Controlled Unclassified Information
University Policy Number 1316
- 1. Access Control
- 2. Awareness and Training
- 3. Audit and Accountability
- 4. Configuration Management
- 5. Identification and Authentication
- 6. Incident Response
- 7. Maintenance
- 8. Media Protection
- 9. Personnel Security
- 10. Physical Protection
- 11. Risk Assessment
- 12. Security Assessment
- 13. System and Communications Protection
- 14. System and Information Integrity
Related Law & Policy:
- Executive Order 13556
- 32 CFR 2002 Controlled Unclassified Information Final Rule
- NIST Special Publication 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- CUI Registry: List of Categories of CUI
This policy applies to all offices, academic, and operational departments at all George Mason University (Mason) locations, owned and leased, that access or engage with Controlled Unclassified Information (CUI). It also applies to all Mason faculty, staff, students, affiliates, partners, visitors, contractors and subcontractors (and their employees and agents) (collectively, Mason Persons) who access Mason’s CUI systems and applications or otherwise engage with CUI.
CUI, as defined by Presidential Executive Order 13556, and 32 CFR 2002, is information that the Federal Government creates or possesses, or that an entity creates or possesses for or on behalf of the Federal Government, that a law, regulation, or Federal Government–wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies that is classified under Executive Order 13526 or the Atomic Energy Act, as amended. The Federal CUI regulation applies to Federal executive branch agencies that handle CUI and all organizations (including universities) that handle, possess, use, share, create, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of such an agency.
There are many types of CUI. The CUI categories are listed on the Federal CUI Register. Examples include certain types of critical infrastructure information, proprietary business or manufacturing information, export controlled information, controlled technical information, financial information, and law enforcement information. Federal agencies are in the process of issuing implementing regulations that provide additional details on how individual agencies will implement CUI requirements.
CUI could be received, created or shared in connection with a research project, or with university operations unrelated to research. Its creation or exchange could be required by contract, grant, non-disclosure agreement, data use agreement, or other agreement or arrangement.
IV. Policy Statement
George Mason University, and all Mason Persons who access or engage with CUI, must protect all CUI in accordance with this Policy, related CUI Procedures and Standards, applicable CUI Implementing Regulations, and relevant contractual agreements. The purposes of this policy are to assure compliance with Federal laws and regulations governing the use of CUI, protect the security and confidentiality of CUI entrusted to Mason, and to explain the responsibilities of institutional units and Mason Persons who are involved in creating, possessing, transporting, manipulating, or transmitting CUI.
CUI can only be stored and processed on IT systems that have been risk assessed by ITS to comply with NIST SP 800-171 standards.
A. CUI Implementing Regulations: 32 CFR 2002 and related implementing regulations including but not limited to DFARs 252.204-7012.
B. NIST Special Publication 800-171 is a document published by the National Institute of Standards and Technology titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” It provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.
C. Mason Persons are all Mason faculty, staff, students, affiliates, partners, visitors, contractors and subcontractors (and their employees and agents) (collectively, Mason Persons)
Failing to comply with the CUI Implementing Regulations and Mason’s CUI Procedures and related standards may result in contractual, financial, and legal penalties to Mason and to the individuals(s) involved, including administrative sanctions such as loss of federal funding. Failing to abide by this policy and the related procedures and standards can result in disciplinary action up to and including termination of employment and academic expulsion from Mason.
Any Mason Person who suspects or becomes aware of a potential or actual violation of the CUI Implementing Regulations, this policy, or Mason’s CUI Procedures and related standards is required to report their concerns to the Vice President of Information Technology and the Vice President for Research.
Mason Persons are responsible for complying with and ensuring their activities conform to the CUI Implementing Regulations, this policy, and Mason’s CUI Procedures and related standards.
The Vice President of Information Technology and the Vice President for Research will monitor changes and revisions to the CUI Implementing Regulations and will make appropriate changes to this policy and to Mason’s CUI Procedures and related standards.
A. Effective Date:
This policy will become effective upon the date of approval by the Senior Vice President for Administration and Finance and the Provost and Executive Vice President.
B. Date of Most Recent Review:
VIII. Timetable for Review
This policy, and any related procedures, shall be reviewed every three years or more frequently as needed.
Senior Vice President for
Administration and Finance
Provost and Executive Vice President
Date Approved: 10/1/2018