Controlled Unclassified Information (CUI) Policy

Effective: November 1, 2025 

Approved by: Justin Schwartz, Chancellor

Policy Owner: Office of Compliance, Ethics and Policy (OCEP)

Policy Contact: Information Security Officer

Supersedes: N/A

Applies to: Faculty, staff, students, CU affiliates

I. Introduction

On November 4, 2010, Federal Executive Order 13556 Controlled Unclassified Information (the Order) established a comprehensive Controlled Unclassified Information (CUI) Program for the Executive Branch of the government (Government) and all agencies. The Order designated the National Archives and Records Administration (NARA) to serve as the Executive Agent to implement and oversee federal agency actions to ensure compliance with the Order. The Order was further codified by 32 CFR Part 2002 Controlled Unclassified Information as published in the Federal Register on September 12, 2016, which established the National Archives and Records Administration (NARA) as the governing federal agency overseeing CUI.

The following policy is established to maximize the University’s (CU) ability to abide by its legal commitments and comply with the rules and regulations of the Government CUI Program. All CU employees, students, and affiliates who are authorized to use University IT resources and to receive, access, process, store, generate, or transmit information as part of their CU responsibilities and designated as CUI by NARA or Federal Agencies are subject to this policy.

II. Definitions

Controlled Unclassified Information: means any information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or allows an agency to handle using safeguarding or dissemination controls. It is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and Federal Government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

CU Person: This includes all individuals who are authorized to use University IT resources and may hold roles such as:

  1. CU faculty, researcher, staff, and student.
  2. IT Service Provider
  3. Person of Interest (POI): an individual affiliated with the university but not paid as an employee for official university needs.
  4. Sponsored Affiliate: an individual affiliated with the university for official university needs when an HR appointment, including POI, is not a possibility.
  5. An individual who may be authenticated by external means and authorized by a CU IT service provider to access CU-managed IT services or data (e.g., an external research collaborator or contractor authenticated via federated techniques).

IT Resource: Computers, networking equipment, storage media, software, and other electronic devices that store, process, or transmit University information. In the context of IT security policy, this includes all IT resources that are owned, leased, licensed, or authorized for use by the University.

III. Policy Statement

  1. CU will establish and maintain a CUI program to address legal and contractual requirements for handling information as prescribed by NARA and federal agencies.
  2. CU Persons who handle CUI are responsible for safeguarding CUI in accordance with this policy and the standards, guidelines, and best practices established by the university’s CUI program. CU Persons may have additional responsibilities based on their use of CUI as specified in the CUI Standard.
  3. CU’s CUI program will facilitate CU Persons fulfilling safeguarding responsibilities by providing resources, including training and coordinated campus website(s), devoted to providing information regarding the CU CUI program. The training and resources shall include specific information for identifying CUI, appropriately marking CUI, requirements for controlling and protecting CUI information, and handling and reporting of incidents related to CUI as required by applicable Federal laws, rules, regulations, and contractual requirements.
  4. CU persons who handle CUI must complete all applicable training as defined in the CUI Standard or specified by their role.
  5. CU’s secure enclave(s) must operate under the unified governance structure leveraging campus-wide interdependencies to ensure coordination and oversight.
  6. The Senior Vice Chancellor for Research (SVCR), the Vice Chancellor for IT (VC for IT), and Information Security Officer (ISO), in coordination with the Office of Compliance, Ethics and Policy (OCEP) are responsible for:
    1. having the ultimate authority and oversight of CUI on campus;
    2. establishing and maintaining CU’s CUI program;
    3. establishing CU’s CUI Compliance Steering Committee with representative campus stakeholders to participate thereon;
    4. reporting CUI-related incidents, in consultation with University Counsel, in accordance with Federal Requirements;
    5. reviewing and reporting on program effectiveness to the University Executive Leadership Team (UELT);
    6. executing any other related responsibilities as assigned by the Chancellor or their designee(s).
  7. CU’s CUI program includes a CUI Compliance Steering Committee. Members of the Committee shall include a cross-representation of campus stakeholders. The duties of the steering committee include but are not limited to the following, as established in the committee’s charter:
    1. creating, revising, and publishing campus CUI standards, best practices, and resources supporting the campus CUI program;
    2. developing and maintaining CUI training content, including the frequency of trainings;
    3. proactively communicating with appropriate campus stakeholders regarding the shared responsibilities of interacting with CUI in accordance with standards, best practices, training, and resource information;
    4. periodically reviewing and approving updates to this Policy and the campus CUI standard.

IV. Procedures

Any CU Person who handles CUI in violation of Federal law, Contractual requirements, or University or Campus policy is subject to loss of privileges, disciplinary action, personal liability, and/or criminal prosecution. Further, CU may temporarily block or remove CU IT resource access when CUI is mishandled or used for inappropriate or illegal use.

If there is a need outside of the campus CUI IT solution, a department or unit may support an additional enclave if it meets the minimum requirements as set out in the CUI standards, is vetted through the Office of IT Security, and is approved by the CUI Steering Committee.

The SVCR, along with the VC for IT, shall, as determined by the circumstances of a potential policy violation, work with the appropriate University offices such as University Counsel, the Office of Student Conduct (in cases involving students), the CU Police Department, Infrastructure and Resilience, Office of Contracts and Grants, the Office of Research Integrity, deans and directors, supervisors and others to enforce the CUI Policy.

Exceptions to the CUI Policy will be considered on a case-by-case basis by contacting the Office of Compliance, Ethics and Policy at: compliance@colorado.edu. Exception requests will be reviewed by the CUI Program Manager and Office of IT Security and may be forwarded to the SVC for Research and VC for IT for final decision.

V. Related policies, forms, guidelines and other resources 

  1. Acceptable Use of CU's IT Resources Policy
  2. CUI security requirements; refer to relevant project contract to determine whether revision 2 or 3 is applicable:
  3. DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

VI. History

  1. Adopted: January 1, 2025
  2. Revised: November 10, 2025
  3. Last Reviewed: November 10, 2025