Controlled Unclassified Information (CUI)

Definition: Information that, per law, regulation, or governmental policy, requires safeguarding and information security controls.

Governing Authority: Federal Information Security Management Act (FISMA)

Responsible Operating Unit: Office of Research

Examples: Research in which data is provided by federal organizations such as the National Institutes of Health, NASA, or the Department of Veterans Affairs.

Special Considerations: FISMA requires that federal agencies and those providing services on their behalf develop, document, and implement security programs for information technology systems and store the data on U.S. soil. The data that is regulated by FISMA is often noted in a Request for Proposal (RFP) or in contract or grant language. It is critical that researchers and principal investigators review contract and grant language closely to identify information security requirements as well as the use of Controlled Unclassified Information (CUI).

List of IT Services & Tools

For the definition of terms related to the categories below, please reference the Glossary of Permission Levels.

Acceptable IT Services & Tools:

  • None.

Consultation Required:

  • Research Computing Environment (RCE)

Not Permitted IT Services & Tools:

  • Blackboard

  • OnBase

  • OneDrive/O365 Group or individual accounts

  • PeopleSoft

  • Personal cloud accounts

  • Personal/Non-University owned devices

  • Qualtrics

  • NAS departmental shared storage (

  • NAS individual home storage (

If you don't see the IT service or tool listed that you wish to use to store data classified as medium or high sensitivity, contact Information Security to determine if it's appropriate for your data type.