Embedded Files
May 1, 2025 Edition of Ask the Assessor: Navigating Policy Hierarchies in Support of Compliance
Purdue University mapped out the processes involved with their CUI researchers, from a unit ownership area. This helped all the roles involved see where hand-offs were happening and do local process improvement.
Downloadable Deliverables:
Usable Templates:
SSP
Supporting Controlled Unclassified Information with a Campus Awareness and Risk Management Framework
The Purdue CUI framework integrates NIST SP 800-171 and other related NIST publications as the foundation of the framework. This framework serves as a standard for campus IT to align with security regulations and best practices, and create a single process for intake, contracting, and facilitate easy mapping of controlled research to CI resources for the sponsored programs office, human subjects office, and export control office. The framework allows researchers to experience faster intake of new funded projects and be more competitive for research dollars. Using student-developed training materials and instruction, researchers, administrators, and campus IT are now able to more clearly understand previously complicated data security regulations affecting research projects. The ecosystem developed from this project enables new partnerships with government agencies, and industry partners from the defense, aerospace, and life science sectors. Experiences and best practices in providing cyberinfrastructure and security awareness developed from this collaboration are documented and shared with the broader CI and campus community through conferences, journals and workshop.
Controlled Research Program Guide
1. Define Your Program
Policy and Governance
Define the scope of your CUI research program
What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls as defined by applicable law, regulations, and government-wide policies.
The regulations and safeguards apply if you, possess, use, share, or receive CUI or operate, use, or have access to Federal information and information systems on behalf of an agency.
Storing and Processing CUI
Determine how you will receive or generate CUI
Determine how you will process and store CUI
Determine who needs to access to CUI
Determine how you share research results with sponsors securely
Review Your Workflows
What type of office space do you have for controlled research, will you need to separate research teams so you can guard against shoulder surfing, and screen orientation?
Are you going to use controlled software, can you use shared systems?
Determine how you share research results with sponsors securely
Are you working with a project team at another university, how will this change your workflows?
Who is going to help you stay secure and compliant, do you need help?
How are you capturing or generating data currently, will this change?
How will you deal with a controlled thesis submission process?
Helpful Tips:
CUI is not classified information.
CUI Basic requires the baseline handling and dissemination controls.
CUI Specified the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic.
Your normal cyberinfrastructure may not be authorized to host or process CUI. Contact your Regulatory Office or Research Computing.
Specific security controls are required when safeguarding CUI within scope of clause 52.204.7012, this includes practices and processes in the newer model CMMC.
If you are using a secure drop site, ensure the service is authorized to store CUI.
There could be staff restrictions, U.S Persons only, for example.
With controlled research project, using personally owned equipment is not recommended, consider utilizing central facilities for research computing or data storage. Have IT provide managed laptops or desktops. Include this in your budget request if possible.
It's important to consider the potential for meetings to be overheard consider finding a private meeting space.
If using teleconferencing, select an approved service. Work with your regulatory or security office.
On your own? TrustedCI has resources to help.
2. Define Roles
Policy and Governance
Define Security and Compliance Roles for your Research Program
Research Team
Define an oversight role on your project team to ensure the compliance and security requirements you own are maintained throughout the lifecycle of the project. This should be given to people with leadership roles within the project. Create a partnership with your IT, Regulator and Security offices. This will help reduce work related to compliance and security activities by allowing for effective communication with trusted parties.
Regulatory Oversight
Your institution regulatory office should be reviewing the following:
Publication Approvals
Restrictions on Participants
Dissemination Limits
Jurisdiction Review (EAR v. ITAR)
Technology Review
Foreign Sponsors
Researcher's Roles In Cybersecurity
Protection
Protect People’s Privacy
Protect Research Data
Protect Systems, Update Software
Detection
Look for Insider Threat
Look for Malicious System activity using Antivirus
Use Approved Networks
Mitigation
Reduce incidents by using the defined processes
Report IT security incidents promptly
Reduce risk by keeping systems up to date
Institution's Role in Cybersecurity
Protection
Security Awareness Program
Data Security Plans
Automated System Updates
Detection
Have an Insider Threat Program
Alert on Malicious Activity
Centralized Event Logging
Mitigation
Annual Regulatory Review
Incident Response Policy and Procedures
Track Risk
Helpful Tips:
In some cases only U.S. Persons can access data. Your regulator office would inform you of the requirement.
Plan to update your IT systems regularly
Plan to train staff on compliance and security requirements
Plan to manage whole disk encryption
Plan to maintain Technology Control Plans and additional documentation
Plan to manage authorization to resources
Contract review is a key component to identify controlled research via specific contracting terms.
