I. Scope
This policy applies to all offices, academic, and operational departments at all George Mason University locations, owned and leased, that access or engage with Controlled Unclassified Information (CUI). It also applies to all George Mason faculty, staff, students, affiliates, partners, visitors, contractors and subcontractors (and their employees and agents) (collectively, George Mason Persons) who access George Mason’s CUI systems and applications or otherwise engage with CUI.
II. Background
CUI, as defined by Presidential Executive Order 13556, and 32 CFR 2002, is information that the Federal Government creates or possesses, or that an entity creates or possesses for or on behalf of the Federal Government, that a law, regulation, or Federal Government–wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies that is classified under Executive Order 13526 or the Atomic Energy Act, as amended. The Federal CUI regulation applies to Federal executive branch agencies that handle CUI and all organizations (including universities) that handle, possess, use, share, create, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of such an agency.
There are many types of CUI. The CUI categories are listed on the Federal CUI Register. Examples include certain types of critical infrastructure information, proprietary business or manufacturing information, export controlled information, controlled technical information, financial information, and law enforcement information. Federal agencies are in the process of issuing implementing regulations that provide additional details on how individual agencies will implement CUI requirements.
CUI could be received, created or shared in connection with a research project, or with university operations unrelated to research. Its creation or exchange could be required by contract, grant, non-disclosure agreement, data use agreement, or other agreement or arrangement.
III. Policy Statement
George Mason University, and all George Mason Persons who access or engage with CUI, must protect all CUI in accordance with this Policy, related CUI Procedures and Standards, applicable CUI Implementing Regulations, and relevant contractual agreements. The purposes of this policy are to assure compliance with Federal laws and regulations governing the use of CUI, to protect the security and confidentiality of CUI entrusted to George Mason, and to explain the responsibilities of institutional units and George Mason Persons who are involved in creating, possessing, transporting, manipulating, or transmitting CUI.
CUI can only be stored and processed on IT systems that have been risk assessed to comply with NIST SP 800-171 standards.
IV. Definitions
CUI Implementing Regulations: 32 CFR 2002 and related implementing regulations including but not limited to DFARS 252.204-7012.
NIST Special Publication 800-171: a document published by the National Institute of Standards and Technology titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.
George Mason Persons: all George Mason faculty, staff, students, affiliates, partners, visitors, contractors and subcontractors (and their employees and agents).
V. Compliance
Failing to comply with the CUI Implementing Regulations and George Mason’s CUI Procedures and related standards may result in contractual, financial, and legal penalties to the University and to the individual(s) involved, including administrative sanctions such as loss of federal funding. Failing to abide by this policy and the related procedures and standards can result in disciplinary action up to and including termination of employment and academic expulsion from George Mason.
Any George Mason Person who suspects or becomes aware of a potential or actual violation of the CUI Implementing Regulations, this policy, or George Mason’s CUI Procedures and related standards is required to report their concerns to the Vice President and Chief Information Officer and the Vice President for Research, Innovation, and Economic Impact.
VI. Responsibilities
George Mason Persons are responsible for complying with and ensuring their activities conform to the CUI Implementing Regulations, this policy, and George Mason’s CUI Procedures and related standards.
The teams reporting to the Vice President and Chief Information Officer and the Vice President for Research, Innovation, and Economic Impact will monitor changes and revisions to the CUI Implementing Regulations and will make appropriate changes to this policy and to George Mason’s CUI requirements and documentation as appropriate.
VII. Dates
A. Effective Date:
This policy will become effective upon the date of approval by the Senior Vice President for Administration and Finance and the Provost and Executive Vice President.
B. Date of Most Recent Review:
November 23, 2024
VIII. Timetable for Review
This policy, and any related procedures, shall be reviewed every three years or more frequently as needed.
IX. Signatures
Approved:
______/S________
Senior Vice President for
Administration and Finance
______/S________
Provost and Executive Vice President
Date Approved: October 1, 2018
Reviewed: November 23, 2024
Page last updated: January 13, 2025