The CUI Program at Boulder is a cornerstone of the university’s broader commitment to research compliance, information security, and institutional integrity. Through this program, Boulder ensures that research involving federally controlled information meets all safeguarding and dissemination requirements established under 32 CFR Part 2002 and related federal standards.
Protecting Controlled Unclassified Information (CUI) is both a federal requirement and a strategic advantage for Boulder. By meeting CUI standards, the university safeguards sensitive research data, protects students and faculty, and upholds the integrity of federally funded projects.
Strong CUI compliance demonstrates Boulder’s commitment to research excellence and trustworthiness, positioning the university to compete for complex, high-value federal awards and partnerships. In short, protecting CUI protects our people, our research, and our reputation. Our proactive approach to CUI compliance strengthens Boulder’s leadership in national research partnerships and prepares the campus for related Department of Defense Cybersecurity Maturity Model Certification (CMMC) requirements.
What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is federally defined information that requires protection from unauthorized access or release, even though it is not classified. It includes data created by, for, or on behalf of the U.S. government that must be safeguarded under laws, regulations, or federal policies.
CUI can appear in sponsored research or contracts that may reference CUI or Cybersecurity Maturity Model Certification (CMMC). When these requirements apply, researchers at Boulder must use approved secure environments and follow Boulder’s CUI Policy and.
Understanding whether your project involves CUI is the first step in protecting sensitive information and maintaining Boulder’s strong research partnerships.
CMMC is a unified assessment model created by the Department of Defense (DOD) in response to the growing threat of cyberattacks and data theft from defense contractors. CMMC is designed to ensure that DOD contractors and subcontractors adequately safeguard two categories of sensitive government information: CUI and Federal Contract Information (FCI).
While DOD contractors have already been subject to information security requirements in DFARS and FAR clauses, CMMC builds on existing requirements by requiring all DOD contractors and subcontractors who handle CUI and FCI during contract performance to certify compliance with security controls via mandatory self-assessments, third-party assessment, and affirmations of compliance.
The type of data (i.e., CUI or FCI) and the sensitivity of the contract being performed dictate the type of assessment and the security controls that apply.
The CMMC framework is broken out into three levels:
- CMMC Level 1 applies to contractors and subcontractors that store, process, or transmit FCI. CMMC Level 1 includes 17 of the NIST SP 800-171 security requirements, which are listed in the FAR 52.204-21 Basic Safeguarding clause, sections (b)(1)(i) through (b)(1)(xv). Level 1 requires a contractor’s self-assessment, conducted annually.
- CMMC Level 2 applies to contractors and subcontractors that store, process, or transmit CUI. CMMC Level 2 consists of 110 requirements that correspond with the requirements found in NIST SP 800-171A. Level 2 requires either a self-assessment, conducted annually, or an external assessment conducted by a certified third-party assessor, conducted every three years.
- CMMC Level 3 applies to a select group of contractors that store, process, or transmit high-value CUI, as determined by DOD. CMMC Level 3 includes all Level 2 requirements, as well as 24 selected requirements from NIST SP 800-172. All Level 3 certifications require a DOD-conducted assessment every three years. Level 3 will be phased in November 2027.
For more information about the Cybersecurity Maturity Model Certification (CMMC) and how it applies to research at Boulder, visit the Research Security: Cybersecurity and CUI page.
Key Takeaways
- CUI requires safeguarding. CUI is federal information that must be protected from unauthorized access or release under law and policy.
- Compliance supports excellence. Boulder’s Research Cybersecurity Program, the Office of Contracts and Grants (OCG), and Office of Compliance, Ethics and Policy (OCEP) partner with researchers to ensure projects meet federal and university standards.
- Action is required. Before handling CUI, complete the updated CUI – u00189 training in Percipio, review the CUI Policy and CUI Data Use Standard, and coordinate with OCG and OIT Security for a compliance review.
- Compliance builds trust and opportunity. Adhering to CUI requirements protects sensitive information, advances research excellence, reinforces sponsor confidence, and sustains Boulder’s competitiveness for future funding.
Am I Working with CUI?
A guided self-check section to help researchers determine whether their project involves CUI.

