Controlled Unclassified Information (CUI)
Definition: Information that, per law, regulation, or governmental policy, requires safeguarding and information security controls.
Governing Authority: Federal Information Security Management Act (FISMA)
Responsible Operating Unit: Office of Research
Examples: Research in which data is provided by federal organizations such as the National Institutes of Health, NASA, or the Department of Veterans Affairs.
Special Considerations: FISMA requires that federal agencies and those providing services on their behalf develop, document, and implement security programs for information technology systems and store the data on U.S. soil. Data regulated by FISMA is often noted in a Request for Proposal (RFP) or in contract or grant language. It is critical that researchers and principal investigators review contract and grant language closely to identify information security requirements as well as the use of Controlled Unclassified Information (CUI).
Acceptable IT Services & Tools:
- None.
Consultation Required:
- Research Computing Environment (RCE)
Not Permitted IT Services & Tools:
- Blackboard
- OnBase
- OneDrive/O365 Group or individual accounts
- PeopleSoft
- Personal cloud accounts
- Personal/Non-University owned devices
- Qualtrics
- NAS departmental shared storage (shared.ohio.edu)
- NAS individual home storage (home.ohio.edu)
If you don't see the IT service or tool listed that you wish to use to store data classified as medium or high sensitivity, contact Information Security to determine if it's appropriate for your data type.