Classified or Restricted Research
Contents
Sponsors may impose restrictions on personnel, access to facilities, or information sharing. Pay close attention to the Request for Proposal or the Notice of Funding Opportunity where it lists the classified or restricted research requirements.
Review this tool for Identifying Key Terms in Solicitations for help recognizing whether Classified or Restricted Information will be part of the project.
Faculty Council on Research (FCR) Approval
There are specific circumstances where FCR approval is required prior to the University accepting any of the following:
- Prohibits the open publication or dissemination of research results within a reasonable period of time.
- Restricts participation on grounds other than interest or competence.
- Restricts access to campus facilities in ways that are judged to disrupt the overall research activity of the University.
If the proposal solicitation or resulting award contains provisions that seek to limit participation, access to facilities, or the freedom of the investigators to publish or not to publish the results of such research, the PI must submit the project details for review on the FCR review intake form.
If the proposal solicitation or resulting award contains provisions that seek to limit participation, access to facilities, or the freedom of the investigators to publish or not to publish the results of such research, the PI must submit the project details for review on the FCR review intake form.
Classified or Restricted Information
When using the tool for Identifying Key Terms in Solicitations, pay close attention to references to DD Form 254, National Industrial Security Program Operations Manual (NISPOM), NIST SP 800-171, federal contract information and controlled unclassified information.
These requirements will have implications for determining the feasibility of applying, budget impacts, and if awarded, impacts to managing the project.
Classified Research at the UW
Classified information is information or material deemed by government officials to be so sensitive that it must be protected. Laws or regulations restrict access to such classified information to people with the necessary security clearance and “need to know.” In some instances, misuse and mishandling of the material can result in criminal penalties. Please review the official definition of Classified Information.
The University of Washington is a cleared defense contractor with an active Facility Clearance Level (FCL) under the National Industrial Security Program Oversight (NISP). The UW NISP is centrally managed and locally implemented. The FSO provides oversight and standards.
UW PIs/Campus units pursuing classified research must coordinate with the UW FSO to establish a compliant, department-level security program before initiating work with classified information. Project personnel must also obtain security clearance through the FSO.
Pre-Contract Requirements for Classified Research
When routing the eGC1, please select the “Classified Information” checkbox for Question D-1 on the nonfiscal compliance page of the eGC1. This applies to federal or federal flow-through funding from non-federal sponsors.
Before entering into a contract or accepting funding involving classified information, the PI must obtain:
- Confirmation from the Faculty Council on Research (FCR) approving restricted research
- Coordination and approval from the UW FSO, including:
- Verification of appropriately cleared and trained personnel
- Validation of facilities and resources to support the effort
- Fully executed DD-254 or other official security specification document
For guidance, contact the UW Facility Security Officer (FSO) at uwfso@uw.edu.
Exception: NAVSEA and Basic Operating Agreement (BOA) contracts. While overall contracts have FCR approval, individual classified task orders require a signed DD Form 254 and FSO approval on the eGC1.
Classified research contracts require compliance with NIST SP 800-171 for Controlled Unclassified Information (CUI). Some projects may also require accredited classified IT systems under NISPOM and adherence to the NISPOM Risk Management Framework (RMF), which provides a structured process for managing cybersecurity risks. Please review the following section on Research & Secure IT Computing for more information.
Research & Secure IT Computing
Many sponsors have specific IT security standards which must be in place which include using secure IT environments. In many cases, these standards are in place for national security purposes.
Secure IT Environments are an expense that you must include in your proposal budget. Some sponsors also have specific certification requirements at time of proposal submission.
Review the following guidance on:
- Feasibility Review & IT Director Feasibility Memo
- What is Cybersecurity Maturity Model Certification?
Feasibility Review & IT Director Feasibility Memo
When a project will be handling Restricted Access Data, which can include federal contract information, or controlled unclassified information, you will need to follow these feasibility review & memo steps.
Before preparing and routing your proposal on an eGC1:
- Identify the Computing Environment you intend to use for the restricted access data.
- Contact UWIT via help@uw.edu use the subject line: “”Controlled access computing environment”.
- UW IT will help assess whether an environment is meeting the sponsor requirements and project needs.
- After UWIT assessment, the IT Director of the environment you use will issue you the IT Director Feasibility Memo.
- Note: Individuals at the UW must have UWIT approval to register IT systems in the federal Supplier Performance Risk System (SPRS). UWIT vets the SPRS entry beforehand.
Key steps after receiving signed IT Director Feasibility Memo
After you have a signed Feasibility Memo from the authorized IT Director:
- Route your proposal at least seven days in advance of sponsor deadline:
- Build the cost of the IT environment into your proposal budget
- Select “Federal Contract Information” or “Controlled Unclassified Information” checkbox for Question D-1 on the nonfiscal compliance page of the eGC1.
- Provide OSP the signed IT Director Feasibility Memo attached to the eGC1
OSP cannot submit a proposal that requires the UW to certify at the time of proposal that we have a registered IT environment without a signed IT Director Feasibility Memo.
What is Cybersecurity Maturity Model Certification?
The Department of War Cybersecurity Maturity Model Certification (CMMC) program formalizes how DoW intends to assess contractor cybersecurity practices and safeguard sensitive unclassified information across its industrial base.
When CMMC is part of a project, applicant certification is required at the time of proposal or when requested from a pass-through entity. In these cases, you must follow steps to secure Feasibility Review & the IT Director Memo.
Should the UW receive an award, all covered individuals will need to complete CUI training before the UW can accept the contract. Contact researchsecurity@uw.edu for further CUI training instructions.
Does CMMC apply to a proposal?
Review:
Policy, Regulation, and Guidance
- GIM 01 – Review and Submission Requirements for Proposals
- Export Control Measures
- Executive Order 8: Classified, Proprietary, and Restricted Research
- Homeland Security Presidential Decision Directive 12 (HSPD-12)
- National Institute of Standards and Technology (NIST)
- Defense Federal Acquisition Regulation Standards (DFARS) 252.204-7012
- Set up: Classified Research