Controlled Unclassified Information (CUI) Policy
Effective: November 1, 2025
Approved by: Justin Schwartz, Chancellor
Policy Owner: Office of Compliance, Ethics and Policy (OCEP)
Policy Contact: Information Security Officer
Supersedes: N/A
Applies to: Faculty, staff, students, CU Boulder affiliates
I. Introduction
On November 4, 2010, Federal Executive Order 13556 Controlled Unclassified Information (the Order) established a comprehensive Controlled Unclassified Information (CUI) Program for the Executive Branch of the government (Government) and all agencies. The Order designated the National Archives and Records Administration (NARA) to serve as the Executive Agent to implement and oversee federal agency actions to ensure compliance with the Order. The Order was further codified by 32 CFR Part 2002 Controlled Unclassified Information as published in the Federal Register on September 12, 2016, which established the National Archives and Records Administration (NARA) as the governing federal agency overseeing CUI.
The following policy is established to maximize the University of Colorado Boulder’s (CU Boulder) ability to abide by its legal commitments and comply with the rules and regulations of the Government CUI Program. All CU Boulder employees, students, and affiliates who are authorized to use University IT resources and to receive, access, process, store, generate, or transmit information as part of their CU responsibilities and designated as CUI by NARA or Federal Agencies are subject to this policy.
II. Definitions
Controlled Unclassified Information: means any information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or allows an agency to handle using safeguarding or dissemination controls. It is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and Federal Government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
CU Person: This includes all individuals who are authorized to use University IT resources and may hold roles such as:
- CU Boulder faculty, researcher, staff, and student.
- IT Service Provider
- Person of Interest (POI): an individual affiliated with the university but not paid as an employee for official university needs.
- Sponsored Affiliate: an individual affiliated with the university for official university needs when an HR appointment, including POI, is not a possibility.
- An individual who may be authenticated by external means and authorized by a CU IT service provider to access CU-managed IT services or data (e.g., an external research collaborator or contractor authenticated via federated techniques).
IT Resource: Computers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.
III. Policy Statement
- CU Boulder will establish and maintain a CUI program to address legal and contractual requirements for handling information as prescribed by NARA and federal agencies.
- CU Persons who handle CUI are responsible for safeguarding CUI in accordance with this policy and the standards, guidelines, and best practices established by the university’s CUI program. CU Persons may have additional responsibilities based on their use of CUI as specified in the CUI Standard.
- CU Boulder’s CUI program will facilitate CU Persons fulfilling safeguarding responsibilities by providing resources, including training and coordinated campus website(s), devoted to providing information regarding the CU Boulder CUI program. The training and resources shall include specific information for identifying CUI, appropriately marking CUI, requirements for controlling and protecting CUI information, and handling and reporting of incidents related to CUI as required by applicable Federal laws, rules, regulations, and contractual requirements.
- CU Persons who handle CUI must complete all applicable training as defined in the CUI Standard or specified by their role.
- CU Boulder’s secure enclave(s) must operate under the unified governance structure leveraging campus-wide interdependencies to ensure coordination and oversight.
- The Senior Vice Chancellor for Research (SVCR), the Vice Chancellor for IT (VC for IT), and Information Security Officer (ISO), in coordination with the Office of Compliance, Ethics and Policy (OCEP) are responsible for:
  - having the ultimate authority and oversight of CUI on campus;
  - establishing and maintaining CU Boulder’s CUI program;
  - establishing CU Boulder’s CUI Compliance Steering Committee with representative campus stakeholders to participate thereon;
  - reporting CUI-related incidents, in consultation with University Counsel, in accordance with Federal Requirements;
  - reviewing and reporting on program effectiveness to the University Executive Leadership Team (UELT);
  - executing any other related responsibilities as assigned by the Chancellor or their designee(s).
- CU Boulder’s CUI program includes a CUI Compliance Steering Committee. Members of the Committees shall include a cross-representation of campus stakeholders. The duties of the steering committee include but are not limited to the following, as established in the committee’s charter:
  - creating, revising, and publishing campus CUI standards, best practices, and resources supporting the campus CUI program;
  - developing and maintaining CUI training content, including the frequency of trainings;
  - proactively communicating with appropriate campus stakeholders regarding the shared responsibilities of interacting with CUI in accordance with standards, best practices, training, and resource information;
  - periodically reviewing and approving updates to this Policy and the campus CUI standard.
IV. Procedures
Any CU Person who handles CUI in violation of Federal law, Contractual requirements, or University or Campus policy is subject to loss of privileges, disciplinary action, personal liability, and/or criminal prosecution. Further, CU Boulder may temporarily block or remove CU Boulder IT resource access when CUI is mishandled or used for inappropriate or illegal use.
If there is a need outside of the campus CUI IT solution, a department or unit may support an additional enclave if it meets the minimum requirements as set out in the CUI standards, is vetted through the Office of IT Security, and is approved by the CUI Steering Committee.
The SVCR, along with the VC for IT, shall, as determined by the circumstances of a potential policy violation, work with the appropriate University offices such as University Counsel, the Office of Student Conduct (in cases involving students), the CU Boulder Police Department, Infrastructure and Resilience, Office of Contracts and Grants, the Office of Research Integrity, deans and directors, supervisors and others to enforce the CUI Policy.
Exceptions to the CUI Policy will be considered on a case-by-case basis by contacting the Office of Compliance, Ethics and Policy at: compliance@colorado.edu. Exception requests will be reviewed by the CUI Program Manager and Office of IT Security and may be forwarded to the SVC for Research and VC for IT for final decision.
V. Related policies, forms, guidelines and other resources
- Acceptable Use of CU Boulder's IT Resources Policy
- CUI security requirements; refer to relevant project contract to determine whether revision 2 or 3 is applicable:
- DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
VI. History
- Adopted: January 1, 2025
- Revised: November 10, 2025
- Last Reviewed: November 10, 2025