CUI & CMMC
Government Research and Information Security
As a leading research institution, Texas A&M University often collaborates with federal agencies on projects vital to national interests. This work sometimes involves handling sensitive government information that, while not classified, still requires careful protection. Two key concepts related to this are Controlled Unclassified Information (CUI) and the Cybersecurity Maturity Model Certification (CMMC).
What is Controlled Unclassified Information (CUI)?
CUI is a category of information created or owned by the U.S. Government that needs safeguarding or specific controls on how it's shared, according to laws, regulations, or government-wide policies. Think of it as sensitive information that isn't classified but isn't meant for public release either. This could include data related to research projects, technical specifications, or other information received under federal contracts or agreements. The CUI program, established by Executive Order 13556, aims to standardize how this type of information is marked, handled, and protected across all government agencies and their partners.
Safeguarding CUI is crucial because its unauthorized disclosure could potentially harm national security interests or compromise sensitive government operations. For Texas A&M, properly managing CUI is essential for maintaining trust with federal sponsors, ensuring compliance with contractual obligations, and protecting the integrity of our research endeavors.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD). Its primary goal is to verify that organizations participating in the defense supply chain, including university researchers working on DoD contracts, have adequate cybersecurity measures in place to protect sensitive information, particularly CUI and Federal Contract Information (FCI).
CMMC essentially sets different cybersecurity levels (Levels 1, 2, and 3) that organizations must meet, depending on the type and sensitivity of the information they handle. These levels are largely based on cybersecurity standards found in NIST SP 800-171 and NIST SP 800-172. Depending on the required level and the nature of the information, compliance might involve self-assessments or formal assessments by third-party organizations or government entities.
CUI and CMMC at Texas A&M
The Texas A&M University System has established System Regulation 15.05.02, Controlled Unclassified Information Management, which governs the requirements and procedures for handling CUI. Key points include:
- Oversight: The system's Research Security Office (RSO), led by the Chief Research Security Officer (CRSO), oversees the CUI program and helps ensure compliance across system members.
- Secure Environments: CUI must be handled within specific secure computing environments that meet NIST SP 800-171 standards; the RSO offers a Secure Computing Enclave that meets these requirements.
- Individual Responsibility: Anyone accessing CUI is responsible for protecting it according to government and contract requirements.
- Training: Employees who access CUI must complete specific training (TrainTraq Course #2113511) every year.
Where to Learn More
If your work involves federal contracts or you believe you might be handling CUI, it's crucial to understand the specific requirements.
- Review your specific contract or funding agreement for any clauses mentioning CUI or CMMC.
- Reach out to the Research Security & Compliance team for guidance on CUI management and compliance with System Regulation 15.05.02.
RESEARCH SECURITY & COMPLIANCE OFFICE
Adhering to CUI and CMMC requirements is essential for enabling Texas A&M's continued contributions to vital research and protecting sensitive national security information.
Last Modified: September 18, 2025