Computing for Restricted Access Data

CUI is non-classified federal information created or managed by the U.S. Government or by entities such as the University of Washington on the Federal government’s behalf. Any entity handling CUI must comply with federal security controls, as overseen by the National Archives and Records Administration.

Examples of CUI include:

• Research findings funded by a federal agency (NASA, NIH, DoD, Dept. of Education, Dept. of Energy, Dept. of Commerce, etc.).
• Data related to infrastructure, healthcare, or export-controlled technologies.
• Clinical trials and study data, PII.
• Sensitive student or institutional data shared with federal entities.
• Genomics Data, Patient, and Healthcare Data.
• Biodefense and public health data.

UW’s Responsibility to Protect CUI

As a recipient of federal grants and contracts, the University of Washington must handle Controlled Unclassified Information (CUI) in compliance with federal regulations. This obligation impacts how researchers manage, store, and share sensitive information.

Non-compliance with CUI regulations can result in serious risks, including data breaches, fines, litigation, reputational harm, and loss of future funding opportunities. Protecting CUI ensures data security, safeguards researchers, and upholds the University’s commitment to federal partnerships.

When CUI Compliance is Required

CUI compliance may be required if:

1. Your sponsor indicates that data in your award/contract is designated as CUI.
2. Your request for proposal/solicitation, award, or contract includes one of the following:
   • 32 CFR 2002: Controlled Unclassified Information
   • FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
   • Data classified as CUI under a data use agreement or similar legal document.
   • NIST SP 800-171 security requirements, even if CUI is not explicitly mentioned in the contract.
   • DFARS 70 series clauses 7008, 7012, 7019, 7020, and/or 7021 or other specific security requirements.

Still unsure if your project requires CUI compliance? Use the CUI Registry to identify information subject to CUI laws, regulations, and policies including required handling and security controls.

Additional CUI Resources

• About CUI | National Archives and Records Administration
• Federal CUI Policy & Guidelines | National Archives and Records Administration
• FAQs about CUI | National Archives and Records Administration

Recent Changes to NIH Data

The NIH has updated its security standards for Approved Users of controlled-access data under the Genomic Data Sharing (GDS) Policy. Beginning January 25, 2025, adherence to the updated NIH Security Best Practices for Users of Controlled-Access Data will be required in all new or renewed Data Use Certifications or similar agreements.

Approved Users with agreements established before January 25, 2025, must follow the current NIH Security Best Practices for Controlled-Access Data until their project is either closed or renewed.

Users Required to Meet the New Standards

The updated compliance requirements apply to:

1. Approved Users of NIH-controlled human genomic data:
   • This includes users accessing data from repositories like the Database of Genotypes and Phenotypes (dbGaP).
   • Visit the NIH webpage for a complete list of repositories implementing NIH Security Best Practices.
2. Developers and infrastructure providers:
   • Includes those building or testing platforms, pipelines, tools, and interfaces that store, manage, or interact with NIH-controlled human genomic data.
   • Also applies to infrastructure development and repository maintenance teams.

What Researchers Need to Do

• Use a UW recognized computing environment for CUI and NIH data.
• Consult with and receive confirmation from the IT Director for the computing environment.
• Develop and maintain an approved System Security Plan (SSP).
• Secure a Cloud Computing Use Statement if applicable.
• Complete required training. Contact researchsecurity@uw.edu for further instructions.
• Follow OSP guidance on how to request datasets from dbGaP.

The CSDE remote computing environment is an on-premises Windows remote desktop environment intended for Public to Sensitive data Research computing in the social sciences and features a variety of pre-licensed software. Both windows and linux systems are available. The environment is aligned with CMMC 1.0 and may host data classified at category 1-3 (Public or Sensitive, and some confidential) Washington State’s Data Classification Standard SEC-08-01-S

IT Director

• Matt Weatherford

Eligible Users

• CSDE Research Affiliates and their Co-PI’s.
• Any UW student who pays the Student Technology Fee.

Cost

• Faculty and Staff: $1500 per person per year plus project storage billed annually by the Terabyte ($1000 per tb / year).
• Students who pay the Student Technology Fee: Free.

Contact

• Email mbw@uw.edu for more information.

The UWDC provides a NIST 800-171 / CMMC 2.0 aligned secure data enclave service designed and built for hosting and conducting collaborative research with CUI. This Windows remote desktop service is intended to host data that is classified as Category 3 (confidential data) or Category 4 (confidential data requiring special handling) data based on Washington State’s Data Classification Standard SEC-08-01-S. This includes administrative and survey datasets that contain PII and/or PHI.

The service implements a full set of NIST 800-171 controls, including encryption at rest and in transit, vulnerability management, and active monitoring, and uses a human vetting process for all data transfers in and out of the data enclave to prevent data exfiltration and unauthorized disclosure.

IT Director

• Matt Weatherford

Eligible Users

• CSDE affiliates (this group is given priority access).
• Other researchers affiliated with UW.

Cost

• Typical contract fee is appx. $20,000 for the first year and $10,000 for each subsequent year.
• Rate varies on multiple factors like data type, required storage, volume and type of use, and required CPU processing power.

Contact Information

• Visit the UW Data Collaborative website for more information.

The Northwest Federal Statistical Research Data Center (NWFSRDC) provides researchers a secure physical and virtual environment, operated by the U.S. Census Bureau, to access non-public data from federal agencies and to conduct statistical analyses employing these data. The NWFSRDC is part of a unique network of over 30 open Federal Statistical Research Data Centers (FSRDCs) located within leading U.S. research institutions. The FSRDC program is a flagship program of the Interagency Council on Statistical Policy.

A key attribute of much of the data available through FSRDCs is their ability to be linked, allowing for the creation of complex datasets that extend research capacity. This access to linked and linkable, non-public data is crucial for advancing research in numerous fields, providing insights that would otherwise be unattainable. Additionally, data available through FSRDCs may also be linkable to data provided by researchers.

IT Director

• Carlos Becerra

Eligible Users

• Qualified researchers who meet the following conditions:
  • Have resided in the US for 3 of the last 5 years.
  • Have an approved research project.
  • Can obtain Special Sworn Status (SSS).

Note: Project application review can take between 6 to 12 months, and the SSS application process can take an additional 3 to 5 months.

Cost

• Combination of access fees, data fees, and the SSS application fee.

Note: Researchers should contact the NWFSRDC for specific fee information applicable to their project and affiliation.

Contact

• Reach out to carlos.becerra@census.gov for more information.