Purdue University End-to-End CUI Workflows

All content developed under NSF #1840043

Purdue University mapped out the processes involved with their CUI researchers, from a unit ownership area. This helped all the roles involved see where hand-offs were happening and do local process improvement.

Supporting Controlled Unclassified Information with a Campus Awareness and Risk Management Framework

The Purdue CUI framework integrates NIST SP 800-171 and other related NIST publications as the foundation of the framework. This framework serves as a standard for campus IT to align with security regulations and best practices, and create a single process for intake, contracting, and facilitate easy mapping of controlled research to CI resources for the sponsored programs office, human subjects office, and export control office. The framework allows researchers to experience faster intake of new funded projects and be more competitive for research dollars. Using student-developed training materials and instruction, researchers, administrators, and campus IT are now able to more clearly understand previously complicated data security regulations affecting research projects. The ecosystem developed from this project enables new partnerships with government agencies, and industry partners from the defense, aerospace, and life science sectors. Experiences and best practices in providing cyberinfrastructure and security awareness developed from this collaboration are documented and shared with the broader CI and campus community through conferences, journals and workshop.


Controlled Research Program Guide

1. Define Your Program

Policy and Governance

Define the scope of your CUI research program

What is CUI?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls as defined by applicable law, regulations, and government-wide policies.

The regulations and safeguards apply if you, possess, use, share, or receive CUI or operate, use, or have access to Federal information and information systems on behalf of an agency.

Storing and Processing CUI

  • Determine how you will receive or generate CUI

  • Determine how you will process and store CUI

  • Determine who needs to access to CUI

  • Determine how you share research results with sponsors securely

Review Your Workflows

  • What type of office space do you have for controlled research, will you need to separate research teams so you can guard against shoulder surfing, and screen orientation?

  • Are you going to use controlled software, can you use shared systems?

  • Determine how you share research results with sponsors securely

  • Are you working with a project team at another university, how will this change your workflows?

  • Who is going to help you stay secure and compliant, do you need help?

  • How are you capturing or generating data currently, will this change?

  • How will you deal with a controlled thesis submission process?

Helpful Tips:

  1. CUI is not classified information.

  2. CUI Basic requires the baseline handling and dissemination controls.

  3. CUI Specified the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic.

  4. Your normal cyberinfrastructure may not be authorized to host or process CUI. Contact your Regulatory Office or Research Computing.

  5. Specific security controls are required when safeguarding CUI within scope of clause 52.204.7012, this includes practices and processes in the newer model CMMC.

  6. If you are using a secure drop site, ensure the service is authorized to store CUI.

  7. There could be staff restrictions, U.S Persons only, for example.

  8. With controlled research project, using personally owned equipment is not recommended, consider utilizing central facilities for research computing or data storage. Have IT provide managed laptops or desktops. Include this in your budget request if possible.

  9. It's important to consider the potential for meetings to be overheard consider finding a private meeting space.

  10. If using teleconferencing, select an approved service. Work with your regulatory or security office.

  11. On your own? TrustedCI has resources to help.

2. Define Roles

Policy and Governance

Define Security and Compliance Roles for your Research Program

Research Team



Define an oversight role on your project team to ensure the compliance and security requirements you own are maintained throughout the lifecycle of the project. This should be given to people with leadership roles within the project. Create a partnership with your IT, Regulator and Security offices. 

This will help reduce work related to compliance and security activities by allowing for effective communication with trusted parties.

Regulatory Oversight

Your institution regulatory office should be reviewing the following:

  • Publication Approvals

  • Restrictions on Participants

  • Dissemination Limits

  • Jurisdiction Review (EAR v. ITAR)

  • Technology Review

  • Foreign Sponsors

Researcher's Roles In Cybersecurity

Protection

  • Protect People’s Privacy

  • Protect Research Data

  • Protect Systems, Update Software

Detection

  • Look for Insider Threat

  • Look for Malicious System activity using Antivirus

  • Use Approved Networks

Mitigation

  • Reduce incidents by using the defined processes

  • Report IT security incidents promptly

  • Reduce risk by keeping systems up to date

Institution's Role in Cybersecurity

Protection

  • Security Awareness Program

  • Data Security Plans

  • Automated System Updates

Detection

  • Have an Insider Threat Program

  • Alert on Malicious Activity

  • Centralized Event Logging

Mitigation

  • Annual Regulatory Review

  • Incident Response Policy and Procedures

  • Track Risk

Helpful Tips:

  1. In some cases only U.S. Persons can access data. Your regulator office would inform you of the requirement.

  2. Plan to update your IT systems regularly

  3. Plan to train staff on compliance and security requirements

  4. Plan to manage whole disk encryption

  5. Plan to maintain Technology Control Plans and additional documentation

  6. Plan to manage authorization to resources

  7. Contract review is a key component to identify controlled research via specific contracting terms.

  8. Technology Control Plans, or System Security Plans could be required when working with CUI.

  9. Most institutions have required compliance training for staff on controlled research projects. This could be required before you begin your research activities.