Technology Control Plans, or System Security Plans could be required when working with CUI.
Most institutions have required compliance training for staff on controlled research projects. This could be required before you begin your research activities.
Cybersecurity incidents within scope of DFARS 52.204.7012 must be reported to the DoD within 72 hours
The Department of Homeland Security National Cybersecurity and Communications Integration Center advises that “insider threats, to include sabotage, theft, espionage, fraud, and competitive advantage are often carried out through abusing access rights, theft of materials, and mishandling physical devices.” Learn More.
Updating systems has the biggest positive impact on your cybersecurity posture. Delegate this process to IT.
There are specific cybersecurity Incident reporting requirements for data within scope of DFARS 52.204.7012
Updating systems has the biggest negative impact on research when it is done incorrectly. IT must understand the research process before updating.
Complex research systems with fast data transfer requirements may have performance issues when located behind a network firewall. Use a Science DMZ.
Keeping systems current in research is a challenge all institutions are facing. Use risk management to reduce impact.
3. Review the Regulations
Policy and Governance
Policy and Regulatory Review
Laws, U.S. Codes and Regulation
There are many laws, U.S codes and regulations specific to each CUI type.
Develop a partnership with your Regulator Office, they are the experts. Start this process as early as possible.
This will help reduce delays in your research activities, and help you manage any additional budget requirements.
Institutional Policy
Institutional policies will apply alongside regulatory requirements. Dedicate time to read the policies and / or take training.
Apply the knowledge to the processes protecting your program. This makes it easier to maintain compliance overtime.
Work with your Regulatory Office, or Security and Policy Office to determine how a policy applies to your CUI research program.
Helpful Tips:
Executive Order 13556 , established a CUI program.
32 CFR Part 2002, established CUI policy for agencies
DFARS 252.204-7012, established the requirements for safeguarding CUI and the cyber incident reporting for the DoD
NIST SP 800-171 is the current standard used to defined the required safeguard for CUI. This standard will be combined with the Cybersecurity Maturity Model Certification starting in 2023 for the DoD contracts.
The institution should map policies to regulatory requirements and address gaps. This is out of scope for an individual researcher.
At a minimum, researchers should review the Acceptable Use Policy and the Incident Response Policy.
Try to use the existing institutional policy instead of creating policies from scratch. You won’t have to maintain the policies over time, just the processes related to the policies.
When is doubt, work with your institution to determine what policies are important.
4. Common Language
Policy and Governance
Use Common Language
CUI Tools
When working with Controlled Unclassified Information (CUI), you will be introduced to new terms, definitions and categories. The National Archives provides the information needed to learn the new concepts. Learning common terms will help you communicate to your regulatory office.
Identifying and Marking CUI
The DoD office or agency is responsible for identifying CUI.
Look for DFARS clause 52.204.7012 in your contracts or Grants. If included, determine if you are receiving or generating CUI. It is possible you won’t receive, generate or access CUI. This could be Fundamental Research.
If you create CUI think about your responsibility for identifying and marking CUI when applicable.
Helpful Tips:
Need to lookup a term related to Controlled Unclassified Information, use the Glossary
Need to lookup a Controlled Unclassified Information Category, use the CUI Registry
Need to read about the latest information, use the ISSO Blog
Need to read about the cybersecurity terms, use DFARS-252-204-7012
Want to learn more about marking, see “Introduction to Marking”
Previous research data published to the public domain is not considered CUI if you use it in new research projects covered by DFARS clause 52.204.7012. New results could be covered.
Think about when the data may be covered by the contract and considered CUI. Example, raw measurements may not be CUI until they are contextualized.
5. Categorize Information
Security and Compliance
Categorize Information
Access to Systems and Data
Determine the type of access level required for your research team before access is granted.
Create clear data boundaries between public, sensitive, and restricted research data.
Access Levels to Consider:
Access to Fundamental Research
Access to Sensitive Research
Access to Restricted Research
Access to Export Controlled Research
Access to Classified Research
Organize Access to Data
Take time to think about organizing data in a way to ensure only authorized individuals have access. This will be your data boundary. IT will help you understand when your data becomes in scope of a given regulation.
Keep controlled research data separated from open research data.
Some data may have marking requirements.
Helpful Tips:
There could be restrictions too
U.S Persons Only for access to the systems or data.
Be sure to include any paper copies in your planning.
Planning now reduces the risk to you and your project team.
Want to learn more about marking CUI, see “Introduction to Marking”
Think about who needs access and how long.
