OIT Research and Compliance Information
Research today is deeply embedded in information technology, with technologies directly supporting the research process. OIT is committed to serving the security needs of our campus researchers and to partnering, where possible, to advance discovery and innovation at UCCS.
As the cybersecurity landscape evolves, research has become a direct target for intellectual property (IP) theft and misuse. Protecting research with cybersecurity best practices should be top of mind for those conducting it. Compliance requirements have also become more stringent and far-reaching. The Department of Defense (DoD) and the United States Federal government write Defense Federal Acquisition Regulation Supplement (DFARS) clauses and Cybersecurity Maturity Model Certification (CMMC) requirements into awards to protect Controlled Unclassified Information (CUI). This website is meant as a support resource for researchers on campus to help them navigate these emerging requirements.
Who Can Help Support You?
- firstname.lastname@example.org (OIT)
- email@example.com (compliance at OSP)
For research activities that incorporate Controlled Unclassified Information (CUI) by reference (or through NIST 800-171r1 or DFARS 252.204-7012), the Office of Information Technology Security will need to conduct an additional review, prior to award acceptance.
Once OIT Security is notified of an agreement that may include a requirement to manage CUI, OIT Security will contact the PI or assigned representative to initiate the cybersecurity review. They will work with the PI or assigned representative to identify the necessary security controls and plan their implementation. Once the review has been conducted, OIT Security will notify OCG whether the computing environment supporting the project will be compliant. At that point, OCG will finalize the review of the contract.
A cookbook for your research security needs and questions:
Download the PDF here: Research-Compliance-Cookbook.pdf
Download the PDF here: ResearchSecurityOnePagers.pdf
Download the PDF here: DesicionTrees.pdf
What You Need to Know Before You Submit a Proposal
- Consult with OIT before you submit on your budget and what to include for compliance coverage in your proposal.
Congratulations, You're Funded; Now What?
- Meet with our OIT team to map out the research security plan.
Training for CUI
Training for CUI is provided by CDSE and the DoD. This training is free and provides a certificate upon completion. This training is mandatory for DoD and Government persons handling CUI. The OIT Security Office highly recommends that researchers handling CUI take this course.
- CUI Training - https://securityawareness.usalearning.gov/cui/index.html
- If your research involves HIPAA data, please visit the website below and contact firstname.lastname@example.org
- Those with GDPR needs: the UCCS campus is not GDPR compliant at this time. We will work with the contract liaisons to help justify our security posture and determine how we can best work within GDPR regulations.
- Those with FERPA regulatory needs, please visit the website below and contact email@example.com
- Acquisition and storage of equipment:
  - Do not buy equipment from eBay, as the supply chain integrity could have been compromised.
  - If the research contract falls under DFARS or ITAR, or will process CUI data, please reach out to firstname.lastname@example.org for specific guidance on buying compliant equipment for your research needs.
What is Export Control?
Export control regulations are federal laws that prohibit the unlicensed export of certain commodities or information for reasons of national security or protection of trade. Export controls usually arise for one or more of the following reasons:
- The nature of the export has actual or potential military applications or economic protection issues.
- Government concerns about the destination country, organization, or individual.
- Government concerns about the declared or suspected end use or the end user of the export.
- The UCCS Export Control Officer can be reached at email@example.com. See also https://osp.uccs.edu/export-controls/export-control-definitions or https://osp.uccs.edu/export-controls
Government Compliance, Including STTR, SBIR, and DoD
- DoD CUI - Information on CUI (Controlled Unclassified Information)
What is DFARS?
The main purpose of DFARS is to protect the confidentiality of Controlled Unclassified Information (CUI); the regulations apply to all DoD contractors and subcontractors.
- DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
- All DFARS regulatory clauses here
What is ITAR?
ITAR (International Traffic in Arms Regulations) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).
- ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only.
What is NIST 800-171v2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)?
NIST 800-171 is a set of technical and non-technical controls and requirements for defense contractors and subcontractors on how to securely handle CUI data.
- Link to the publication for NIST 800-171v2, here
What We Cannot Support
Although UCCS cannot support the architectural requirements of an environment that properly secures CUI and certain DFARS export-controlled data, we will work with researchers on a case-by-case basis to help support their research goals.
- Data repositories – see how we can help at https://kfl.uccs.edu/services/finding-open-repositories
Campus Wide and Campus Specific Policies:
- 100-020 HIPAA Compliance Policy (11/13/2018)
- 700-003 Information Technology Security (8/5/2016)
- Misconduct in Research, Scholarship, and Creative Activities
- FERPA (Family Educational Rights and Privacy Act) https://registrar.uccs.edu/ferpa-the-family-educational-rights-and-privacy-act
- Restricted, Proprietary and Classified Research
- University of Colorado System Research Policies and Procedures (APS 1007) - https://www.cu.edu/ope/aps/1007
- UCCS Office of Sponsored Programs and Research Integrity - https://osp.uccs.edu/
OIT and OSPRI CMMC 2.0 FAQ
Research here at UCCS is very important. We have partnered with CU Boulder to better serve the research community at UCCS. This research architecture has been years in the making and will support research that handles Cybersecurity Maturity Model Certification (CMMC) 2.0 Level 2, Controlled Unclassified Information (CUI), and certain Export Control regulations. More information about the Boulder Preserve: https://www.colorado.edu/rc/secure-research-computing-resources
What is Fundamental Research? – “Fundamental research means basic and applied research in science and engineering, the results of which ordinarily are published and shared broadly within the scientific community, as distinguished from proprietary research and from industrial development, design, production, and product utilization, the results of which ordinarily are restricted for proprietary or national security reasons.” [National Security Decision Directive (NSDD) 189, National Policy on the Transfer of Scientific, Technical, and Engineering Information]
Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) FAQs
The Office of the Under Secretary of Defense for Acquisition & Sustainment has a very informative website on Cybersecurity Maturity Model Certification.
If you need help understanding whether UCCS resources meet the standards imposed by the DoD CMMC, contact firstname.lastname@example.org and email@example.com
At this time, there is no “enterprise level” CMMC certification, and therefore the cost to comply is not University-wide.
The DoD will cover the cost of CMMC certification as a direct cost per project. These costs can be built into a budget with proper justification and back-up documentation.
UCCS currently has no architecture that can be certified. However, there are plans to utilize an architecture currently in development at another CU campus, which UCCS researchers will be able to use in the near future.
There is a 72-hour window to report an event to firstname.lastname@example.org, who will then report directly to https://dibnet.dod.mil. For SBIR or STTR awards, the primary funder must report. When in doubt, immediately report the event to email@example.com
- CU Boulder Secure Computing Research Information - https://www.colorado.edu/rc/secure-research-computing-resources
- Skillsoft CUI Training - https://universityofcolorado.skillport.com/skillportfe/main.action?path=summary/CUSTOMER_DEFINED/_scorm12_cu_u00189_0001