When a research project involves CUI, the university is contractually obligated to follow specific safeguarding requirements. These requirements affect how data is handled, who may access it, what systems can be used, and how incidents must be reported.

For researchers and project teams, this means that some projects require additional planning, infrastructure, and oversight beyond what is needed for non-restricted research. For the university, compliance protects our ability to continue participating in federally sponsored research and reduces institutional and individual risk.

CUI compliance is a shared responsibility. Researchers, administrators, IT staff, and support teams all play a role in ensuring that projects meet sponsor and federal requirements from proposal through closeout.

CUI can take many forms, and its presence is not always obvious at first glance. Common examples in a university research environment include:

• Technical data or specifications provided by a federal sponsor
• Research data with restrictions on dissemination or reuse
• Information subject to export control or national security considerations
• Data labeled by the sponsor with handling or distribution controls
• Research outputs that cannot be shared publicly without approval

Not every federally sponsored project involves CUI. However, when restrictions appear in a solicitation, award document, data use agreement, or sponsor communication, additional review is required.

If you are unsure whether a project involves CUI, that uncertainty is expected. The purpose of this site is to help you recognize potential indicators early and connect you with the appropriate support before work begins.

CUI requirements are most likely to appear in projects funded by the DOD/DOW, NASA, DARPA, DOE and industry contracts supporting defense related research. NIH supported projects involving genomic data sharing may also include CUI-like data protections. Key terms and contract clauses include but are not limited to:

• Controlled Unclassified Information
• Controlled Technical Information
• Controlled Defense Information
• DFARS 252.204-7012
• DFARS 252.204-7008
• CMMC: Cybersecurity Maturity Model Certification
• NIST 800-171
• 32 CFR 2002: CUI
• ITAR / Export Controlled

Language indicating restrictions on access, handling, storage, transmission, or sharing of data should be reviewed carefully.

Some awards, particularly those associated with the Department of Defense, may reference cybersecurity frameworks such as the Cybersecurity Maturity Model Certification (CMMC) or related safeguarding requirements.

If the project documentation references specific cybersecurity standards, system security requirements, or compliance attestations, this is a strong signal that CUI may be involved and that approved systems and environments will be required.

Researchers and project teams are not expected to make a final determination about CUI on their own.

If the project includes any of the indicators above, the next step is to contact the Controlled Research Support Program (CRSP) for review. This review confirms whether CUI requirements apply and identifies what safeguards, systems, and planning are needed before work begins.

Early identification is critical. Confirming CUI involvement at the proposal or award stage helps avoid delays, unplanned costs, and compliance issues later in the project lifecycle.

If a project is determined to involve CUI, you can expect:

• Guidance from the CRSP on required safeguards and approved environments
• Support in developing a Technology Control Plan, if needed
• Coordination with IT and CRSP Office
• Clear expectations for roles, responsibilities, and next steps

You will not be expected to navigate these requirements alone. The goal is to ensure that the project can proceed smoothly while meeting sponsor and federal obligations.

CUI requirements can affect where data is stored, what systems are used, and how project teams access and manage information. These requirements may introduce costs that are not present in non-restricted research projects.

Including CUI-related expenses at the proposal stage allows project teams to:

• Select approved systems and environments from the start
• Ensure appropriate access for project personnel
• Avoid mid-project changes that can disrupt research timelines

Early coordination with the Controlled Research Support Program is strongly encouraged when developing a proposal that may involve CUI.

While specific requirements vary by sponsor and project, common cost categories for CUI projects may include:

• Secure computing environments, such as approved research computing platforms
• Secure cloud storage approved for CUI data
• Secure Microsoft O365 accounts designated for controlled research use and communication
• Dedicated or restricted-use computers for accessing or processing CUI
• Cybersecurity and system support services required to meet sponsor requirements

Not all CUI projects require all of these resources. Required safeguards are determined based on sponsor requirements, the type of data involved, and how the data will be used.

Federal sponsors generally allow reasonable data protection and security-related expenses when they are necessary for project performance. These costs should be:

• Clearly justified in the proposal budget and budget justification
• Directly related to safeguarding project data
• Consistent with sponsor and university policies

Examples of commonly allowable expenses include secure storage, approved computing environments, and required system access. The research administrator and the Controlled Research Support Program can help determine which costs are appropriate to include.

If you believe a project may involve CUI, discussing potential cost implications early can help ensure the project is fully supported from the outset. Identifying requirements before submission or at award review allows the university to align systems, resources, and budgets with sponsor expectations.

Contact the Controlled Research Support Program as early as possible if:

• Your proposal, solicitation, or award includes indicators of CUI
• Your sponsor references data safeguarding, access restrictions, or cybersecurity requirements
• You are unsure whether project data may be subject to handling or dissemination controls

Early review, ideally at the proposal stage or immediately upon award, helps avoid delays, unplanned costs, and compliance issues later in the project.

