OIT Research and Compliance Information




The evolution of research is firmly rooted in the information technology field, with technologies directly supporting research. OIT is committed to serving the security needs of our campus researchers and partnering when possible to advance the discovery and innovation process at UCCS.

As the cybersecurity landscape evolves, research is a direct target of intellectual property (IP) theft or misuse. Protecting research using cybersecurity best practices should be top of mind for those conducting research. Compliance requirements have become more stringent and encompassing. The Department of Defense (DoD) and the United States federal government require Defense Federal Acquisition Regulation Supplement (DFARS) clauses and Cybersecurity Maturity Model Certification (CMMC), as written into awards, to protect Controlled Unclassified Information (CUI). This website is meant as a support resource for researchers on campus to help navigate these emerging requirements.

Who Can Help Support You?

Research Impact

For research activities that incorporate Controlled Unclassified Information (CUI) by reference (or through NIST 800-171r1 or DFARS 252.204-7012), the Office of Information Technology Security will need to conduct an additional review prior to award acceptance.

Review Process

Once OIT Security is notified of an agreement that may include the requirement to manage CUI, OIT Security will contact the PI or assigned representative to initiate the cybersecurity review. They will work in conjunction with the PI or assigned representative to identify and plan to implement the necessary security controls. Once the review has been conducted, OIT Security will notify OCG whether the computing environment supporting the project will be compliant. At that point, they will finalize the review of the contract.

Getting Oriented

A cookbook for your research security needs and questions: 


Download the PDF here: Research-Compliance-Cookbook.pdf



Download the PDF here: ResearchSecurityOnePagers.pdf



Download the PDF here: DesicionTrees.pdf

What You Need to Know Before You Submit a Proposal

  • Consult with OIT before you submit on your budget and what to include for compliance coverage in your proposal.

Congratulations, You're Funded; Now What?

  • Meet with our OIT team to map out the research security plan.

Training for CUI

Training for CUI is provided by CDSE and the DoD. This training is free and provides a certificate upon completion. This training is mandatory for DoD and Government persons handling CUI. The OIT Security Office highly recommends that researchers handling CUI take this course.



  • Acquisition of equipment and storing equipment:
    • Do not buy equipment from eBay as the supply chain integrity could have been compromised.
    • If the research contract falls under DFARS, ITAR or will be processing CUI data, please reach out to security@uccs.edu for specific guidance on buying compliant equipment for your research needs.

What is Export Control?

Export control regulations are federal laws that prohibit the unlicensed export of certain commodities or information for reasons of national security or protection of trade. Export controls usually arise for one or more of the following reasons:

  • The nature of the export has actual or potential military applications or economic protection issues.
  • Government concerns about the destination country, organization, or individual.
  • Government concerns about the declared or suspected end use or the end user of the export.

The UCCS Export Control Officer can be reached at exportcontrol@uccs.edu. See also Export Control Definitions or Export Controls.

Government Compliance, Including STTR and SBIR and DOD

What is DFARS?

The main purpose of DFARS is to protect the confidentiality of Controlled Unclassified Information (CUI). The regulations apply to all DoD contractors and sub-contractors.

What is ITAR?

ITAR (International Traffic in Arms Regulations) Compliance is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

  • ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only.

What is NIST 800-171v2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)?

NIST 800-171 is a set of technical and non-technical controls and requirements for defense contractors and sub-contractors on how to securely handle CUI data.

  • Publication for NIST 800-171v2
  • As of May 2024, NIST 800-171v3 has been released. However, the DoD has stated that they will be complying with NIST 800-171v2 for now.  

What We Cannot Support

Although UCCS cannot support the architectural needs for an environment to properly secure CUI and certain DFARS export-controlled data, we will work with researchers on a case-by-case basis to help support the research goals.

Campus Wide and Campus Specific Policies:

Last updated May 2024



What does UCCS currently offer for Researchers?

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) FAQs

Where do I find out more about the DoD Cybersecurity Maturity Model Certification?
Who can help me to understand whether UCCS resources meet the standards imposed by the DoD CMMC?
Can UCCS OIT assess and certify my Cybersecurity Measures?
How come UCCS is not certified at the enterprise level?
Is Fundamental Research exempt from CMMC?
Will the University include the cost to comply with CMMC requirements as part of F&A?
When will university-based labs and other research facilities conducting DoD-sponsored research need to be CMMC certified?
Will CMMC 2.0 apply to DoD grants, in addition to contracts?
I have experienced a cyber incident. How does this get reported?

Information Security