2147 Safeguarding Controlled Unclassified Information

Document purpose

To ensure compliance with federal requirements for protecting Controlled Unclassified Information on non-federal systems and organizations.

Effective

July 1, 2025

Reviewed

June 25, 2025

Responsible Office

Research Services

Approval

Background

Federal research agencies include stringent security requirements for data designated as Controlled Unclassified Information (CUI). CUI must be stored or handled in controlled environments that prevent or detect unauthorized access, and security controls must be compliant with federal regulations specified in 32 CFR Part 2002. The federal CUI regulations apply to federal executive branch agencies that handle CUI, and all organizations, including universities, that receive, possess, share, use, or create CUI.


Definitions

  • Controlled Unclassified Information (CUI): Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
  • NIST Special Publication 800-171: a document published by the National Institute of Standards and Technology that provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.
  • Secure Research Enclave (SRE): an environment that has been assessed to comply with NIST SP 800-171.
  • System Security Plan: a document that describes how an organization meets or plans to meet the security requirements for a system.

Policy

CUI may only be stored and processed on designated Penn SRE systems in accordance with the specific System Security Plan.

Scope

This Policy is applicable to any faculty, staff, students, affiliates, contractors, or agents who handle, possess, use, share, create, or receive CUI.

Roles and Responsibilities

Business Administrator

  • Work with Principal Investigator to identify projects that may involve CUI.

Principal Investigator

  • Understand and identify if CUI is expected to be involved in a project.
  • Work with the relevant Penn offices to ensure compliance prior to handling CUI.
  • Understand and comply with the safeguarding and dissemination requirements.
  • Ensure compliance within their research group.

Personnel accessing an SRE

  • Understand and comply with the safeguarding and dissemination requirements.
  • Adhere to the Rules of Behavior.

Office of Research Services, Research Security

  • Work with the PI, department, and school/center to:
    • Determine if a project is subject to CUI safeguarding requirements.
    • Negotiate agreements that may require the receipt or generation of CUI.
    • Determine if Penn can appropriately safeguard any potential CUI involved in the project.
    • Ensure that mandatory training is complete and other requirements have been met prior to granting access.

Office of Information Security, Secure IT

  • Prepare for, and respond to, security incidents.
  • Work with ORS, PI, department, and school/center to ensure that appropriate parties are notified of any incidents.

Penn SRE Provider

  • Administer the SRE system in accordance with Penn SRE system-level policies and procedures aligned to NIST SP 800-171.
  • Coordinate with ORS, Procurement Services, OIS, and the Principal Investigator to follow required procedures.
  • Provide technology oversight to ensure ongoing vendor compliance with required authorizations, such as FedRAMP.

Compliance

Failure to comply will result in immediate revocation of SRE access.