  10. Cybersecurity incidents within scope of DFARS 52.204.7012 must be reported to the DoD within 72 hours

  11. The Department of Homeland Security National Cybersecurity and Communications Integration Center advises that “insider threats, to include sabotage, theft, espionage, fraud, and competitive advantage are often carried out through abusing access rights, theft of materials, and mishandling physical devices.” Learn More.

  12. Updating systems has the biggest positive impact on your cybersecurity posture. Delegate this process to IT.

  13. There are specific cybersecurity Incident reporting requirements for data within scope of DFARS 52.204.7012

  14. Updating systems has the biggest negative impact on research when it is done incorrectly. IT must understand the research process before updating.

  15. Complex research systems with fast data transfer requirements may have performance issues when located behind a network firewall. Use a Science DMZ.

  16. Keeping systems current in research is a challenge all institutions are facing. Use risk management to reduce impact.

3. Review the Regulations

Policy and Governance

Policy and Regulatory Review

Laws, U.S. Codes and Regulation



There are many laws, U.S codes and regulations specific to each CUI type.

Develop a partnership with your Regulator Office, they are the experts. Start this process as early as possible.

This will help reduce delays in your research activities, and help you manage any additional budget requirements.

Institutional Policy

  • Institutional policies will apply alongside regulatory requirements. Dedicate time to read the policies and / or take training.

  • Apply the knowledge to the processes protecting your program. This makes it easier to maintain compliance overtime.

  • Work with your Regulatory Office, or Security and Policy Office to determine how a policy applies to your CUI research program.

Helpful Tips:

  1. Executive Order 13556 , established a CUI program.

  2. 32 CFR Part 2002, established CUI policy for agencies

  3. DFARS 252.204-7012, established the requirements for safeguarding CUI and the cyber incident reporting for the DoD

  4. NIST SP 800-171 is the current standard used to defined the required safeguard for CUI. This standard will be combined with the Cybersecurity Maturity Model Certification starting in 2023 for the DoD contracts.

  5. The institution should map policies to regulatory requirements and address gaps. This is out of scope for an individual researcher.

  6. At a minimum, researchers should review the Acceptable Use Policy and the Incident Response Policy.

  7. Try to use the existing institutional policy instead of creating policies from scratch. You won’t have to maintain the policies over time, just the processes related to the policies.

  8. When is doubt, work with your institution to determine what policies are important.

4. Common Language

Policy and Governance

Use Common Language

CUI Tools



When working with Controlled Unclassified Information (CUI), you will be introduced to new terms, definitions and categories. The National Archives provides the information needed to learn the new concepts. Learning common terms will help you communicate to your regulatory office.

Identifying and Marking CUI

The DoD office or agency is responsible for identifying CUI. 



Look for DFARS clause 52.204.7012 in your contracts or Grants. If included, determine if you are receiving or generating CUI. It is possible you won’t receive, generate or access CUI. This could be Fundamental Research.



If you create CUI think about your responsibility for identifying and marking CUI when applicable.


Helpful Tips:

  1. Need to lookup a term related to Controlled Unclassified Information, use the Glossary

  2. Need to lookup a Controlled Unclassified Information Category, use the CUI Registry

  3. Need to read about the latest information, use the ISSO Blog

  4. Need to read about the cybersecurity terms, use DFARS-252-204-7012

  5. Want to learn more about marking, see “Introduction to Marking

  6. Previous research data published to the public domain is not considered CUI if you use it in new research projects covered by DFARS clause 52.204.7012. New results could be covered.

  7. Think about when the data may be covered by the contract and considered CUI. Example, raw measurements may not be CUI until they are contextualized.

5. Categorize Information

Security and Compliance

Categorize Information

Access to Systems and Data

Determine the type of access level required for your research team before access is granted.

Create clear data boundaries between public, sensitive, and restricted research data.

Access Levels to Consider:

  • Access to Fundamental Research

  • Access to Sensitive Research

  • Access to Restricted Research

  • Access to Export Controlled Research

  • Access to Classified Research

Organize Access to Data

Take time to think about organizing data in a way to ensure only authorized individuals have access. This will be your data boundary. IT will help you understand when your data becomes in scope of a given regulation.

Keep controlled research data separated from open research data.

Some data may have marking requirements.

