Controlled Unclassified Information
Effective Date
January 1, 2025
Approved By
Justin Schwartz, Chancellor
Policy Owner
Senior Vice Chancellor for Operations
Responsible Organization
OIT, RIO
I. Introduction
On November 4, 2010, Federal Executive Order 13556 Controlled Unclassified Information (the Order) established a comprehensive Controlled Unclassified Information (CUI) Program for the Executive Branch of the government (Government) and all agencies. The Order designated the National Archives and Records Administration (NARA) to serve as the Executive Agent to implement and oversee federal agency actions to ensure compliance with the Order. The Order was further codified by 32 CFR Part 2002 Controlled Unclassified Information as published in the Federal Register on September 12, 2016, which established the National Archives and Records Administration (NARA) as the governing federal agency overseeing CUI.
The following policy is established to maximize the University of Colorado Boulder’s (CU Boulder) ability to abide by its legal commitments and comply with the rules and regulations of the Government CUI Program. All CU Boulder employees, students, and affiliates who are authorized to use University IT resources and to receive, access, process, store, generate, or transmit, as part of their CU responsibilities, information designated as CUI by NARA or Federal Agencies are subject to this policy. See links in the reference section for CU-specific CUI training.
II. Definitions
Controlled Unclassified Information: means any information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or allows an agency to handle using safeguarding or dissemination controls. It is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and Federal Government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
CU Person: This includes all individuals who are authorized to use University IT resources and may hold roles such as:
- CU faculty, researcher, staff, and student.
- Person of Interest (POI): an individual affiliated with the university but not paid as an employee who is granted an IdentiKey for official university needs.
- Sponsored Affiliate: an individual affiliated with the university who is granted an IdentiKey for official university needs when an HR appointment, including POI, is not a possibility.
- An individual who may be authenticated by external means and authorized by a CU IT service provider to access CU-managed IT services or data (e.g., an external research collaborator or contractor authenticated via federated techniques).
III. Policy Statement
- CU Boulder will establish and maintain a CUI program to address legal and contractual requirements for handling information as prescribed by NARA and the Federal Agencies.
- CU Persons who handle CUI are responsible for taking the appropriate training to safeguard CUI in accordance with this policy and the standards, guidelines, and best practices established by the university’s CUI program.
- CU Boulder’s CUI program will facilitate CU Persons fulfilling safeguarding responsibilities by providing resources, including training and coordinated campus website(s), devoted to providing information regarding the CU Boulder CUI program. The training and resources shall include specific information for appropriately marking CUI, requirements for controlling and protecting CUI information, and handling and reporting of incidents related to CUI as required by applicable Federal laws, rules, regulations, and contractual requirements.
- The Senior Vice Chancellor for Research (SVCR), the Vice Chancellor for IT (VC for IT), and Information Security Officer (ISO), in coordination with the Office of Compliance, Ethics and Policy, are responsible for:
  - establishing and maintaining CU Boulder’s CUI program;
  - establishing CU Boulder’s CUI Advisory Board with representative campus stakeholders to participate thereon;
  - creating, revising, and publishing campus CUI standards, best practices, and resources in collaboration with the CUI Advisory Board;
  - reporting CUI related incidents in accordance with Federal Requirements;
  - reviewing and reporting on program effectiveness to the CUI Advisory Board, the Research and Innovation Office (RIO), and the University Executive Leadership Team (UELT);
  - developing and maintaining CUI training content; and
  - executing any other related responsibilities as assigned by the Chancellor, Provost, or Senior Vice Chancellor for Operations.
- CU Boulder’s CUI program includes a CUI Advisory Board. Members of the Board shall include a cross-representation of campus stakeholders. The duties of the board include:
  - approval of campus CUI standards, best practices, and resources proposed by the VC for IT or ISO;
  - determination of the content and frequency of trainings;
  - proactive communication with appropriate campus stakeholders regarding the shared responsibilities of interacting with CUI in accordance with standards, best practices, training, and resource information; and
  - periodic review and approval of updates to this Policy and the campus CUI standards.
IV. Procedures
Any CU Person who handles CUI in violation of Federal law, Contractual requirements, or University or Campus policy is subject to loss of privileges, disciplinary action, personal liability, and/or criminal prosecution. Further, CU Boulder may temporarily block or remove CU Boulder IT resource access when CUI is mishandled or used for inappropriate or illegal purposes.
The SVCR, along with the VC for IT, shall, as determined by the circumstances of a potential policy violation, work with the appropriate University offices such as University Counsel, the Office of Student Conduct (in cases involving students), the CU Boulder Police Department, deans and directors, and others to enforce the Controlled Unclassified Information Policy.
Exceptions to the Controlled Unclassified Information Policy will be considered on a case-by-case basis by contacting the Office of Compliance, Ethics and Policy at: compliance@colorado.edu. Exception requests will be reviewed by the Office of IT Security and forwarded to the SVC for Research and VC for IT if appeal and/or escalation is required.
V. Related Policies, Forms, Guidelines, and Other Resources
University Related Policies
University Training
- CU: Controlled Unclassified Information (CUI) (login required)
- CU: LASP CUI Awareness (login required)
Related Statutes and Regulations
- CUI security requirements; refer to relevant contract to determine whether revision 2 or 3 is applicable: