Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI)

---

Training Plan

Required Training/Review:  All personnel (PI’s, managers, administrators, etc.) involved in CUI/RCE will need to complete the following training.

1. Complete the DoD Mandatory Controlled Unclassified Information (CUI) Training.  This provides an overview of recognizing, marking, and safeguarding CUI data.  It is located at the following link DoD Mandatory Controlled Unclassified Information (CUI)
   1. Read through the webpage which provides an overview of what the course covers/provides.
   2. Scroll down to the bottom of the page and click on “Start Course”.
   3. Upon completing the course print off the certificate provided to be used as confirmation of course completion.  This will be provided to the Data Steward (PI) and to the College Security Point-of-Contact (POC).
2. The annual cyber awareness challenge training from the DoD Cyber Exchange.
   1. It is free and open to the public as a self-guided course.
   2. Upon completing the course print off the “Certificate of Completion” to be used as confirmation of course completion.  This can be provided to the Data Steward (PI) and to the Russ College Security Point-of-Contact (POC).
3. Review of the Project specific System Security Plan (SSP).
   1. This document will use the RCE SSP template which may be customized based on project need/requirement.
   2. A copy of the Project SSP will be retained by the Data Steward and the POC.

Items 1 and 2 will need to be completed for any project that is processed through Ohio University, that includes contract language pertaining to CUI handling, before the project can be implemented financially and technically.  Item 3 will only be needed if the project is expected to receive, manipulate, produce, or provide CUI during the period-of-performance identified by the project contract.  

Supplemental Training Material

Review of this material can be required by the Data Steward for their specific project with a signature sheet being signed by the authorized user indicating the date when the review was completed.

1. Ohio OIT "Data Security and Privacy" training from the Ohio EVERFI website.  This training will need to be scheduled with OIT Security through the POC.
   1. After enrollment, an email should be received to link you to the self-guided training.
   2. Upon completing the course print off the “Certificate of Completion” to be used as confirmation of course completion.  This will be provided to the Data Steward (PI) and to the Russ College Security Point-of-Contact (POC).
2. Review of the current NIST 800-171 document and associated supplemental materials. This link will need to be updated to account for additional revisions.
3. The National Archives has a location for CUI . This provides background information on CUI and a CUI Marking handbook.
4. Review the DFARS clauses (252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021) or Part 252 Solicitation Provisions and Contract Clauses that generally are used contractually to call out Cyber Security, CUI, and NIST 800-171 compliance as well as definitions and reporting requirements.
5. The DoD Cyber Exchange has additional self-guided training that might prove useful in mitigating and explaining cyber security.
6. The Center for Development of Security Excellence (CDSE) also provides additional information and training material. It also provides useful information for all types of security (physical, cyber, Personal Information, etc.)
7. Additional information/training maybe found on the Security Training, Education and Professionalization Portal (STEPP)

Please complete the Controlled Unclassified Information (CUI) Training Requirements Compliance Agreement .