In addition to basic protection of research data, there may be additional compliance requirements involved in some sponsored research contracts and grants. Below are some commonly seen requirements to pay special attention to.
FAR
The Federal Acquisition Regulation (FAR) is the principal set of rules regarding government procurement in the United States and covers many of the contracts issued by the US military and NASA, as well as US civilian federal agencies. It contains standard provisions and contract clauses, which can apply in federal research contracts that contain Federal Contract Information (FCI).
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems (15 controls)
OIT provides the Secure Research Environment (SRE) to help comply with these requirements.
OIT also provides guidelines for how to use OIT Enterprise Infrastructure services in order to align with these requirements.
DFARS
The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the FAR administered by the Department of Defense. Any non-federal organization that stores, processes, or transmits Controlled Unclassified Information (CUI) (aka Covered Defense Information, CDI) is required to follow the rules of DFARS. The DOJ is strictly enforcing compliance via the False Claims Act.
DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
- Must follow DFARS 252.239-7010 and meet cloud computing security requirements if using cloud services
- Must follow incident response and reporting requirements
- Must meet all requirements in NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)
- 110 controls in 14 control families
- Includes System Security Plan (SSP) and Plan of Action & Milestones (POAM)
DFARS 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements
- Defines the assessment methodology and requirements for NIST SP 800-171
- Basic assessments require only a self-assessment and summary score submitted to the Supplier Performance Risk System (SPRS)
- Medium and High assessments also require review by DoD personnel using NIST SP 800-171A
DFARS 252.204-7021 – Cybersecurity Maturity Model Certification Requirements
- Must have current CMMC certificate at the CMMC level required by the contract and maintain for duration of the contract
- CMMC 1.0 Level 1 / CMMC 2.0 Level 1 – Basic safeguarding of FCI (FAR 52.204-21)
- CMMC 1.0 Level 3 / CMMC 2.0 Level 2 – Safeguarding of CUI (DFARS 252.204-7012 / NIST SP 800-171)
- CMMC 1.0 Level 5 / CMMC 2.0 Level 3 – Full 171 practices across 17 domains
Consult with the Research Cyber Infrastructure Center (RCIC) on options for a DoD compliant environment.
NSPM-33
National Security Presidential Memorandum 33 (NSPM-33) requires all federal research funding agencies to strengthen and standardize disclosure requirements for federally funded awards. It also requires research organizations awarded more than $50 million per year in total Federal research funding to certify that they have implemented a research security program that includes four elements: cybersecurity, foreign travel security, research security training, and export control training.
NSPM-33 Implementation Guidance defines the cybersecurity requirements of the research security program in subsection 6 on page 20.
- 14 requirements, 12 overlap with FAR 52.204-21 with 2 additional (cybersecurity awareness training, protection of data from ransomware)
Office of Research has published UCI Research Security Program guidance.
CJIS
The Criminal Justice Information Services (CJIS) Division of the US Federal Bureau of Investigation (FBI) gives state, local, and federal law enforcement and criminal justice agencies access to criminal justice information (CJI). Those agencies must ensure that the transmission, storage, or processing of CJI complies with the CJIS Security Policy.
UC IS-3
All research data must also comply with all UC IS-3 policy requirements. This includes the proper classification of data, ensuring that P3/P4 assets are recorded in the Protected Data & Systems Inventory (PDSI), and ensuring that all applicable controls from the UCI Information Security Standard (ISS) are implemented.