The new version of MAC OS X, 10.10 (Yosemite) is expected to be released today, Thursday October 16th, and is currently incompatible with the ClearPass registration system and potentially other services at Rowan.

University Policies

University Policies

Page tree

ROWAN UNIVERSITY POLICY

Title: Controlled Unclassified Information (CUI) Policy
Subject: Information Security
Policy No: ISO:2025:01
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer and Vice President of Research
Responsible Officer: Information Security Officer and Research Department Empowered Official
Date Adopted: 11/17/2025
Last Revision: 11/17/2025
Last Review: 11/17/2025

I. PURPOSE

The purpose of this policy is to establish requirements for the storage, processing, and handling of Controlled Unclassified Information (CUI) in the Rowan computing environment.

II. ACCOUNTABILITY

Under the President, the Chief Information Officer and Information Security Officer shall implement and ensure compliance with this policy. The Chancellor, Vice Chancellors, Vice Presidents, Deans and other members of management shall ensure compliance with this policy and support all research efforts related to CUI accordingly.

III. APPLICABILITY

This policy applies to all members of the Rowan University community who access and use the University’s electronic information and information systems. It presents administrative, physical, and technical safeguards necessary to manage and control access to Rowan’s information systems.

IV.DEFINITIONS

Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.

V. POLICY

All members of the Rowan University community accessing, processing, storing, or otherwise interacting with Controlled Unclassified Information (CUI) must comply with the following elements:

  1. All projects and programs involving CUI must be registered and coordinated with the University’s Divisions of Research and Information Resources & Technology (IRT). Such registration must take place prior to CUI data accessed, processed, or stored by Rowan employees (e.g., faculty members).

  2. Data categorized as CUI must only be accessed, processed, and stored in conjunction with the University’s NIST 800-171 enclave, controls, and policies. This environment provides a Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) Level 2 compliant framework, which are the minimum requirements for CUI per NIST 800-171.

  3. Individuals accessing CUI must be approved to work on an active project with a Technology Control Plan (TCP). All data and information related to this TCP must be handled within the guidelines of the TCP and any applicable Export Control requirements.

  4. At no time may CUI be opened, accessed, processed, stored, or otherwise handled, on standard Rowan University workstations or servers or on any personally owned devices. The dedicated NIST 800-171 enclave is the only authorized location for this activity.

  5. All users with access to CUI and the NIST 800-171 enclave must adhere to all policies, procedures, standards and requirements of that specific environment, in addition to all standard University policies, procedures, standards and requirements.

  6. Individuals with access to CUI must take applicable Security Awareness Training annually. This may require additional training beyond what members of the Rowan community who do not have access to CUI are required to take.

  7. Individuals with access to the NIST 800-171 enclave and/or CUI will not grant access to this data or environment to unauthorized individuals.

  8. Upon termination of the relationship between Rowan and any individual with CUI access, all access to CUI data will be immediately revoked.

  9. Individuals who are not active in the NIST 800-171 enclave for a period of 90 days will have their accounts disabled.

  10. Transfer of data to external storage devices (including USB) is restricted to only authorized devices which comply with the requirements outlined in the Rowan University CUI Media Protection Standard. Most notably, the following requirements must be adhered to:

    1. Identification and marking of all media with CUI data (i.e., digital, non-digital)

    2. All system media, digital and non-digital, containing federal contract information (FCI) or CUI that are subject to disposal or reuse must be sanitized.

    3. Do not store CUI on unencrypted portable storage devices (i.e., removable media).

    4. The Information Security Officer, Empowered Official or individuals (e.g., Lab Director) with assigned oversight responsibility for maintaining the appropriate operational security posture for any information system or enclave are responsible for identifying and documenting the specific CUI systems on which approved removable media may be used, if any. 

  11. All individuals with access to CUI understand that the nature of this data requires them to be subject to monitoring, security controls and logging above and beyond the Rowan University standard. All controls and monitoring are in accordance with United States federal requirements as outlined in the NIST 800-171 and CMMC requirements.

  12. Members of the Rowan community and affiliates who are aware of any violations of this policy are required to report said violations to the Research Department Empowered Official, Chief Compliance Officer and/or the Information Security Officer immediately.

  13. Funds related to computing resources will be recovered/provided by the associated research funding utilizing said resource.

VI. NON-COMPLIANCE AND SANCTIONS

Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University, as well as civil and criminal penalties including reporting to local, state, and federal employees as required by law. Sanctions shall be applied consistently to all violators. Any exceptions to this policy must be approved by the Information Security Office.


By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer