Managing Controlled Unclassified Information in Research Institutions

TL;DR

This paper presents a framework for managing Controlled Unclassified Information (CUI) in research institutions, addressing compliance challenges and proposing a cost-effective, secure research data processing workflow to enhance cybersecurity and regulatory adherence.

Contribution

It introduces a novel managed research ecosystem framework for CUI compliance and shares an awareness and training program to expand CUI management practices across institutions.

Findings

Most researchers and IT staff lack understanding of CUI and related regulations.

The proposed framework effectively processes research data for high-level cybersecurity compliance.

The training program supports broader adoption of CUI management in research environments.

Abstract

In order to operate in a regulated world, researchers need to ensure compliance with ever-evolving landscape of information security regulations and best practices. This work explains the concept of Controlled Unclassified Information (CUI) and the challenges it brings to the research institutions. Survey from the user perceptions showed that most researchers and IT administrators lack a good understanding of CUI and how it is related to other regulations, such as HIPAA, ITAR, GLBA, and FERPA. A managed research ecosystem is introduced in this work. The workflow of this efficient and cost effective framework is elaborated to demonstrate how controlled research data are processed to be compliant with one of the highest level of cybersecurity in a campus environment. Issues beyond the framework itself is also discussed. The framework serves as a reference model for other institutions to support CUI research. The awareness and training program developed from this work will be shared with other institutions to build a bigger CUI ecosystem.