In addition to classified information, certain types of unclassified information also require application of access and distribution controls and protective measures for a variety of reasons. University activities (e.g. sponsored research projects, non-disclosure agreements, proprietary information agreements) may include receiving, generating or using controlled unclassified information. Access to CUI is usually restricted to Non-U.S. persons, unless the sponsor has agreed to grant access to a Non-U.S. person under a fully executed non-disclosure agreement (NDA).
The Office of Research Integrity (ORI) collaborates with the UT System Facility Security Officer/Security Manager to ensure a common approach to the national security issues shared by export-controlled and classified programs. ORI is responsible for helping UTSA faculty and staff with the security measures necessary to safeguard controlled unclassified information (CUI), including export-controlled, for official use only (FOUO) and sensitive but unclassified information (SUI).
The UTSA Office of Information Security (OIS) and the UTSA Office of Information Technology (OIT) are responsible for administering programs that create a reliable and secure university computing environment. The Information Security Officer (ISO) and the Information Security Administrator provide assistance with the implementation and administration of information security initiatives and Data Owner’s security needs. Please contact the ISO at (210) 458-7974 for additional information.
UTSA faculty and staff are responsible for:
- obtaining the sponsoring organization’s guidance concerning access to CUI or Classified Information;
- determining who will have access to CUI;
- contacting ORI, OIS and OIT if a protection/security plan (e.g. technology control plan) is required to control access to and dissemination of CUI.
UTSA does not allow classified research, or the storage or use of classified data, at any of its campuses. ORI can assist with security clearance applications for UTSA personnel who seek access to classified material housed elsewhere or to conduct classified research elsewhere as part of a sponsored research project. Use of classified information is restricted to those areas that adhere to the requirements identified in the National Industrial Security Program Operating Manual (NISPOM) or the DD 254 Form, DoD Contract Security Classification Specification, issued by the sponsoring agency.
Controlled technical information is defined in DFARS 252.204-7012 as technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
Controlled Unclassified Information (CUI) is information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information. For CUI Categories and Subcategories, please go to the CUI Registry General Guidelines site.
“Covered defense information” is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is—
- Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
- Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
The Department of Defense (DoD) issued a final rule on November 18, 2013, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to add a new subpart and contract clause (DFARS 252.204-7012) associated with safeguarding unclassified controlled technical information. The new rule requires that contractors with “controlled technical information” resident on or passing through their information systems use a minimum set of protective measures and security controls to safeguard the data.
On June 19, 2015, the National Institute of Standards and Technology (NIST) also published the final version of its guidance for federal agencies, NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, to ensure sensitive information remains confidential when stored outside of federal systems. The guidelines apply to nonfederal information systems and organizations that process, store, or transmit federal controlled unclassified information.
General Guidelines and Forms
- Military Critical Technical Agreement (DD 2345 Form): ORI maintains an approved Military Critical Technical Agreement (DD 2345 Form) with the Assistant Facility Security Officer (AFSO). Please contact the AFSO prior to attending a meeting/conference where unclassified technical data will be disclosed. ORI strongly recommends having the meeting/conference organizers mail the unclassified technical data to ORI, if possible. If you are planning to bring CUI back with you to UTSA, please contact the AFSO at (210) 458-4233 for guidance.
- Contract Security Classification Specification (DD 254 Form): The Federal Acquisition Regulation (FAR) requires that a DD 254 Form be incorporated in each classified contract. The DD 254 Form provides the contractor (or a subcontractor) with the security requirements and classification guidance necessary to perform on a classified contract. UTSA personnel are also required to contact the Office of Contracts & Industry Agreements at (210) 458-8575 for a government-sponsored contract that will include this form.