
Data Security

Data security is of utmost importance to the integrity of research. There are two ways to secure your data. If data is kept in physical form (e.g., lab notebooks, paper surveys), then physical security is needed. Examples of physical security include lockable filing cabinets to hold the physical copies of data. If data is stored electronically (e.g., on a laptop, in an electronic database, or in cloud storage), then information security is needed. Examples of information security include the use of encryption and/or the secure enclave.

Although these are best practices, some sponsors may require additional physical and information security practices depending on the nature and sensitivity of the research and data.

Controlled Unclassified Information

What if my contract calls for CUI, but I believe it is not?

If clauses are in an agreement, our office can go back to the prime contracting officer and ask whether a portion of the work is fundamental in nature. If we receive confirmation in writing from the prime contracting officer that the university’s work is fundamental, then a CUI plan is not necessary.

Controlled Unclassified Information (CUI) is defined as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI was established by Executive Order 13556 and 32 CFR § 2002. These documents establish a uniform program for managing information that requires safeguarding or dissemination controls across the Federal Government and appoint the National Archives and Records Administration (NARA) as the CUI Executive Agent, respectively.

CUI does NOT include classified information.

The National Institute of Standards and Technology Special Publication 800-171 provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when resident in Non-Federal Information Systems and Organizations.

This clause requires the university to implement security measures as outlined in NIST 800-171. In the event of a cybersecurity incident, the university’s responsibility under DFARS 252.204-7012 is to report the incident to the DoD within 72 hours. The university should preserve and protect images of all known affected information systems identified in this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report.

Disclosure of Information restricts the release of information unless the information is already in the public domain, the Prime Contracting Officer has given prior written approval, or the information results from the performance of a project that involved no covered defense information and has been determined by the Prime Contracting Officer to be fundamental research.

ISAAC Secure Enclave

The High Performance and Scientific Computing (HPSC) group provides resources and support for research involving sensitive information through the Secure Enclave. The Secure Enclave protects Protected Health Information, Controlled Unclassified Information, and other protected information. The Office of Information Technology provides documentation, training, and support services for the Secure Enclave. Contact the OIT Help Desk for more information.