The full report is available at the EDUCAUSE Cybersecurity Resources page at https://library.educause.edu/resources/2021/7/higher-education-regulated-research-workshop-series-a-collective-perspective
This page was taken from previous work through Purdue University and NSF #1840043, Supporting Controlled Unclassified Information with a Campus Awareness and Risk Management Framework.
Higher Education Regulated Research Workshop Series: A Collective Perspective
After an eight-month effort concluding in June of 2021, 155 participants from 84 research institutions from across the United States gathered for six facilitated, NSF-sponsored workshop sessions to determine if coming together as a community could improve the support of individual programs to secure regulated data in research involving the Department of Defense or health sciences.
The report represents the collective perspective of those who participated in the workshop series and the efforts of volunteer authors who helped put it together. The primary aim of the document is to identify challenges, share best practices, and provide recommendations to the community on how to handle regulated research data on campus.
The report was co-authored by contributors from Purdue University, Duke University, University of Florida, Indiana University, Case Western Reserve University, University of Central Florida, Clemson University, Georgia Institute of Technology, and University of South Carolina.
The 2020 Workshop Series was supported by the National Science Foundation under Grant No. 1840043. Any opinions, recommendations, findings, or conclusions expressed are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Ownership and Roles
Content pulled from Cal Frye of Case Western Reserve University from the June 2nd, 2021 final workshop.
Some of this is new to researchers
Some researchers will be new to thinking about compliance
Compliance isn’t just about IT. Other departments have a role.
First, identify what roles will come into play in your program, and who fills those roles.
Find a sponsor
Each institution may look very different
Identify Roles
Academic and Administrative leadership should all be on board
IT or Research Computing support building compliant environments
Finance, Grants and Contracts, both support the project and can apply brakes
Institutional Risk and Internal Audit help evaluate your progress to the goal
Training and Education are essential; this doesn’t come naturally to researchers
Research Administration already hosts similar processes and responsibilities
Your Institutional Review Board can be a model
Identify Ownership
Your organization does not look like mine. Adjust accordingly.
“I pay for it, I own it” can work, but may not be the best choice.
Information Security may be best equipped to take ownership, if you don’t have dedicated compliance resources.
Compliance or Risk Management may be suited for ownership.
Internal Audit could own it, but are better left to assess the results.
Research Administration may be best-received by the researchers as owners.
Assemble and Organize Your Team
Expect the makeup of your program team to change as it matures.
The implementation phase may require different offices and members than operation.
An independent program manager may be quite useful. This could be a consultant.
Once in operation, bringing larger labs into compliance may also be best treated as formal projects with designated managers to steer toward success.
Attend to communications with offices outside the team. Report often.
Considerations
Do your offices work together well enough to be successful?
Is there a champion among senior leadership to instill a sense of purpose?
Does your intended process owner have authority to make decisions?
Have you defined roles and responsibilities clearly enough?
Do your offices each take ownership of their portion of the task?
The ultimate success is when your researchers can easily obtain the grants, do the work, run their labs, and publish their results. They are responsible for compliance success. How do you best help them achieve the goal?
Financial and Cost Models
Content pulled from Henry Glaspie of University of Central Florida from the June 2nd, 2021 final workshop.
Ownership & Governance
Senior Level Involvement
Budget
Policies
Strategic Planning
Working Group
Knowledge of the research
Research administration
IT Support
Information Security
Gather the Evidence
How much of this research do you do?
Return on investment
SMEs
What is coming?
Examine the Evidence
What are you trying to achieve?
What is your current state of compliance?
What are your cost drivers?
Personnel
Hardware
Software/Supporting Applications
Cloud services/MSP
Distributed vs Centralized IT
The Intersections
Centralized vs Decentralized IT
On-premise enclaves
One or many
Cloud Enclaves
One or many
Vendors/Business Partners
Cost Recovery
Challenges (just to name a few)
Sustainability
Project Budgeting
Use of existing resources
Licensing
Physical security
Remote work
Training and Education
Content pulled from Kathy Riley of Clemson University from the June 2nd, 2021 final workshop.
Training Objectives (who and what)
Everyone: General CUI awareness along with specific responsibilities.
Research Team: System security and technology control requirements, incident response, how to use secure systems
Contract Officers: How to identify contract clauses for CUI
Grant Administrators: Overview of security requirements
IT Support: NIST 800-171 compliance requirements, incident reporting
Export Control & Research Security: NIST 800-171 overview, incident reporting
Internal Audit: DFARS and NIST 800-171 requirements
Gathering Information
Partner with internal and external stakeholders.
Refresh training material as policies, procedures, security controls, and responsibilities evolve.
Evaluate effectiveness of training by conducting surveys or follow-up discussions.
Determine how to develop basic guidelines for CUI markings and other requirements that apply to specific roles.
Provide technical training to assist with audits/assessments, and with security control discussions using non-technical language.
Provide tools to assist with assessments
Training Resources
National Archives and Records Administration (NARA) – CUI Registry
Center for Development of Security Excellence (CDSE) – DoD CUI Program
DoD Cyber Awareness Challenge with Insider Threat information
Delivery Opportunities
Leverage IRB training, new faculty orientation, sponsored program newsletters, information security awareness programs, department meetings, and campus publications.
Conduct in-person training, which can enhance effectiveness beyond online training materials.
Include CUI with Information Security Awareness and other compliance training.
Consider augmenting annual training with just-in-time training, which could include short online training segments about specific topics.
Peer Practices
Utilizing a learning management system (LMS) for on-line training courses.
Track course enrollments and completion dates.
Develop customized courses using government website information.
Establish an annual requirement for on-line training.
Offer semesterly workshops targeting the University’s research community and include guest speakers from federal partners such as DCSA, DHS, FBI.
Include research information in a Data Governance program.
Engage third-party subject matter expert to assist with course development.
Use the CDSE CUI training and have individuals submit certificates
Challenges
Auditing
Content pulled from Anurag Shankar of Indiana University from the June 2nd, 2021 final workshop.
In compliance, proving due diligence and readiness for external audits requires auditing and documenting the controls one has in place. This includes, e.g., system access, anomalies, log analysis, training records, documentation reviews, and more.
Identify Ownership
Establish institutional audit process ownership and governance.
Consider having the Office of Research as the owner and ISO and Compliance as principal agents and liaison to the Office of Research (or another process owner).
Decide who makes remediation decisions for any gaps found.
Manage the Audit Process
Use network segmentation to limit the scope of the audit, especially if on-prem.
Create a central document repository.
Document the audit process. Create a checklist of process steps for various stakeholders, e.g., those who gather evidence.
Automate as much as possible. For example, use scripts to collect the audit information.
Group related audits together (e.g., by compliance regime).
Use pre-audits to prepare for external audits. Leverage Internal Audit.
Use the audits as an opportunity to organize and update documentation.
Standardize documentation, as HECVAT has done for third-party assessments (3PAs). However, some audits, for instance CMMC audits, may also sample randomly, since the auditors are being asked to examine, test, and interview.
Shift from focusing on (annual) audits toward continuous monitoring/assessment. Use the FedRAMP provided continuous monitoring plan template as a guide.
Bake in auditing from the get go when building research solutions.
Budget for pre-assessments. Keep in mind that pre-assessments are not a recoverable expense in CMMC, only the certification.
Gather and Organize Evidence
Leverage existing resources, for instance Internal Audit.
Make external audits easy for auditors, remembering that they often charge by the hour. This can be done by following the control framework's own audit guidance (e.g., NIST SP 800-171A) to set the format of reports and data, since auditors often use the same documents to perform their audits. Store all documents in a single, auditor-ready digital document repository.
Document where each control is applied and how it is audited.
Create an index that points to the documentation (policies/standards/processes/procedures) created for each requirement. Each paragraph in those documents should identify the requirement for which they are written.
Add researchers’ data security plans to the document repository.
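One way to build the requirement index described above, as an added example that is not part of the workshop report or any institution's tooling: it assumes a hypothetical convention in which every paragraph of a policy or procedure document opens with the NIST SP 800-171 requirement number(s) it satisfies in square brackets, e.g. "[3.1.1]". The requirement numbers are real 800-171 identifiers; the document texts and the list of claimed requirements are constructed for the example. The script hashes each document (so the index can double as an integrity manifest for the repository), maps every requirement to the paragraphs that address it, reports untagged paragraphs, and lists claimed requirements that no document supports.

```python
"""Build an auditor-ready index from a documentation repository.

Added example, not the report's code. Assumes (hypothetically) that each
paragraph begins with the 800-171 requirement number(s) it implements,
in square brackets, e.g. "[3.1.1]" or "[3.3.1][3.3.2]".
"""
import hashlib
import json
import re
from collections import defaultdict

# Constructed sample repository: path -> document text.
REPOSITORY = {
    "policies/access-control.md": (
        "[3.1.1] Access to the enclave is limited to accounts provisioned through\n"
        "the research security office after CUI training is verified.\n"
        "\n"
        "[3.1.2] Enclave accounts are authorized only for the functions listed in\n"
        "the researcher's data security plan.\n"
        "\n"
        "[3.1.8] Accounts lock after five consecutive failed logon attempts.\n"
    ),
    "procedures/audit-logging.md": (
        "[3.3.1][3.3.2] Windows Security and Sysmon events are forwarded to the\n"
        "SIEM, where every action is attributable to an individual account.\n"
        "\n"
        "Forwarded events are retained for one year. (Constructed to be untagged\n"
        "so that the index reports it.)\n"
    ),
}

# Constructed subset of requirements the program claims to implement.
CLAIMED_REQUIREMENTS = ["3.1.1", "3.1.2", "3.1.8", "3.3.1", "3.3.2", "3.5.7"]

# One or more "[x.y.z]" tags at the start of a paragraph.
TAG_RE = re.compile(r"^((?:\[\d+\.\d+\.\d+\])+)")


def build_index(repository):
    """Return (index, untagged): index maps requirement -> evidence records,
    untagged lists (path, paragraph number) pairs that carry no tag."""
    index = defaultdict(list)
    untagged = []
    for path, text in repository.items():
        digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
        paragraphs = [p.strip() for p in re.split(r"\n\s*\n", text) if p.strip()]
        for number, paragraph in enumerate(paragraphs, start=1):
            match = TAG_RE.match(paragraph)
            if not match:
                untagged.append((path, number))
                continue
            for requirement in re.findall(r"\d+\.\d+\.\d+", match.group(1)):
                index[requirement].append(
                    {"document": path, "paragraph": number, "sha256": digest}
                )
    return dict(index), untagged


def coverage_gaps(index, claimed):
    """Claimed requirements with no paragraph pointing at them."""
    return [requirement for requirement in claimed if requirement not in index]


def main():
    index, untagged = build_index(REPOSITORY)
    print(json.dumps(index, indent=2, sort_keys=True))
    for path, number in untagged:
        print(f"UNTAGGED: {path} paragraph {number}")
    for requirement in coverage_gaps(index, CLAIMED_REQUIREMENTS):
        print(f"NO EVIDENCE: {requirement}")


if __name__ == "__main__":
    main()
```

Run as-is it prints the index, flags the untagged retention paragraph, and reports 3.5.7 as claimed but undocumented; pointing REPOSITORY at the real document store (reading files from disk) is the only change needed to use it on a live repository.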
Leverage and Empower the Community
Explore peer assessments to prepare for audits and to share learning across the community. Ask others with CUI compliance programs to audit you. There is also a REN-ISAC peer assessment service.
Share or have peers share audit experiences since this information is highly useful to the community.
Use the Slack HigherEdCUI and RSOC-CSR lists. EDUCAUSE and REN-ISAC also have CUI lists.
Share any locally developed templates with the community.
Share lessons learned when CMMC audits start. This will help us hold C3PAOs to a single standard.
DoD is developing automated mechanisms for continuous monitoring, which it may also introduce into the CMMC process. Use the power of community to keep the process sane if implemented.
Peer Practices
Strategy
Building cloud enclaves, e.g., in AWS GovCloud/AWS.
Process
Interviewing researchers/IT professionals to discover their processes and procedures, documentation.
Creating SSPs, system inventories and personnel lists.
Reviewing 800-171 requirements, e.g., FIPS 140-2 encryption, strategizing on how to comply.
Auditing the current state of controls (implemented, partially implemented, incorrectly implemented, not implemented) using NIST 800-53. Documenting the controls in an SSP, assessing risk from improper, partial, or no implementation of each control, and crafting a risk response to each.
Addressing compliance with specific regulations (DFARS, HIPAA) by mapping them to 800-53.
Tools
Using PowerShell and other scripts to audit technical controls.
Looking at CSET (cybersecurity evaluation tool): https://us-cert.cisa.gov/ics/Downloading-and-Installing-CSET
Using a SIEM to check against specific control sets and vulnerability scanning to cover the rest.
Implementing 800-171 through GPOs, firewall rules, configuration management (SCCM), log management and analysis.
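The peer practices above pair script-based auditing of technical controls with the implementation states listed under Process. The following is an added example, not the report's code or any institution's script, of what such an audit script can look like: it parses the INI-style output of `secedit /export` (the `[System Access]` key names are the real ones that export produces; the values are constructed) and grades three NIST SP 800-171 requirements as implemented, partially implemented, or not implemented. The numeric thresholds (14-character minimum, 24 remembered passwords, lockout at 10 or fewer attempts) are assumptions chosen for the example; 800-171 does not prescribe them, so take them from your own policy.

```python
"""Grade password and lockout settings against NIST SP 800-171.

Added example, not from the workshop report. Input is the text of a
`secedit /export /cfg <file>` export (on disk that file is UTF-16, so
read it with encoding="utf-16"); the sample below is constructed.
"""
import configparser

# Constructed export; only the keys the checks use are shown.
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 365
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""

REQUIREMENT_TITLES = {
    "3.1.8": "Limit unsuccessful logon attempts",
    "3.5.7": "Enforce a minimum password complexity and change of characters "
             "when new passwords are created",
    "3.5.8": "Prohibit password reuse for a specified number of generations",
}


def parse_secedit(text):
    """Return the [System Access] section as a dict of string values."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the export's key casing
    parser.read_string(text)
    return {key: value.strip().strip('"')
            for key, value in parser["System Access"].items()}


def setting(settings, key):
    """Integer value of a key; 0 when absent or non-numeric (secedit's
    own meaning of 0 for these keys is "disabled")."""
    try:
        return int(settings.get(key, "0"))
    except ValueError:
        return 0


# Thresholds below are example assumptions, not 800-171 mandates.
CHECKS = {
    "3.1.8": [
        ("lockout threshold is enabled", lambda s: setting(s, "LockoutBadCount") > 0),
        ("threshold is at most 10 attempts", lambda s: 0 < setting(s, "LockoutBadCount") <= 10),
    ],
    "3.5.7": [
        ("minimum length is at least 14", lambda s: setting(s, "MinimumPasswordLength") >= 14),
        ("complexity filter is enabled", lambda s: setting(s, "PasswordComplexity") == 1),
    ],
    "3.5.8": [
        ("password history is enforced", lambda s: setting(s, "PasswordHistorySize") > 0),
        ("history covers at least 24 generations", lambda s: setting(s, "PasswordHistorySize") >= 24),
    ],
}


def grade(results):
    """Map a list of pass/fail booleans to the workshop's control states."""
    passed = sum(1 for ok in results if ok)
    if results and passed == len(results):
        return "implemented"
    if passed == 0:
        return "not implemented"
    return "partially implemented"


def audit(export_text):
    """Return {requirement: {"state": ..., "findings": [(check, ok), ...]}}."""
    settings = parse_secedit(export_text)
    report = {}
    for requirement, checks in CHECKS.items():
        findings = [(description, bool(predicate(settings)))
                    for description, predicate in checks]
        report[requirement] = {
            "title": REQUIREMENT_TITLES[requirement],
            "state": grade([ok for _, ok in findings]),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for requirement, result in audit(SECEDIT_EXPORT).items():
        print(f"{requirement} {result['title']}: {result['state']}")
        for description, ok in result["findings"]:
            print(f"    [{'PASS' if ok else 'FAIL'}] {description}")
```

The per-check findings are what an assessor will ask for, so keep them alongside the state rather than collapsing to a single verdict; the same report structure can feed the SSP and the risk response for each partially or not implemented control.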
Challenges
Silos - each campus area has its own audit process, approach, or no auditing at all.
Lack of audit tools - forced to build one-offs, with no guidance or standard tools to audit controls.
Lack of Standardization - no standard checklists or a common audit process across the institution.
Difficulty of control interpretation - without understanding what a control means, it is difficult to audit it.
Legacy technologies - how to audit lab instruments with obsolete OS and software.