The CUI Program at CU Boulder is a cornerstone of the university's broader commitment to research compliance, information security, and institutional integrity. Through this program, CU Boulder ensures that research involving federally controlled information meets all safeguarding and dissemination requirements established under 32 CFR Part 2002 and related federal standards.
Protecting Controlled Unclassified Information (CUI) is both a federal requirement and a strategic advantage for CU Boulder. By meeting CUI standards, the university safeguards sensitive research data, protects students and faculty, and upholds the integrity of federally funded projects.
Strong CUI compliance demonstrates CU Boulder's commitment to research excellence and trustworthiness, positioning the university to compete for complex, high-value federal awards and partnerships. In short, protecting CUI protects our people, our research, and our reputation. Our proactive approach to CUI compliance strengthens CU Boulder's leadership in national research partnerships and prepares the campus for related Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements.
What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is federally defined information that requires protection from unauthorized access or release, even though it is not classified. It includes data created by, for, or on behalf of the U.S. government that must be safeguarded under laws, regulations, or federal policies.
CUI can appear in sponsored research or contracts that reference CUI or the Cybersecurity Maturity Model Certification (CMMC). When these requirements apply, researchers at CU Boulder must use approved secure environments and follow CU Boulder's CUI Policy and related standards.
Understanding whether your project involves CUI is the first step in protecting sensitive information and maintaining CU Boulder's strong research partnerships.
CMMC is a unified assessment model created by the Department of Defense (DOD) in response to the growing threat of cyberattacks and data theft from defense contractors. CMMC is designed to ensure that DOD contractors and subcontractors adequately safeguard two categories of sensitive government information: CUI and Federal Contract Information (FCI).
While DOD contractors have already been subject to information security requirements in DFARS and FAR clauses, CMMC builds on existing requirements by requiring all DOD contractors and subcontractors who handle CUI and FCI during contract performance to certify compliance with security controls via mandatory self-assessments, third-party assessments, and affirmations of compliance.
The type of data (i.e., CUI or FCI) and the sensitivity of the contract being performed dictate the type of assessment and the security controls that apply.
The CMMC framework is broken out into three levels:
- CMMC Level 1 applies to contractors and subcontractors that store, process, or transmit FCI. CMMC Level 1 includes 17 of the NIST SP 800-171 security requirements, which are listed in the FAR 52.204-21 Basic Safeguarding clause, sections (b)(1)(i) through (b)(1)(xv). Level 1 requires a contractor's self-assessment, conducted annually.
- CMMC Level 2 applies to contractors and subcontractors that store, process, or transmit CUI. CMMC Level 2 consists of 110 requirements that correspond with the requirements found in NIST SP 800-171A. Level 2 requires either a self-assessment, conducted annually, or an external assessment conducted by a certified third-party assessor, conducted every three years.
- CMMC Level 3 applies to a select group of contractors that store, process, or transmit high-value CUI, as determined by DOD. CMMC Level 3 includes all Level 2 requirements, as well as 24 selected requirements from NIST SP 800-172. All Level 3 certifications require a DOD-conducted assessment every three years. Level 3 will be phased in November 2027.
For more information about the Cybersecurity Maturity Model Certification (CMMC) and how it applies to research at CU Boulder, visit the Research Security: Cybersecurity and CUI page.
Key Takeaways
- CUI requires safeguarding. CUI is federal information that must be protected from unauthorized access or release under law and policy.
- Compliance supports excellence. CU Boulder's Research Cybersecurity Program, the Office of Contracts and Grants (OCG), and the Office of Compliance, Ethics and Policy (OCEP) partner with researchers to ensure projects meet federal and university standards.
- Action is required. Before handling CUI, complete the updated CUI – u00189 training in Percipio, review the CUI Policy and CUI Data Use Standard, and coordinate with OCG and OIT Security for a compliance review.
- Compliance builds trust and opportunity. Adhering to CUI requirements protects sensitive information, advances research excellence, reinforces sponsor confidence, and sustains CU Boulder's competitiveness for future funding.
Am I Working with CUI?
A guided self-check section to help researchers determine whether their project involves CUI.