Helpful Tips:

  1. There could be restrictions too

  2. U.S Persons Only for access to the systems or data.

  3. Be sure to include any paper copies in your planning.

  4. Planning now reduces the risk to you and your project team.

  5. Want to learn more about marking CUI, see “Introduction to Marking

  6. Think about who needs access and how long.

  7. Don’t accept regulated data without the proper approvals.

  8. Keep the process as simple as possible.

  9. VeraCrypt can be used to create an encrypted container to help protect your data

Check out 5 Data Boundary Concepts

Multiple Projects


Open Data Source as Input


Open and Controlled Projects


Noncontextualized


Shared Equipment


6. Practices and Processes

Security and Compliance

Security Practices and Processes

Risk Assessments

Work with your Security Office to perform a security risk assessment for new and existing projects.

Prioritize your risk and document the process.

Review Risk Assessments at least yearly to ensure the reports stay current.

Manage risk, this includes accepted, unaccepted and risk with a temporary mitigation in place.

Cybersecurity Baseline for FCI

Federal Contract Information (FCI) has special cybersecurity requirements defined in FAR 52.204-21.

Review required safeguards to ensure the are performed. The requirements are basic cybersecurity protections. If your data is meant to be private and protected the safeguards should already be performed for your research programs.

You should have documented procedures to ensure the security controls are performed. Work with your IT department if you have managed systems.

Technology Control Plan (TCP) for Export Control (ITAR,EAR,OFAC)

A TCP is a plan to provide clear guidelines and controls deemed necessary to safeguard controlled technical data, information or equipment that is subject to export control regulations. Your institution should have a process for creating and or reviewing TCPs. Contact your regulatory office for more details.

There are several different export control regulations, but the 3 most likely to impact university activity are those of the State Department (ITAR), the Commerce Department (EAR), and the Treasury Department (OFAC). The following activities could be in scope:

  • Performing Controlled or Proprietary Research

  • Performing Research Outside the United States

  • Traveling Outside the United States

  • Presenting at Conferences Outside the United States

  • Hosting International Visitors

  • Shipping Equipment, Software or Technical Information Internationally

  • Engaging in international Collaborations or Partnerships

  • Paying someone in another country for items or services

  • Advising Students from Countries subject to U.S. comprehensive sanctions

Technology Control Baseline

A Technology Control Plan should address:

  • Authorized personnel

  • Dissemination and publication rules (including how to handled student theses that may result from the controlled research)

  • Physical security

  • Information technology security

  • Plans should be signed, by at least the Principal Investigator and the projects team. It is good to have Department Heads and representatives from your regulatory offices to sign as well.

To keep the TCP current, amend the document for:

  • Significant changes to the scope or project plan

  • Personnel additions or deletions

  • IT hardware additions or deletions

  • IT storage or software changes

  • Physical location (office or lab additions or change)

  • Significant changes to the physical security

  • Change to student thesis/dissertation committee or new plan of study submission.

Cybersecurity Baseline for CUI

The publication and supplemental material can be found at the 800-171 Re.2 publication.

800-171 Rev.2 provides the security requirements for protecting CUI when the information resides on nonfederal systems. All requirements in 800-171 Rev.2 must be addressed.

A system security plan (SSP) must be created and maintained. Review the plan at least yearly. Update the plan when changes arise to the protections or infrastructure. Use a change management process to help monitor changes and to record risk.

Exceptions or deficiencies to the security requirements are managed using a plans of action. This document helps you manage risk, don’t use it as a supplement to implementing controls

Self attest to compliance. 800-171A provides assessment procedures and a methodology for conducting assessments of the CUI security.

To meet compliance you will need to work with your institution, start with your security and policy offices along with your regulatory offices.

System Security Plan (SSP) for CUI

The goals for a System Security Plan:

  • Record system categorization

  • Define owners for the data, system and security.

  • Provide a genal description and purpose for the system.

  • Describe the environment

    • Hardware components

    • Software components

    • Maintenance Options

  • Status of the required security controls.

    • Implemented

    • Planned to be implemented

    • Variance to the original control

  • Diagrams:

    • System Boundaries

    • System Interconnections

    • Key Devices

    • Network Boundaries

    • Data Flow

Additional Plans to Consider

Have a plan to deal with publication restrictions or to track approvals.

Have a plan to deal with potential shipping restrictions.

If you have CUI specified there could be additional handling controls outlined by an agencies that differ from those for CUI Basic.

Configuration Management

Create or adopt a change management process, meet regularly and record and track changes to:

  • Information Systems

  • Installed software

  • Process Workflows

  • User Permissions

  • Data Sharing

Adjust the System Security Plan as needed.

Helpful Tips:

  1. SP 800-30 v1 (September 2012) provides a guide for Risk Management.

  2. SP 800-39 v1 provides a guide for organization-wide Risk Management.

  3. TrustedCI provides supporting documentation.

  4. Make sure you have a risk management policy.

  5. FAR 52.204-21 is in scope when included as clause in a contract to develop or deliver a product or service to the Government.

