Cybersecurity and Research
Cybersecurity is of utmost importance when handling sensitive data. Often overlooked as being sensitive data is research data. Although the research may not involve the usual pieces of information that is considered sensitive, identifiable, or personal, the very nature of the research itself may be deemed as sensitive. Accordingly, research, especially when associated with a grant, contract, or data use agreement, must be safeguarded by implementing security requirements, often specified.
Sponsors often impose restrictions on personnel, access to data, or information sharing. These restrictions lead to classified or restricted research projects. These restrictions will have implications for setting up and managing the project, including data management impacts. If incorporated and awarded, federal regulation requires plans and metrics for restricted research projects which can include compliance requirements such as DFARS clause 252.204-7012, NIST 800-171, Homeland Security Presidential Directive 12 (HSPD-12), Federal Information Processing Standards (FIPS), and/or Federal Information Security Management Act (FISMA). These plans must be in place prior to accessing or creating restricted data and timeframes can be as little as 30 days after receipt of the award.
The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the U.S. Department of Defense as a standard of cybersecurity practices and requirements to ensure the protection of sensitive unclassified information. CMMC specifically protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC is associated with the following guidelines and clauses, which are identified as compliance requirements in the contract:
- NIST SP 800-171
- Federal Acquisition Regulation (FAR) Clause 52.204-21
- Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012
CMMC has 3 tiers: Level 1 - Foundational, Level 2 - Advanced, Level 3 - Expert. The type and sensitivity of data involved in the research will dictate the tier level and assessment requirements. The contract may also specify the CMMC level required to be achieved by a DoD contractor.
The CMMC level required will be the same if contractors and subcontractors are handling the same type of FCI and CUI data. If the prime contractor will only flow down select data to the subcontractor, a lower CMMC level may apply.
CMMC 2.0 is still being finalized. Once it is implemented, all organizations in contract with the DoD will be required to be certified at the appropriate CMMC tier/level.
CMMC at FIU
To ensure continued eligibility for DoD research projects, FIU is in the process of obtaining CMMC 2.0 certification. FIU plans to meet CMMC Level 2 - Advanced, which complies with NIST SP 800-171 and its 110 security requirements.
All research projects that involve Controlled Unclassified Information (CUI) will be stored within a secured enclave, specifically tailored to and governed by the requirements of CMMC Level 2 - Advanced. The secured enclave will also be the primary environment where project work will be performed.
CMMC compliance at FIU is shared effort between the Office of Research and Economic Development (ORED), the Division of Information Technology and the University Research Community. For questions related to CMMC compliance with a specific sponsored project, please reach out to the ORED Research Information System team at https://research.fiu.edu/ored/ris/.