OIT Research and Compliance Information


Overview

Research today is deeply intertwined with information technology, with technologies directly supporting the research process. OIT is committed to serving the security needs of our campus researchers and to partnering, where possible, to advance discovery and innovation at UCCS.

As the cybersecurity landscape evolves, research is a direct target of intellectual property (IP) theft or misuse. Protecting research using cybersecurity best practices should be top of mind for those conducting research. Compliance requirements have become more stringent and more encompassing. The Department of Defense (DoD) and the United States federal government require Defense Federal Acquisition Regulation Supplement (DFARS) clauses and Cybersecurity Maturity Model Certification (CMMC), as written into awards, to protect Controlled Unclassified Information (CUI). This website is meant as a support resource for researchers on campus to help navigate these emerging requirements.

Who Can Help Support You?

Research Impact

For research activities that incorporate Controlled Unclassified Information (CUI) by reference (or through NIST 800-171r1 or DFARS 252.204-7012), the Office of Information Technology Security will need to conduct an additional review prior to award acceptance.

Review Process

Once OIT Security is notified of an agreement that may include the requirement to manage CUI, OIT Security will contact the PI or assigned representative to initiate the cybersecurity review. They will work in conjunction with the PI or assigned representative to identify the necessary security controls and plan their implementation. Once the review has been conducted, OIT Security will notify OCG whether the computing environment supporting the project will be compliant. At that point, OCG will finalize the review of the contract.

Getting Oriented

A cookbook for your research security needs and questions:

  • Research Security One Pagers
  • Decision Trees


Research Steps

What You Need to Know Before You Submit a Proposal

  • Before you submit, consult with OIT on your budget and on what to include in your proposal for compliance coverage.

Congratulations, You're Funded; Now What?

  • Meet with our OIT team to map out the research security plan.

Training for CUI

Training for CUI is provided by CDSE and the DoD. This training is free and provides a certificate upon completion. It is mandatory for DoD and government personnel handling CUI. The OIT Security Office highly recommends that researchers handling CUI take this course.

Privacy

Security

  • Acquisition and storage of equipment:
    • Do not buy equipment from eBay, as the integrity of the supply chain could have been compromised.
    • If the research contract falls under DFARS or ITAR, or will involve processing CUI data, please reach out to security@uccs.edu for specific guidance on buying compliant equipment for your research needs.

What is Export Control?

Export control regulations are federal laws that prohibit the unlicensed export of certain commodities or information for reasons of national security or protection of trade. Export controls usually arise for one or more of the following reasons:

  • The nature of the export has actual or potential military applications or economic protection issues.
  • Government concerns about the destination country, organization, or individual.
  • Government concerns about the declared or suspected end use or end user of the export.

The UCCS Export Control Officer can be reached at exportcontrol@uccs.edu. See also Export Control Definitions or Export Controls.

Government Compliance, Including STTR, SBIR and DoD

What is DFARS?

The main purpose of DFARS is to protect the confidentiality of Controlled Unclassified Information (CUI); its regulations apply to all DoD contractors and subcontractors.

What is ITAR?

ITAR (International Traffic in Arms Regulations) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

  • ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only.

What is NIST 800-171r2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)?

NIST 800-171 is a set of technical and non-technical controls and requirements for defense contractors and subcontractors on how to securely handle CUI data.

  • Publication for NIST 800-171r2
  • As of May 2024, NIST 800-171r3 has been released. However, the DoD has stated that it will continue to require compliance with NIST 800-171r2 for now.

What We Cannot Support

Although UCCS cannot support the architectural needs of an environment that properly secures CUI and certain DFARS export-controlled data, we will work with researchers on a case-by-case basis to help support their research goals.

Campus Wide and Campus Specific Policies:

Last updated May 2024

OIT and OSPRI CMMC 2.0 FAQ

Research here at UCCS is very important. We have partnered with CU Boulder to better serve the research community here at UCCS. This research architecture has been years in the making and will support research that handles Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2 Controlled Unclassified Information (CUI) and data subject to certain export control regulations. More information about the Boulder Preserve.

What is Fundamental Research? “Fundamental research means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons.” [National Security Decision Directive (NSDD) 189, National Policy on the Transfer of Scientific, Technical, and Engineering Information]

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) FAQs

The Office of the Under Secretary of Defense for Acquisition & Sustainment has a very informative website on Cybersecurity Maturity Model Certification.

If you need help understanding whether UCCS resources meet the standards imposed by the DoD CMMC, contact ospri@uccs.edu and security@uccs.edu.

Assessment and certification of cybersecurity measures, as required by the Department of Defense, is a requirement that we cannot meet at this time. We can, however, help assess your current level of security against many of the standards listed previously.

Only those parts of the institution conducting DoD-sponsored research under a contract, either as prime or subcontractor, must obtain CMMC certification at the level appropriate to the work they are doing for the DoD.

There is no exemption from CMMC for fundamental research.

At this time, there is no “enterprise level” CMMC certification, and therefore the cost to comply is not University-wide.

The DoD will cover the cost of CMMC certification as a direct cost per project. These costs can be built into a budget, with proper justification/back-up documentation.

UCCS currently has no architecture that can be certified. However, there are plans to utilize an architecture currently in development at another University of Colorado campus, which UCCS researchers will be able to use in the near future.

At this time, it is understood this will apply to DoD contract funding only.

There is a 72-hour window to report to security@uccs.edu, who will then report directly to the U.S. Defense Industrial Base. In the event of an incident on an SBIR or STTR award, the primary funder must report. When in doubt, immediately report the event to security@uccs.edu.