Don’t accept regulated data without the proper approvals.
Keep the process as simple as possible.
VeraCrypt can be used to create an encrypted container to help protect your data
Check out 5 Data Boundary Concepts
Multiple Projects
Open Data Source as Input
Open and Controlled Projects
Noncontextualized
Shared Equipment
6. Practices and Processes
Security and Compliance
Security Practices and Processes
Risk Assessments
Work with your Security Office to perform a security risk assessment for new and existing projects.
Prioritize your risk and document the process.
Review Risk Assessments at least yearly to ensure the reports stay current.
Manage risk, this includes accepted, unaccepted and risk with a temporary mitigation in place.
Cybersecurity Baseline for FCI
Federal Contract Information (FCI) has special cybersecurity requirements defined in FAR 52.204-21.
Review required safeguards to ensure the are performed. The requirements are basic cybersecurity protections. If your data is meant to be private and protected the safeguards should already be performed for your research programs.
You should have documented procedures to ensure the security controls are performed. Work with your IT department if you have managed systems.
Technology Control Plan (TCP) for Export Control (ITAR,EAR,OFAC)
A TCP is a plan to provide clear guidelines and controls deemed necessary to safeguard controlled technical data, information or equipment that is subject to export control regulations. Your institution should have a process for creating and or reviewing TCPs. Contact your regulatory office for more details.
There are several different export control regulations, but the 3 most likely to impact university activity are those of the State Department (ITAR), the Commerce Department (EAR), and the Treasury Department (OFAC). The following activities could be in scope:
Performing Controlled or Proprietary Research
Performing Research Outside the United States
Traveling Outside the United States
Presenting at Conferences Outside the United States
Hosting International Visitors
Shipping Equipment, Software or Technical Information Internationally
Engaging in international Collaborations or Partnerships
Paying someone in another country for items or services
Advising Students from Countries subject to U.S. comprehensive sanctions
Technology Control Baseline
A Technology Control Plan should address:
Authorized personnel
Dissemination and publication rules (including how to handled student theses that may result from the controlled research)
Physical security
Information technology security
Plans should be signed, by at least the Principal Investigator and the projects team. It is good to have Department Heads and representatives from your regulatory offices to sign as well.
To keep the TCP current, amend the document for:
Significant changes to the scope or project plan
Personnel additions or deletions
IT hardware additions or deletions
IT storage or software changes
Physical location (office or lab additions or change)
Significant changes to the physical security
Change to student thesis/dissertation committee or new plan of study submission.
Cybersecurity Baseline for CUI
The publication and supplemental material can be found at the 800-171 Re.2 publication.
800-171 Rev.2 provides the security requirements for protecting CUI when the information resides on nonfederal systems. All requirements in 800-171 Rev.2 must be addressed.
A system security plan (SSP) must be created and maintained. Review the plan at least yearly. Update the plan when changes arise to the protections or infrastructure. Use a change management process to help monitor changes and to record risk.
Exceptions or deficiencies to the security requirements are managed using a plans of action. This document helps you manage risk, don’t use it as a supplement to implementing controls
Self attest to compliance. 800-171A provides assessment procedures and a methodology for conducting assessments of the CUI security.
To meet compliance you will need to work with your institution, start with your security and policy offices along with your regulatory offices.
System Security Plan (SSP) for CUI
The goals for a System Security Plan:
Record system categorization
Define owners for the data, system and security.
Provide a genal description and purpose for the system.
Describe the environment
Hardware components
Software components
Maintenance Options
Status of the required security controls.
Implemented
Planned to be implemented
Variance to the original control
Diagrams:
System Boundaries
System Interconnections
Key Devices
Network Boundaries
Data Flow
Additional Plans to Consider
Have a plan to deal with publication restrictions or to track approvals.
Have a plan to deal with potential shipping restrictions.
If you have CUI specified there could be additional handling controls outlined by an agencies that differ from those for CUI Basic.
Configuration Management
Create or adopt a change management process, meet regularly and record and track changes to:
Information Systems
Installed software
Process Workflows
User Permissions
Data Sharing
Adjust the System Security Plan as needed.
Helpful Tips:
SP 800-30 v1 (September 2012) provides a guide for Risk Management.
SP 800-39 v1 provides a guide for organization-wide Risk Management.
TrustedCI provides supporting documentation.
Make sure you have a risk management policy.
FAR 52.204-21 is in scope when included as clause in a contract to develop or deliver a product or service to the Government.
FCI would include Information provided by or generated by the Government.
