Important information for proposers

All proposals must be submitted in accordance with the requirements specified in this funding opportunity and in the NSF Proposal & Award Policies & Procedures Guide (PAPPG) that is in effect for the relevant due date to which the proposal is being submitted. It is the responsibility of the proposer to ensure that the proposal meets these requirements. Submitting a proposal prior to a specified deadline does not negate this requirement.

Dear Colleague Letter

Controlled Unclassified Information (CUI) Program at the National Science Foundation (NSF)


Dear Colleagues:

In January 2021, the National Science Foundation established its Controlled Unclassified Information (CUI) program in accordance with Executive Order 13556 and Implementing Directive 32 CFR Part 2002. This government-wide initiative is an information security reform designed to address the inconsistent policies and markings that federal agencies use to control sensitive, unclassified information. This Dear Colleague Letter (DCL) introduces our external partners to the CUI program at NSF, and its importance.

What is CUI?

CUI is information the government creates or possesses, or that another entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits agencies, including NSF, to safeguard or control its dissemination. CUI includes certain records generated internally by NSF (e.g., personnel files, deliberative internal recommendations, analyses, and Inspector General investigational materials). CUI also includes certain records collected by NSF from external sources (e.g., grant proposals, statistical data protected by law).

What are the CUI requirements?

NSF is required to mark and safeguard the dissemination and storage of CUI according to applicable laws, regulations, and federal policies. CUI requirements include:

  • Marking – Materials containing CUI must be identified and marked accordingly.
  • Protection – CUI materials must be stored in protected digital and physical environments.
  • Sharing – CUI may be shared only with those with a lawful government purpose.
  • Destruction – When CUI is no longer needed, it must be destroyed or decontrolled.

How do CUI requirements apply to me or my institution?

NSF is required to ensure that CUI requirements are followed not only by its own staff and contractors, but also when NSF shares or discusses CUI with any other “authorized holder” of CUI. An "authorized holder" includes any outside individual, agency, organization, or group of users who have been authorized to handle, possess, use, share, or receive such CUI, or authorized to operate, use, or have access to federal information and information systems on behalf of the agency. Thus, CUI requirements may apply if NSF shares or discusses CUI with you or your institution, or you or your institution are given access to NSF systems containing CUI. For example:

  • You are an NSF merit review panelist. NSF provides you with nonpublic access to grant proposals, so you can prepare your written reviews and discuss the proposals confidentially with other reviewers in a closed panel meeting. Since NSF treats grant proposals as CUI, you must treat these proposals as CUI, and you may not share, discuss, or disclose the proposals with anyone else except as permitted by NSF. See NSF Confidentiality and Conflicts-of-Interest Statement (Form 1230P). Because your written reviews will discuss these proposals, your reviews, and any e-mails you exchange with NSF program staff about the proposals will also be treated and designated as CUI. Similarly, internal NSF minutes of panel meetings about these proposals will also be treated and marked as CUI in NSF's records systems.
  • You are a PI and submit a grant proposal to NSF. NSF will treat and designate your proposal as CUI in its records systems. You are also free to mark your proposal as confidential when you submit it. If an NSF program officer communicates with another NSF program officer, NSF contractor, or NSF panel reviewer about your proposal, any copy of that communication will be treated and marked by NSF as CUI. In contrast, if the NSF program officer communicates directly with you about your own proposal, the program officer will not mark the communication with you as CUI. On the other hand, NSF's copy of any communications with you about your proposal remains confidential and will be treated and designated as CUI in NSF’s own systems. Thus, while you are not prohibited from disclosing communications between you and NSF about your proposal with anyone you choose, NSF will still treat those communications with you, like your proposal itself, as confidential and CUI.

Where can I learn more?

As referenced in 32 CFR 2002.2(4), the National Institute of Standards and Technology (NIST) Special Publication 800-171 contains the standards for protecting CUI in non-federal information systems, which may apply if you are a reviewer or otherwise acting on behalf of NSF. Please consult the CUI webpage on nsf.gov to learn about CUI and NSF's CUI Policy. Visit the National Archives and Records Administration CUI Registry webpage for information on CUI categories, markings and controls, CUI training, executive orders, and more.

This DCL is an overview and is informational only. It is not intended as, and should not be relied upon, as legal advice or guidance for specific cases or situations. Please direct questions, suggestions, meeting requests, and concerns of erroneously marked materials to cui@nsf.gov.

We look forward to your continued collaboration and input.

Victor Powers
CUI Senior Agency Official (SAO)
Division Director 
Division of Administrative Services (DAS)

OTHER CONTACTS:

  • Dorothy Harris, CUI Program Manager cui@nsf.gov
  • Rebecca S. Keiser, Chief of Research Security Strategy & Policy rlkeiser@nsf.gov
  • Sarah Stalker-Lehoux, Deputy Chief of Research Security Strategy & Policy sstalker@nsf.gov