Once contacted, the Controlled Research Support Program will:

• Review sponsor and award documentation for CUI requirements
• Confirm whether CUI applies to the project
• Identify required safeguards, systems, and approvals
• Coordinate with the research team, information security, IT, and research administration teams as needed

This process is designed to support research activity while ensuring sponsor and federal requirements are met.

For projects involving CUI, a Technology Control Plan (TCP) will be required. A TCP documents how CUI will be protected throughout the project lifecycle, including:

• Where CUI will be stored and processed
• Who may access the information
• What systems and environments will be used
• How data will be safeguarded and monitored

The Controlled Research Support Program provides guidance and templates to support TCP development and approval.

CUI compliance is a shared responsibility across the project team. Roles may include:

• Principal Investigators, who oversee project activities and ensure requirements are followed
• Research administrators, who assist with proposal development, budgeting, and documentation
• IT and support staff, who help implement and maintain approved systems and safeguards
• Project personnel, who are responsible for handling CUI in accordance with established requirements

Clear roles and early coordination help ensure projects proceed smoothly and remain compliant throughout their duration.

CUI projects must use approved computing and storage environments that meet federal safeguarding requirements. These environments are designed to protect data through technical, administrative, and physical controls.

Depending on the project, this may include:

• Use of designated secure research computing platforms
• Approved secure cloud storage solutions
• Restricted system configurations for accessing or processing CUI

Public or open systems are generally not permitted for CUI work unless explicitly approved.

Access to CUI is limited to authorized individuals with a legitimate project need. In many cases, sponsor requirements may restrict access to U.S. Persons only.

Before accessing CUI, project personnel will be required to:

• Complete required training
• Receive approval for system and data access
• Acknowledge project-specific handling requirements

Access is granted based on role and project responsibilities, not convenience.

CUI projects are subject to both physical and cybersecurity safeguards. These may include:

• Secure workspace requirements for handling CUI
• Project specific, dedicated computers and laptops
• Restrictions on the use of personal devices
• Specific system security configurations
• Monitoring and logging of system access

The exact requirements depend on the sponsor, data type, and approved project environment.

Projects involving CUI are subject to ongoing compliance expectations. This may include:

• Periodic reviews of access and system usage
• Verification that safeguards remain in place
• Monitoring to detect unauthorized access or misuse

Compliance activities are not meant to disrupt research, but they are a required part of working with federally controlled information.

Working on a CUI project does not mean working alone. The Controlled Research Support Program, along with IT and security partners, provides ongoing support to help project teams understand requirements, resolve issues, and adapt as projects evolve.

Early communication and continued coordination help ensure that research can proceed efficiently and in compliance with sponsor expectations.

You should report any situation involving CUI that may include:

• Unauthorized access to or disclosure of CUI
• Receipt of CUI by someone not approved for the project
• Loss, theft, or improper storage of devices or media containing CUI
• Inappropriate receipt of CUI into university email
• Use of unapproved systems, accounts, or storage for CUI
• Suspected cybersecurity incidents affecting CUI systems

If you are unsure whether an event qualifies as an incident, it is still appropriate to report it.

If you believe there may have been an incident involving Controlled Unclassified Information, it is important to report it as soon as possible.

At this time, incidents involving CUI should be reported by contacting the Controlled Research Support Program directly:

Email: crsp@austin.utexas.edu

The Controlled Research Support Program will coordinate with the appropriate university offices, including information security and research compliance, to assess the situation and determine next steps.

If you are unsure whether an event qualifies as an incident, it is still appropriate to reach out for guidance.

Once an incident is reported:

• The appropriate response teams will assess the situation
• You may be contacted for additional information
• Required notifications to sponsors and corrective actions will be coordinated centrally

Project teams are not responsible for determining severity or regulatory reporting obligations. That responsibility rests with the university.

Timely reporting helps:

• Protect sensitive federal information
• Reduce risk to the project and the university
• Ensure compliance with sponsor and federal requirements

Delaying or failing to report a potential incident can increase risk and complicate response efforts.

The Controlled Research Support Program is the primary point of contact for questions related to CUI in sponsored research. This team can assist with:

• Determining whether a project involves CUI
• Interpreting sponsor requirements
• Coordinating required reviews and approvals
• Connecting you with information security and IT resources

Email: crsp@austin.utexas.edu

Researchers and project teams are encouraged to reach out early. Asking questions before work begins helps ensure projects move forward smoothly and in compliance with sponsor requirements.

Depending on the nature of the project, you may also be connected with:

• Research administration staff
• Information security and IT support teams
• Export control or compliance specialists

The Controlled Research Support Program will help coordinate these resources as needed.