FCI is not intended for public release excluding information already provided by the Government to the public. Example: Information on a public website.
This is the starting point for cybersecurity requirements when working with the Government, start planning to ensure these requirements are in place.
Export control regulations apply to technical information as well as physical items — and when controlled information is given to a Foreign Person it's considered to be an export to that person's country, even if it happens in the US, even if it happens on a university campus.
If you collaborate with people in other countries, your emails are exports. When you travel, you're exporting everything you take with you. And, of course, you're exporting when you ship an item outside the US. These could all lead to export control violations with consequences for you and for your institution.
Don't Discuss non-public domain technology with foreign companies and foreign nationals.
Export control regulations apply to technical information as well as physical items — and when controlled information is given to a Foreign Person it's considered to be an export to that person's country, even if it happens in the US, even if it happens on a university campus.
If you collaborate with people in other countries, your emails are exports. When you travel, you're exporting everything you take with you. And, of course, you're exporting when you ship an item outside the US. These could all lead to export control violations with consequences for you and for your institution.
Don’t discuss non-public domain technology with foreign companies and foreign nationals.
DFARS 252.204-7012 could be included as clause in a contract to develop or deliver a product or service to the Government.
The security requirements contained in 800-171 Rev.2 are only applicable to a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.
The requirements apply only to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
A template for an SSP is provided by NIST for 800-171 as supplement material.
3.12.4 in NIST 800-171 covers the requirement to create and maintain a System Security Plan.
Update the plan when major changes are implemented. Audit the plan at least yearly.
It is good practice to collect a signature within the document from the data, system, and security owners.
Reminder: Every international shipment is an export and is subject to US export control laws.
US law restricts the shipment of some materials to certain individuals, institutions, and countries and for certain end uses.
A contract may have a publication or dissemination restriction. Ensure you understand the restrictions.
Use a program like a ticketing system to submit, track and approve or decline changes. Stick to the process, and requires security reviews for major architecture changes.
Some controlled software may have regulation restrictions, use you change management process to review the software prior to installation to ensure compliance.
SP 800-128 provides a detailed methodology for management of information systems that is suited for larger projects.
7. Implement Security Controls
Security and Compliance
Install Security Requirements
Install Security Controls
Implement security controls outlined in your System Security Plan. Amend Security Plan if the controls change.
Communicate milestones to your project team, researchers, regulatory office and IT teams.
Helpful Tips:
You will need to adjust your System Security Plan ensure you use your change management process to track changes.
It is key to conduct new security reviews if you have major changes to the plan.
When making changes, ensure you are following your organization’s and the changes still meet regulatory requirements.
8. Test Security Controls
Security and Compliance
Test Security Requirements
Testing
Test the security and compliance controls prior to go live.
Create a security report outlining any findings.
Adjust any findings or determine if its safe to operate. Add the remaining findings to risk assessment or adjust the Security Plan.
Helpful Tips:
Use automated tools when possible and setup repeatable processes.
Test controls using privilege and unprivileged access.
Add changes to your System Security Plan or POAM.
9. Conduct Training
Security and Compliance
Conduct Training
Training Options and Ideas
Conduct in person training for new complex and high-risk projects. Use online as the project continues.
Review past security and compliance incidents for new training opportunities.
Ensure to budget for training.
Helpful Tips:
Training will be required by many regulations, find ways to make it engaging.
For large groups you will need a tool to automate the process.
Add a Tabletop exercise as a training option.
Conduct communications based on immediate risk as a method of training.
10. Stay Compliant
Security and Compliance
Mature the Program - Program Growth
Continue to work with all stakeholders to mature your practices and processes by identifying gaps and documenting gaps.
Ensure you strengthen the governance program by review the gaps and ensure you document the final response for future reference.
Staying Compliant
Systems, environments, and priorities will change, and this is important to provide appropriate growth. It is not up to one person to ensure compliance; all stakeholder are part of the process.
If you don’t have a strong governance model and buy in form senior leaders, staying compliant could be a struggle.
Helpful Tips:
You will have competing priorities overtime; ensure you have honest and open conversations often.
Ensure you have a governance process that allows each stakeholder to have a vote but does not paralyze the process.
Has senior leaders change ensure they have an overview of the practice and process to help with the transition.
Many new regulations are requiring you to continually monitor your security controls to lower your risk of falling out of compliance and to ensure security controls are operational. This action requires established processes, practices and staff resources.
800-171 A provides a guide to assessing your 800-171 controls.
Documentation is a big part of staying compliant, ensure you have resources dedicated to this task.
Page updated
Google Sites
Report abuse