Controlled Unclassified Information (CUI)

Overview

In an effort to streamline the management of sensitive information, 32 CFR Part 2002 established a process for management of unclassified information that is to be protected from public disclosure. Any project at the �鶹��Ѱ�� that incorporates the responsibility for managing Controlled Unclassified Information (CUI) must take the appropriate measures to protect the sensitive information. Details about CUI and cybersecurity can be found on �鶹��Ѱ��Boulder’s Research Security & Integrity Office’s Cybersecurity & CUI webpage.

�鶹��Ѱ��Boulder’s in is empowered to review each program for CUI compliance and work with faculty and staff to ensure that the appropriate steps are taken.

Impact on Sponsored Projects

For sponsored project activities that incorporate CUI by reference (or through NIST 800-171r1 or DFARS 252.204-7012), IT Security will need to conduct an additional review prior to award acceptance.

CMMC Requirements for DOD Contracts

On September 10, 2025, the Department of Defense (DOD) published a final rule (CMMC Final Rule) implementing the Cybersecurity Maturity Model Certification program (CMMC) for DOD contractors and subcontractors. ��

Effective November 10, 2025, the CMMC Final Rule requires DOD to include CMMC requirements in contracts that include the handling of Controlled Unclassified Information (CUI) or Federal Contract Information (FCI).

Visit �鶹��Ѱ��Boulder's Research Security & Integrity Office's CMMC Requirements webpage for more information and support.

Review Process

Once IT Security is notified of an agreement that may include the requirement to manage CUI, they will contact the Primary Investigator (PI) or assigned representative to initiate the cybersecurity review. They will work in conjunction with the PI or assigned representative to identify and plan to implement the necessary security controls. Once the review has been conducted, the Office of Contracts and Grants (OCG) will be notified by OIT Security whether the computing environment that is supporting the project will be compliant. At that point, OCG will finalize the review of the contract.

What Steps Do I Take?

Proposal Stage:

Notify your department's OCG Proposal Analyst

Award Stage:

If you received a notification that the award is subject to CUI, notify your department's OCG Contract Officer

�鶹��Ѱ�����

Search

Other ways to search: