Email, Safeguards for Email Containing CUI
As a subcontractor for the federal government, the University is required to handle controlled unclassified information (CUI) in a manner compliant with federal standards. When communicating via email, federal agencies may label their email as CUI. The University utilizes Proofpoint to protect CUI-flagged emails and enforce federal requirements for their handling and distribution.
What is CUI?
CUI is a designation for non-classified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. Please see Research IT's CUI resource page for more information.
Why are some emails considered CUI?
Generally, Federal government entities or entities working on behalf of the federal government will include a CUI designation in electronic communications if required. Proofpoint checks the subject line and body of an email for CUI-related markings. If it detects these in incoming or outgoing email, it will flag the email as CUI and apply certain policies.
CUI Flagged Email
Emails with CUI markings will not be delivered directly to mailboxes. Instead, an email will come in from the original sender with the original subject line, but the text will display as follows:
The "Click here" link in the email will direct the user to a secure mailbox at mail-encrypt.uillinois.edu. This portal will require sign-in with University credentials and 2FA.
These emails will be displayed with a banner informing the end user that the message contains CUI and will link back to this article.
Important Note: Additional processing for CUI emails will slow down delivery. As such, it may take a few moments after receiving the email for it to show in the quarantined mailbox. If you get an error, please wait a few minutes before trying to access the email again.
Per Federal guidelines, emails flagged with CUI are treated differently than regular email. Incoming CUI emails will be quarantined, encrypted, and restricted from forwarding. CUI emails, both incoming and outgoing, will be flagged internally, quarantined, and tracked. The encrypted email portal will automatically log out after a period of inactivity. Please note that decryption keys have an expiration time, after which the emails will no longer be available.
Dissemination of CUI is intended to be limited to those with a direct need to access the information. Please exercise caution and good judgement in storage and sharing of emails labeled as CUI.