University Security of Controlled Unclassified Information in Sponsored Research
GUIDANCE ON NIST 800-171 COMPLIANCE
The National Institute of Standards and Technology (NIST) publishes information security requirements for safeguarding, and controlling the dissemination of, Controlled Unclassified Information (CUI): information that is sensitive enough to require protection but is not classified. These requirements (NIST SP 800-171) apply to nonfederal information systems and organizations, including universities, that handle CUI while conducting research or supplying other goods and services to the US federal government. They are already incorporated in Defense Federal Acquisition Regulation Supplement (DFARS) clauses (effective December 31, 2017) and are anticipated to be included in Federal Acquisition Regulation (FAR) clauses (in process, expected by end of 2019).
Under DFARS and FAR, universities and federal agencies must jointly protect applicable agency assets and CUI. For institutions of higher education, information security (IS) and information technology (IT) investments should:
(i) be beneficial and relevant to the research enterprise.
(ii) balance the administrative burden for the conduct of research.
(iii) meet the needs and requirements of each agreed-upon research program and protocol.
The purpose of this document is to provide negotiation guidance, options, and strategies on how to work with federal agencies on required information security compliance for CUI. This guidance includes IT control alternatives for compliance and suggestions for projects where the compliance standards do not apply.
General Strategies and Approaches:
When applying for or accepting a research project that may include CUI or require NIST 800-171 compliance, always establish as a first step whether CUI or data controls are needed and relevant for the scoped project, RFP, proposal, award, etc. For example, on April 24, 2018, DoD released for comment draft guidance for procurements requiring implementation of NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Universities, including UT System members, had previously raised the concern that prospective awarding agencies often do not fully define CUI data types ahead of proposal or in award documents, and that CUI categories, data types and standards are not always tailored to the needs of the individual research project. Many universities asked that such an assessment be a required element. The updated DoD assessment chart prescribes identification of CUI (a series of "must require" and "must identify" security items that any DoD agency must address in its solicitation or RFP), and it is expected to be approved in at least this form. While this complements the university preference to avoid having IS or IT protections requested or required beyond existing provisions and compliance requirements, we suggest that each university still determine for itself whether CUI requirements apply, since silence on requirements does not necessarily mean that no CUI protection is needed.
When NIST requirements are invoked, the University Principal Investigator (PI), in coordination with central IT and IS experts, will need to complete an assessment of how their data handling and administrative practices match the specific requirements stipulated by the funding agency.
NIST 800-171 controls can be distilled to three categories:
Administrative practices – Policies, standards and procedures that the PI must maintain (e.g. access control, security awareness or technical training).
Physical security – Guards against data loss from theft or environmental conditions (flood, fire, etc.) and against unauthorized physical access (e.g. cable locks, computer cages, etc.).
Technical safeguards – Guard against unauthorized access, data corruption, data loss, malware, etc. (e.g. encryption, backups, RAID arrays, antivirus, NetIQ authentication, etc.).
The PI should consider the consequences of potential data loss or corruption (such as reputation, compromised or scooped discovery, loss of future funding, etc.) in determining whether to implement best practices beyond the minimum requirements for compliance.
Each University may be at a different stage in the process of determining whether certain centrally provided resources meet specific controls pursuant to requirements in NIST 800-171. This guidance and the attached decision trees for proposal and award stage negotiations may be helpful to engage in research projects as appropriate.
The high-level objective is to clarify as early as possible, preferably at proposal or even pre-proposal, whether the project involves data or information requiring safeguarding or dissemination controls (e.g., CUI). If this is not addressed at application, the University still has options at the award or agreement stage. If the prospective or actual awarding agency has not taken responsibility for making the determination, the PI and sponsored projects office should assume responsibility to ask questions, drive answers as needed, and negotiate the applicable standards and administrative burdens.
Ultimately, always be prepared to meet the stipulated minimum requirements. If you have a fully compliant solution that covers all data transmittal, storage, generation and use at the highest required level, deploy it. If not, implement the specific controls that actually apply to the project, and document any remaining gaps in a plan of action and milestones where DFARS requires one, showing how the University will bring itself into compliance.
Typically, there are three options for University compliance, each with a different cost structure. Decision points are detailed in the table below.
- * Isolated: CUI-applicable technical controls that any PI who wants them can use, without requiring compliance across the entire University IT infrastructure (e.g., self-encrypting hard drives or portable drives, designated compliant server(s)).
- ** Partially compliant: A solution available University-wide to any PI, but tailored as a single, one-off option (e.g., resources narrowed to the proposal or project at hand, together with a PI-specific plan of action and milestones (POA&M) for correcting any gaps or deficiencies).
- *** Fully compliant: Third-party compliant options or outside collaborator systems, or University internal or affiliated (such as TACC) systems. In some instances, the funding agency may be able to provide resources to the PI.
Detailed Options, Track Decision Tree:
The following chart gives more detailed information on suggested processes and tips, and selected NIST CUI standards for institutions to consider.
DETAILED OPTIONS, REFER TO APPLICABLE DECISION TREE
NIST STANDARDS (SP 800-171); SELECTED COMMENTS
Ask whether controlled data (e.g., CUI) applies to the project. If the prospective awarding agency has not taken responsibility for the determination, the University PI should assume responsibility to ask questions and drive answers as needed.
If planned data exchanges or storage DOES require controlled data compliance, AND University complies:
If planned data exchanges or storage DOES NOT require controlled data compliance:
If planned data exchanges or storage DOES require controlled data compliance AND University CANNOT or does NOT comply in whole or in part:
National Institute of Standards and Technology: "Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations" (2016) – sets out the security requirements for safeguarding CUI and controlling its dissemination.
These cyber security requirements also map to ISO/IEC 27001 controls (SP 800-171 publishes the mapping in an appendix), which makes compliance more feasible for institutions already aligned with ISO/IEC 27001.
800-171 (Rev 1 is current as of this guidance) has 14 control families with (now) 110 requirements and is derived from 800-53 (which is intended for federal information systems and has 18 control families with 600+ controls and control enhancements).
CUI and CUI data types are often not defined in award documents, nor is the CUI categorized.
Institutions typically already comply with significant IS rules.
If the University has not had the opportunity to review, or has not reviewed and considered, data use at the proposal stage, or the issue was not addressed at all, but the University has received an award anyway:
If University CANNOT meet all requests: