CUI and Research at Emory


Most research conducted at Emory is classified as fundamental research, which does not involve CUI and is exempt from CMMC requirements. While the DoD is currently the only federal agency with a codified CUI/CMMC program, other federal agencies also have the authority to classify their data as CUI and to require enhanced cybersecurity controls.

Compliance with CUI requirements is overseen by the Export Control and Research Cybersecurity (ECRC) Office, and technical implementation is conducted by the Office of Information Technology (OIT). If your award, either directly or indirectly funded by the DoD, contains enhanced cybersecurity language, the Office of Sponsored Projects (OSP) coordinates with ECRC and OIT to ensure the appropriate cybersecurity measures are implemented.

Process for Awards/Grants

  1. OSP reviews the agreement. If enhanced cybersecurity requirements are indicated in the agreement, it is forwarded to ECRC for review.
  2. ECRC determines whether the enhanced cybersecurity requirements are applicable to the agreement.
  3. If the agreement requires compliance with CUI laws and regulations, ECRC forwards the agreement and its assessment to OIT, which coordinates with the project team to develop a System Security Plan (SSP).
  4. ECRC reviews the SSP for completeness, and if the relevant agreement is funded by the DoD, the SSP is registered in the DoD Supplier Performance Risk System (SPRS).

Summary of PI Responsibilities

When an award or contract contains Controlled Unclassified Information (CUI) language, the Office of Sponsored Programs (OSP) routes it to the Export Control & Research Cybersecurity (ECRC) Office for review. If CUI handling is required, ECRC and IT work with the project team to develop a project-specific System Security Plan (SSP) that maps the applicable NIST 800-171 controls and defines the approved computing environment. Principal Investigators are responsible for ensuring that every project team member who will access CUI completes the mandatory CUI/cybersecurity training before handling project data, and that the team consistently follows the SSP: using only the approved system to store, process, or transmit CUI, enforcing access controls, and reporting any suspected loss or unauthorized disclosure to security@emory.edu within 12 hours. Investigators must also alert both ECRC and IT immediately if any change in personnel, project scope, or technology could affect the SSP. At close-out, coordinate with IT to dispose of, return, or archive CUI exactly as the sponsor requires.

CUI Frequently Asked Questions

What is CUI, and why does it matter?

Controlled Unclassified Information is non-public federal information that requires safeguarding or dissemination controls under U.S. law, regulation, or government-wide policy. Sponsors expect Emory to meet the NIST 800-171 standard for protecting CUI, and failure to comply can jeopardize funding and subject the university, and the Principal Investigator, to fines or loss of eligibility.

How will I know if my award involves CUI?

If a contract, grant, or subcontract contains CUI clauses, the Office of Sponsored Programs (OSP) flags it and sends the agreement to the Export Control & Research Cybersecurity (ECRC) Office for review. The PI then receives a notification from ECRC outlining next steps.

What is a System Security Plan (SSP), and what is my role in creating it?

ECRC partners with IT and the project team to draft an SSP tailored to the research. The plan identifies the approved computing environment and maps the required NIST 800-171 controls. The PI must provide project specifics (data flows, software, outside collaborators) so the plan is accurate.

What training is required?

Everyone who will access CUI must complete the online “Mandatory CUI Training” course before handling any project data. Refresher training is required annually, and completion records should be retained by the PI for audit purposes.

Do students and other non-faculty team members need to complete the training?

Yes. Graduate students, undergraduates, postdocs, visiting scholars, temporary employees, and contractors (i.e., anyone with potential CUI access) must complete the training.

Can I store or work with CUI on my own device or cloud account?

No. CUI may be stored, processed, or transmitted only within the IT environment named in the SSP (for example, a secured OneDrive enclave or an encrypted Emory-managed workstation). Personal devices and unsanctioned cloud services are prohibited.

What should I do if I receive CUI that is not covered by the SSP?

Immediately (a) stop working with the material; (b) secure or isolate it without making copies; and (c) email both ECRC and IT. They will advise whether the SSP must be updated or whether the data must be returned or destroyed.

What is a spillage, and how do I report one?

A spillage is any actual or suspected exposure of CUI outside the approved environment; for example, sending CUI to the wrong person, storing it on an unapproved device, or discovering malware on a CUI system. PIs must report spillages to security@emory.edu within 12 hours of discovery. Do not attempt to “clean up” first; preserve evidence and await guidance.

What if my project changes after the SSP is approved?

Notify both ECRC and IT immediately if project scope, personnel, external collaborators, software, or hosting infrastructure changes in ways that could affect the SSP. Early notice prevents accidental non-compliance.

What happens to CUI at project close-out?

Work with IT to dispose of, return, or archive CUI exactly as the sponsor requires and as detailed in the SSP. Obtain written confirmation of proper data disposition and keep it with the project records.