This simplified decision guide helps researchers quickly determine whether their project involves Controlled Unclassified Information (CUI). Start by confirming whether your work is funded by or conducted with a U.S. federal agency or defense contractor; most CUI originates from these sources. Next, check whether your award or contract includes references to NIST 800-171r2, DFARS clauses, or other data protection requirements. If so, determine whether you will receive, create, or store information the sponsor identifies as CUI. Finally, assess whether you or your team will handle that information directly. If any step leads to a "yes," your project involves CUI and must use a secure environment such as the Preserve, with support from the Office of Contracts and Grants, OIT Security, and Compliance as needed.
Roles and Responsibilities Across Campus
Managing Controlled Unclassified Information (CUI) at CU Boulder is a shared responsibility across departments, researchers, and campus support offices. Principal Investigators, Department Managers, and Users each play key roles in maintaining secure practices, while central offices (the Office of Contracts & Grants, OIT Security's Research Cybersecurity Program, and the Office of Compliance, Ethics and Policy) provide oversight, guidance, and system support. Together, these groups ensure the campus meets all CUI requirements and protects sensitive research data.
Principal Investigators (PIs) and Department Managers
An employee who has organizational and/or contractual responsibilities to ensure compliance of other CU Persons in their department or on their research project. The PI or department manager is responsible for ensuring that:
- All requests for system access and project group membership have been properly vetted.
- Access is approved only for people who have a business need to use the system and meet the criteria specified in the research contract. This may require proof of U.S. person status.
- All Users have access only to the data required for their job role.
- Access is removed (de-provisioned) for Users who change job roles or are terminated.
- Periodic access reviews are performed for project groups and systems.
- Project teams and staff have completed CUI campus training, CUI system-specific training, and any sponsor- or contract-required training.
- Project teams and staff have reviewed system-specific procedures and signed CUI system-specific user agreements.
- CUI System Administrators are notified when a person leaves a project, changes position, or leaves the institution in a way that requires removal of or a change to access.
- Staff and project team members use university-managed or university-owned devices to access the CUI System.
- The Software Vetting Guidance is followed for any software applications brought into the CUI System to run on its infrastructure.
- The guidance for self-written software code contained in the Software Vetting Guidance is followed.
- Changes to infrastructure that project teams manage within the environment are tracked, reviewed, and logged whenever that infrastructure is not managed by the CUI System team.
- Physical access to secure spaces is monitored and controlled, in conjunction with the Division of Public Safety.
- In the event of an incident, their staff are available to participate as needed in risk assessment, containment, and evidence capture activities.
Users
A user is any CU Person that uses, accesses, processes, shares, or generates CUI as part of their job, e.g., a researcher. The user is responsible for:
- Following the campus CUI Policy, CUI Standards, and CUI System-specific policies and standards.
- Completing required campus, system, and contract-specified training.
- Protecting CUI data they encounter during daily activities.
- Notifying CUI-Incident@colorado.edu if an incident related to CUI is suspected.
- Signing User Agreements for CUI Systems.
- Not sharing CUI data with any internal or external party unless that party is an authorized internal or external user. This includes sharing or emailing files, sharing screens, taking screen captures, and holding meetings where unauthorized persons can hear or see CUI.
- Accessing CUI systems only from a university-managed (preferred), university-owned, or sponsor-approved device.
- Not downloading CUI to unauthorized devices.
- Joining any sponsor meeting where CUI will be discussed or shared from a CUI System.
- Requesting access for people who have a business need to use the CUI System.
- Participating in Security Incident Response investigations as needed.
Office of Contracts and Grants (OCG)
Identifies and tracks research agreements that have clauses or other indications that the project will require handling CUI, and manages negotiation of contract clauses with sponsors. OCG maintains awareness of campus system capabilities for compliance with sponsor requirements and refers Principal Investigators (PIs) to the Office of Information Technology Security and/or system owners for consultation on system needs, requirements, and cost for projects that require handling CUI.
OIT Security
Assesses CUI Systems for compliance with CUI security controls, recommends systems for authority to operate, and creates templates for the System Security Plan, the Plan of Action and Milestones (POA&M), and other security documentation.
Facilitates decision-making, risk assessments, and communications within the CUI Steering Committee and with campus stakeholders. Manages the CUI Program, including maintaining timelines, requesting and balancing resources and workloads, and driving toward key CUI campus strategies, including certifications, certification renewals, and the expansion or contraction of CUI services for the campus.