Does the entire school have to meet CMMC level 3, since IST-SMST is a mix of academic and the research, or just certain enclaves?
When we request a third-party organization to perform a Cybersecurity Maturity Model Certification (CMMC) audit, we will specify the level we are seeking to achieve (currently level 3) and we will define the boundary for those systems intended to meet the stated requirements of that level. The systems within scope of the audit therefore reflect a subset of all systems at IST-SMST. Key servers and network devices that naturally support systems both within scope and out of scope (e.g., Active Directory, DHCP, network switches, firewall) are additionally included.
Does the IST-SMST-002 Policy: Controlling information posted or provided to publicly accessible information systems, apply only to systems within scope, or to everyone?
The IST-SMST-002 Policy: Controlling information posted or provided to publicly accessible information systems, applies to everyone who manages and maintains an IST-SMST publicly accessible site or who posts content to such a site physically managed elsewhere (i.e., it is still an IST-SMST site, but it is hosted in the cloud). The policy applies to more than just those personnel who operate a controlled system or handle controlled information, because the focus of the federal requirements is broader, stating that the requirement applies to "systems controlled by the organization and accessible to the public".
Federal agencies are requiring contractors to ensure nonpublic information does not make its way to any public website the organization is responsible for. The essence of this requirement is already part of university policy; see UCF Data Classification and Protection Policy, 4-008.1, which states highly restricted and restricted information "must not be posted on any public website, blog, or other publicly-accessible Internet site". The university policy does not yet address the other aspects of the federal requirements, though, which require designation of individuals, training, and a frequency for overall site reviews to be performed for nonpublic information; the IST-SMST policy does.
In short, the IST-SMST-002 policy states the corresponding director, department/lab head or project lead (principal investigator) responsible for an IST-SMST public site will designate one or more individuals to be authorized to post; those individuals will take a short training session, review all information before posting, and then annually (at a minimum) verify the public site does not contain nonpublic information.
As for federal references, the requirement to control information posted to a public site is in all three of the federal regulations discussed during the August 19, 2020 IST-SMST All Hands Meeting. Even the simplest of all the regulations, FAR Clause 52.204-21: Basic Safeguarding of Covered Contractor Information Systems, states the requirement under b.1.iv: Control information posted or processed on publicly accessible information systems. In NIST 800-171, 3.1.22 Control CUI posted on publicly accessible systems, and CMMC, AC.1.004: Control information posted or processed on publicly accessible information systems, is where you will see the additional clarification that the requirement addresses "systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Individuals authorized to post CUI onto publicly accessible systems are designated. The content of information is reviewed prior to posting onto publicly accessible systems to ensure that nonpublic information is not included."
I have personal flash drives in my office with personal documents or those unrelated to IST-SMST. Do I need to label or remove them from my office? What about flash drives I have purchased to hold my syllabi, research papers and non-confidential research, do these flash drives require a label?
The IST-SMST-003 Policy: Use of Removable Storage Devices or Media discusses the use of removable media in an IST-SMST managed system separately from the labeling of removable media produced by IST-SMST.
With regards to use, the policy aims to guard against unknown or untrusted devices being used in an IST-SMST system. For example, an unmarked flash/USB stick found in the parking lot or lobby should not be taken and inserted into your computer at the office. The policy states devices without an identifiable owner, or unknown or not trusted by the user, are not to be used in an IST-SMST system, but rather turned in to the Help Desk so the device can be viewed in a secured environment to identify a rightful owner. A flash drive that you own and trust can therefore be used in an IST-SMST managed system. If you wish to store personal flash drives in your office, that is fine too. The only exception with respect to use is that a USB/flash drive cannot be freely inserted in a system authorized to handle and process Controlled Unclassified Information. Due to the additional restrictions placed upon "controlled systems", the ability to use a specific USB device requires separate management approval and authorization.
With regards to labeling, the policy states removable media produced by IST-SMST personnel will minimally be labeled with an identifiable owner. It does not speak to media produced outside of IST-SMST. An identifiable owner can be an employee name, lab, or project that is added to the device, as room allows. For example, depending on the type of media, you might find you only have room for initials written in a sharpie pen to identify who the media belongs to. If one of the 3 sizes of the standardized labels will fit, those labels will ideally be used. If, however, the media contents are highly restricted and contain Controlled Unclassified Information, then in accordance with federal CUI handling requirements the label or marking must reflect both an identifiable owner and the word CONTROLLED or CUI, to reflect the presence of such data. Other requirements will also apply to the handling of such media (locked cabinet, chain of custody, etc.).
Is a Gov Cloud subscription for AWS being worked on?
The UCF NIST committee is discussing GovCloud solutions, and IST-SMST will still provide a compliant on-premises solution for projects not suited for the cloud.