  6. FCI would include Information provided by or generated by the Government.

  7. FCI is not intended for public release excluding information already provided by the Government to the public. Example: Information on a public website.

  8. This is the starting point for cybersecurity requirements when working with the Government, start planning to ensure these requirements are in place.

  9. Export control regulations apply to technical information as well as physical items — and when controlled information is given to a Foreign Person it's considered to be an export to that person's country, even if it happens in the US, even if it happens on a university campus.

  10. If you collaborate with people in other countries, your emails are exports. When you travel, you're exporting everything you take with you. And, of course, you're exporting when you ship an item outside the US. These could all lead to export control violations with consequences for you and for your institution.

  11. Don't Discuss non-public domain technology with foreign companies and foreign nationals.

  12. Export control regulations apply to technical information as well as physical items — and when controlled information is given to a Foreign Person it's considered to be an export to that person's country, even if it happens in the US, even if it happens on a university campus.

  13. If you collaborate with people in other countries, your emails are exports. When you travel, you're exporting everything you take with you. And, of course, you're exporting when you ship an item outside the US. These could all lead to export control violations with consequences for you and for your institution.

  14. Don’t discuss non-public domain technology with foreign companies and foreign nationals.

  15. DFARS 252.204-7012 could be included as clause in a contract to develop or deliver a product or service to the Government.

  16. The security requirements contained in 800-171 Rev.2 are only applicable to a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

  17. The requirements apply only to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

  18. A template for an SSP is provided by NIST for 800-171 as supplement material.

  19. 3.12.4 in NIST 800-171 covers the requirement to create and maintain a System Security Plan.

  20. Update the plan when major changes are implemented. Audit the plan at least yearly.

  21. It is good practice to collect a signature within the document from the data, system, and security owners.

  22. Reminder: Every international shipment is an export and is subject to US export control laws.

  23. US law restricts the shipment of some materials to certain individuals, institutions, and countries and for certain end uses.

  24. A contract may have a publication or dissemination restriction. Ensure you understand the restrictions.

  25. Use a program like a ticketing system to submit, track and approve or decline changes. Stick to the process, and requires security reviews for major architecture changes.

  26. Some controlled software may have regulation restrictions, use you change management process to review the software prior to installation to ensure compliance.

  27. SP 800-128 provides a detailed methodology for management of information systems that is suited for larger projects.

7. Implement Security Controls

Security and Compliance

Install Security Requirements

Install Security Controls

Implement security controls outlined in your System Security Plan. Amend Security Plan if the controls change.

Communicate milestones to your project team, researchers, regulatory office and IT teams.

Helpful Tips:

  1. You will need to adjust your System Security Plan ensure you use your change management process to track changes.

  2. It is key to conduct new security reviews if you have major changes to the plan.

  3. When making changes, ensure you are following your organization’s and the changes still meet regulatory requirements.

8. Test Security Controls

Security and Compliance

Test Security Requirements

Testing

Test the security and compliance controls prior to go live.

Create a security report outlining any findings.

Adjust any findings or determine if its safe to operate. Add the remaining findings to risk assessment or adjust the Security Plan.

Helpful Tips:

  1. Use automated tools when possible and setup repeatable processes.

  2. Test controls using privilege and unprivileged access.

  3. Add changes to your System Security Plan or POAM.

9. Conduct Training

Security and Compliance

Conduct Training

Training Options and Ideas

Conduct in person training for new complex and high-risk projects. Use online as the project continues.

Review past security and compliance incidents for new training opportunities.

Ensure to budget for training.

Helpful Tips:

  1. Training will be required by many regulations, find ways to make it engaging.

  2. For large groups you will need a tool to automate the process.

  3. Add a Tabletop exercise as a training option.

  4. Conduct communications based on immediate risk as a method of training.

10. Stay Compliant

Security and Compliance

Mature the Program - Program Growth

Continue to work with all stakeholders to mature your practices and processes by identifying gaps and documenting gaps.

Ensure you strengthen the governance program by review the gaps and ensure you document the final response for future reference.

Staying Compliant

Systems, environments, and priorities will change, and this is important to provide appropriate growth. It is not up to one person to ensure compliance; all stakeholder are part of the process.

If you don’t have a strong governance model and buy in form senior leaders, staying compliant could be a struggle.

Helpful Tips:

  1. You will have competing priorities overtime; ensure you have honest and open conversations often.

  2. Ensure you have a governance process that allows each stakeholder to have a vote but does not paralyze the process.

  3. Has senior leaders change ensure they have an overview of the practice and process to help with the transition.

  4. Many new regulations are requiring you to continually monitor your security controls to lower your risk of falling out of compliance and to ensure security controls are operational. This action requires established processes, practices and staff resources.

  5. 800-171 A provides a guide to assessing your 800-171 controls.

  6. Documentation is a big part of staying compliant, ensure you have resources dedicated to this task.