This simplified decision guide helps researchers quickly determine whether their project involves Controlled Unclassified Information (CUI). Start by confirming whether your work is funded by or conducted with a U.S. federal agency or defense contractor; most CUI originates from these sources. Next, check whether your award or contract includes references to NIST 800-171r2, DFARS clauses, or other data protection requirements. If so, determine whether you will receive, create, or store information the sponsor identifies as CUI. Finally, assess whether you or your team will handle that information directly. If any step leads to a “yes,” your project involves CUI and must use a secure environment such as the Preserve, with support from the Office of Contracts and Grants, OIT Security, and Compliance as needed.
Roles and Responsibilities Across Campus
Managing Controlled Unclassified Information (CUI) at Boulder is a shared responsibility across departments, researchers, and campus support offices. Principal Investigators, Department Managers, and Users each play key roles in maintaining secure practices, while central offices (such as the Office of Contracts & Grants, OIT Security’s Research Cybersecurity Program, and the Office of Compliance, Ethics and Policy) provide oversight, guidance, and system support. Together, these groups ensure the campus meets all CUI requirements and protects sensitive research data.
An employee who has organizational and/or contractual responsibilities to ensure compliance of other Persons in their department or on their research project. The PI or department manager is responsible for ensuring that:
- All requests for system access and project groups have been properly vetted.
- Access is approved only for people who have a business need to use the system and meet the criteria specified in the research contract. This may require proof of U.S. person status.
- All Users have access only to data required for their job role.
- Access is removed (de-provisioned) for Users who change job roles or are terminated.
- Periodic access reviews are conducted for project groups and systems.
- Project teams and staff have completed CUI campus, CUI system-specific, and sponsor- or contract-required training and any training.
- All project teams and staff have reviewed system-specific procedures and signed CUI system-specific user agreements.
- CUI System Administrators are notified when a person leaves a project, has a change of position, or leaves the institution in a way that requires removal of or a change to access.
- Staff and project team have university-managed or university-owned devices for accessing the CUI System.
- The Software Vetting Guidance is followed for any software applications brought into the CUI System to run on the infrastructure.
- The guidance for self-written software code contained in the Software Vetting Guidance is followed.
- Changes made to infrastructure that project teams manage in the environment are tracked, reviewed and logged if it is not being managed by the CUI System team.
- Physical access to secure spaces is monitored and controlled, in conjunction with the Division of Public Safety.
- In the event of an incident, their staff are available to participate as needed in risk assessment, containment and evidence capture activities.
A user is any Person that uses, accesses, processes, shares, or generates CUI as part of their job, i.e., a researcher. The user is responsible for:
- Following the campus CUI Policy, CUI Standards and CUI System-specific policies and standards.
- Completing required campus, system and contract-specified training.
- Protecting CUI data they encounter during daily activities.
- Notifying I-Incident@colorado.edu if an incident related to CUI is suspected.
- Signing User Agreements for CUI Systems.
- Not sharing CUI data with another internal or external party unless the other party is an authorized internal or external user. This includes sharing or emailing files, sharing screens, taking screen captures and holding meetings where unauthorized persons can hear or see CUI.
- Only accessing CUI systems with a university-managed (preferred), university-owned, or sponsor-approved device.
- Not downloading CUI to unauthorized devices.
- Joining from a CUI System when in receipt of a link to a sponsor’s meeting where CUI information will be discussed or shared.
- Requesting access for people who have a business need to use the CUI System.
- Participating in Security Incident Response investigations as needed.
Identifies and tracks research agreements that have clauses or other indications that projects will require handling CUI and manages negotiations of contract clauses with sponsors. OCG maintains awareness of campus system capabilities for compliance with sponsor requirements and refers Principal Investigators (PIs) to the Office of Information Technology Security and/or system owners for consultation on system needs, requirements, and cost for projects that require handling CUI.
OIT Security Role - Assesses CUI Systems for compliance with CUI security controls, recommends systems for authority to operate, and creates templates for the System Security Plan, the Plan of Action and Milestones (POA&M), and security documentation.
Facilitates decision-making, risk assessments, and communications within the CUI Steering Committee and with campus stakeholders. Manages the CUI Program, including maintaining timelines, requesting and balancing resources and workloads, and driving towards key CUI campus strategies including certifications, certification renewals and expansion or contraction of CUI services for the campus.