2020 Community Workshops

Key Pillars of Regulated Research Programs

  1. Ownership & Roles

  2. Financial & Cost

  3. Training & Education

  4. Scoping

  5. Clarity on Controls

  6. Auditing


Download Full Report

The full report is available at the EDUCAUSE Cybersecurity Resources page at https://library.educause.edu/resources/2021/7/higher-education-regulated-research-workshop-series-a-collective-perspective

Community Report

This page was taken from previous work through Purdue University & NSF #1840043, Supporting Controlled Unclassified Information with a Campus Awareness and Risk Management Framework.

Higher Education Regulated Workshop Series: A Collective Perspective

After an eight-month effort concluding in June of 2021, 155 participants from 84 research institutions from across the United States gathered for six facilitated, NSF-sponsored workshop sessions to determine if coming together as a community could improve the support of individual programs to secure regulated data in research involving the Department of Defense or health sciences.

The report represents the collective perspective of those who participated in the workshop series and the efforts of volunteer authors who helped put it together. The primary aim of the document is to identify challenges, share best practices, and provide recommendations to the community on how to handle regulated research data on campus.

The report was co-authored by contributors from Purdue University, Duke University, University of Florida, Indiana University, Case Western Reserve University, University of Central Florida, Clemson University, Georgia Institute of Technology, and University of South Carolina.

*The 2020 Workshops Series were supported by the National Science Foundation under Grant No. 1840043. Any opinions, recommendations, findings, or conclusions expressed are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

Ownership and Roles

Content pulled from Cal Frye of Case Western Reserve University from the June 2nd, 2021 final workshop.

Ownership and Roles

    • Some of this is new to researchers

    • Some researchers will be new to thinking about compliance

    • Compliance isn’t just about IT. Other departments have a role

    • First, identify what roles will be part of your program, and who fills those roles

    • Find a sponsor

    • Each institution may look very different


Identify Roles

    • Academic and Administrative leadership should all be on board

    • IT or Research Computing support building compliant environments

    • Finance, Grants and Contracts, both support the project and can apply brakes

    • Institutional Risk and Internal Audit help evaluate your progress to the goal

    • Training and Education are essential; this doesn’t come naturally to researchers

    • Research Administration already hosts similar processes and responsibilities

    • Your Institutional Review Board can be a model


Identify Ownership

    • Your organization does not look like mine. Adjust accordingly.

    • “I pay for it, I own it” can work, but may not be the best choice.

    • Information Security may be best equipped to take ownership, if you don’t have dedicated compliance resources.

    • Compliance or Risk Management may be suited for ownership.

    • Internal Audit could own it, but are better left to assess the results.

    • Research Administration may be best-received by the researchers as owners.


Assemble and Organize Your Team

    • Expect the makeup of your program team to change as it matures.

    • The implementation phase may require different offices and members than operation.

    • An independent program manager may be quite useful. This could be a consultant.

    • Once in operation, bringing larger labs into compliance may also be best treated as formal projects with designated managers to steer toward success.

    • Attend to communications with offices outside the team. Report often.

Considerations

  • Do your offices work together well enough to be successful?

  • Is there a champion among senior leadership to instill a sense of purpose?

  • Does your intended process owner have authority to make decisions?

  • Have you defined roles and responsibilities clearly enough?

  • Do your offices each take ownership of their portion of the task?

The ultimate success is when your researchers can easily obtain the grants, do the work, run their labs, and publish their results. They are responsible for compliance success. How do you best help them achieve the goal?

Financial and Cost Models

Content pulled from Henry Glaspie of University of Central Florida from the June 2nd, 2021 final workshop.

Ownership & Governance

  • Senior Level Involvement

    • Budget

    • Policies

    • Strategic Planning

  • Working Group

    • Knowledge of the research

    • Research administration

    • IT Support

    • Information Security

Gather the Evidence

  • How much of this research do you do?

  • Return on investment

  • SMEs

  • What is coming?

Examine the Evidence

  • What are you trying to achieve?

  • What is your current state of compliance?

  • What are your cost drivers?

    • Personnel

    • Hardware

    • Software/Supporting Applications

  • Cloud services/MSP

  • Distributed vs Centralized IT

The Intersections

  • Centralized vs Decentralized IT

  • On-premise enclaves

    • One or many

  • Cloud Enclaves

    • One or many

  • Vendors/Business Partners

  • Cost Recovery

Challenges - just to name a few

  • Sustainability

  • Project Budgeting

  • Use of existing resources

  • Licensing

  • Physical security

  • Remote work

Training and Education

Content pulled from Kathy Riley of Clemson University from the June 2nd, 2021 final workshop.

Training Objectives (who and what)

  • Everyone: General CUI awareness along with specific responsibilities.

  • Research Team: System security and technology control requirements, incident response, how to use secure systems

  • Contract Officers: How to identify contract clauses for CUI

  • Grant Administrators: Overview of security requirements

  • IT Support: NIST 800-171 compliance requirements, incident reporting

  • Export Control & Research Security: NIST 800-171 overview, incident reporting

  • Internal Audit: DFARS and NIST 800-171 requirements

Gathering Information

  • Partner with internal and external stakeholders.

  • Refresh training material as policies, procedures, security controls, and responsibilities evolve.

  • Evaluate effectiveness of training by conducting surveys or follow-up discussions.

  • Determine how to develop basic guidelines for CUI markings and other requirements that apply to specific roles.

  • Provide technical training to assist with audits/assessments, and with security control discussions using non-technical language.

  • Provide tools to assist with assessments

Training Resources

Delivery Opportunities

  • Leverage IRB training, new faculty orientation, sponsored program newsletters, information security awareness programs, department meetings, and campus publications.

  • Conduct in-person training, which can enhance the effectiveness beyond on-line training materials.

  • Include CUI with Information Security Awareness and other compliance training.

  • Consider augmenting annual training with just-in-time training, which could include short online training segments about specific topics.

Peer Practices

  • Utilizing a learning management system (LMS) for on-line training courses.

  • Track course enrollments and completion dates.

  • Develop customized courses using government website information.

  • Establish an annual requirement for on-line training.

  • Offer semesterly workshops targeting the University’s research community and include guest speakers from federal partners such as DCSA, DHS, FBI.

  • Include research information in a Data Governance program.

  • Engage third-party subject matter expert to assist with course development.

  • Use the CDSE CUI training and have individuals submit certificates

Challenges

Auditing

Content pulled from Anurag Shankar of Indiana University from the June 2nd, 2021 final workshop.

In compliance, proving due diligence and readiness for external audits requires auditing and documenting the controls one has in place. This includes, e.g., system access, anomalies, log analysis, training records, documentation reviews, and more.

Identify Ownership

    • Establish institutional audit process ownership and governance.

    • Consider having the Office of Research as the owner and ISO and Compliance as principal agents and liaison to the Office of Research (or another process owner).

    • Decide who makes remediation decisions for any gaps found.

Manage the Audit Process

  • Use network segmentation to limit the scope of the audit, especially if on-prem.

  • Create a central document repository.

  • Document the audit process. Create a checklist of process steps for various stakeholders, e.g., those who gather evidence.

  • Automate as much as possible. For example, use scripts to collect the audit information.

  • Group related audits together (e.g., by compliance regime).

  • Use pre-audits to prepare for external audits. Leverage Internal Audit.

  • Use the audits as an opportunity to organize and update documentation.

  • Standardize documentation, as HECVAT has done for 3PAs. However, audits may also need to pull randomly, for instance CMMC audits, since the auditors are being asked to examine, test, and interview.

  • Shift from focusing on (annual) audits toward continuous monitoring/assessment. Use the FedRAMP provided continuous monitoring plan template as a guide.

  • Bake in auditing from the get-go when building research solutions.

  • Budget for pre-assessments. Keep in mind that pre-assessments are not a recoverable expense in CMMC, only the certification.


Gather and Organize Evidence

  • Leverage existing resources, for instance Internal Audit.

  • Make external audits easy for auditors, remembering that they often charge by the hour. This can be done by following control framework audit guidance (e.g., NIST SP 800-171A) to guide the format of reports and data. Auditors often use the same documents to perform their audits. Store all documents in a single, auditor-ready digital document repository.

  • Document where each control is applied and how it is audited.

  • Create an index that points to the documentation (policies/standards/processes/procedures) created for each requirement. Each paragraph in those documents should identify the requirement for which it is written.

  • Add researchers’ data security plans to the document repository.


Leverage and Empower the Community

  • Explore peer assessments to prepare for audits and to share learning across the community. Ask others with CUI compliance programs to audit you. There is also a REN-ISAC peer assessment service.

  • Share or have peers share audit experiences since this information is highly useful to the community.

  • Use the Slack HigherEdCUI and RSOC-CSR lists. EDUCAUSE and REN-ISAC also have CUI lists.

  • Share any locally developed templates with the community.

  • Share lessons learned when CMMC audits start. This will help us hold C3PAOs to a single standard.

  • DoD is developing automated mechanisms for continuous monitoring, which they may also introduce into the CMMC process. Use the power of community to keep the process sane if implemented.

Peer Practices

  • Strategy

    • Building cloud enclaves, e.g., in AWS GovCloud/AWS.

  • Process

    • Interviewing researchers/IT professionals to discover their processes, procedures, and documentation.

    • Creating SSPs, system inventories and personnel lists.

    • Reviewing 800-171 requirements, e.g., FIPS 140-2 encryption, strategizing on how to comply.

    • Auditing the current state of controls (implemented, partially implemented, incorrectly implemented, not implemented) using NIST 800-53. Documenting the controls into an SSP, assessing risk from improper, partial, or no implementation of each control, and crafting a risk response to each.

    • Addressing compliance with specific regulations (DFARS, HIPAA) by mapping them to 800-53.

  • Tools

    • Using PowerShell and other scripts to audit technical controls.

    • Looking at CSET (cybersecurity evaluation tool): https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET

    • Using a SIEM to check against specific control sets and vulnerability scanning to cover the rest.

    • Implementing 800-171 through GPOs, firewall rules, configuration management (SCCM), log management and analysis.
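As an added worked example (not from the workshop or any of the contributing institutions), the following Python script shows how the control index and the status audit described above can be kept in one structure: an inventory in which each requirement records its implementation state, the evidence documents that show where it is applied, and how it is audited. From that it builds the auditor-facing index, flags controls that cannot be demonstrated (claimed as implemented but with no evidence or audit method on file), checks that every in-scope requirement actually appears in the inventory, and produces a prioritised remediation list for the gaps. Requirement numbers follow NIST SP 800-171's numbering and the titles are abbreviated; the statuses, document names and audit methods are constructed sample data, and the function names are this example's own.

```python
"""Control inventory -> auditor-ready index and gap report.

Added example: one structure for the "document where each control is
applied and how it is audited" step. Statuses, document names and audit
methods below are constructed sample data, not any institution's records.
"""
from collections import Counter
from dataclasses import dataclass, field

# The four implementation states used when auditing current state of controls.
STATUSES = ("implemented", "partially implemented",
            "incorrectly implemented", "not implemented")

# Remediation priority for the plan of action (higher is more urgent).
SEVERITY = {"not implemented": 3, "incorrectly implemented": 2, "partially implemented": 1}


@dataclass
class Control:
    requirement: str                     # NIST SP 800-171 requirement number
    title: str                           # abbreviated requirement text
    status: str                          # one of STATUSES
    evidence: list = field(default_factory=list)   # documents showing where it is applied
    audit_method: str = ""               # how it is checked: script, SIEM report, interview...

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"{self.requirement}: unknown status {self.status!r}")


# Constructed sample inventory (hypothetical statuses and file names).
INVENTORY = [
    Control("3.1.1", "Limit system access to authorized users", "implemented",
            ["AccessControlPolicy.pdf#sec2", "ad-group-export.csv"],
            "script: export enclave group membership"),
    Control("3.3.1", "Create and retain system audit logs", "partially implemented",
            ["LoggingStandard.pdf#sec4"], "SIEM retention report"),
    Control("3.5.3", "Use multifactor authentication", "implemented"),   # claimed, nothing on file
    Control("3.13.11", "Employ FIPS-validated cryptography", "incorrectly implemented",
            ["CryptoStandard.pdf#sec1"], "script: check cipher configuration"),
    Control("3.14.1", "Identify and correct system flaws", "not implemented"),
]


def evidence_index(controls):
    """Requirement -> evidence documents: the index the auditor is handed."""
    return {c.requirement: list(c.evidence) for c in controls}


def findings(controls):
    """Everything that needs a remediation decision, as (requirement, reason) pairs.

    A control marked implemented but with no evidence or no audit method is a
    finding too: as it stands it cannot be demonstrated to an assessor.
    """
    out = []
    for c in controls:
        if c.status != "implemented":
            out.append((c.requirement, f"status: {c.status}"))
        if not c.evidence:
            out.append((c.requirement, "no evidence document on file"))
        if not c.audit_method:
            out.append((c.requirement, "no audit method recorded"))
    return out


def missing_from_inventory(controls, required_ids):
    """In-scope requirements that the inventory does not mention at all."""
    present = {c.requirement for c in controls}
    return [r for r in required_ids if r not in present]


def status_summary(controls):
    """Count of controls per implementation state, for the SSP roll-up."""
    return dict(Counter(c.status for c in controls))


def plan_of_action(controls):
    """Controls not fully implemented, most urgent first."""
    rows = [(SEVERITY[c.status], c.requirement, c.status)
            for c in controls if c.status in SEVERITY]
    return [(req, status) for _, req, status in sorted(rows, reverse=True)]


if __name__ == "__main__":
    for req, reason in findings(INVENTORY):
        print(f"{req:8} {reason}")
    print("summary:", status_summary(INVENTORY))
    print("plan of action:", plan_of_action(INVENTORY))
```

The inventory is deliberately the single source for both the index and the gap list, so a control cannot be reported as implemented in the SSP while the evidence repository has nothing for it; the missing-from-inventory check is the scope test, run against the full list of requirements the contract places in scope.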

Challenges

  • Silos - each campus area has its own audit process, approach, or no auditing at all.

  • Lack of audit tools - forced to forge one-offs, no guidance or standard tools to audit controls.

  • Lack of Standardization - no standard checklists or a common audit process across the institution.

  • Difficulty of control interpretation - without understanding what a control means, it is difficult to audit it.

  • Legacy technologies - how to audit lab instruments with obsolete OS and software.