Federal Cybersecurity Requirements for Sponsored Research
Due to an increase in cybersecurity attacks and the loss of sensitive information that has occurred across the Defense Industrial Base (DIB), the federal government has called for an increase in safeguards to protect certain types of unclassified information. The most common regulatory requirements you may need to comply with or you may hear about, are outlined below.
FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
As a Federal Acquisition Regulation (FAR), these 17 practices can be applied to any federal award (though typically not in a fundamental/basic research award) to protect Federal Contract Information not intended for public release.
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting, or as referenced as NIST SP 800-171
The National Institute for Standards and Technology (NIST)’s Special Publication 800-171, referred to as NIST SP 800-171 and titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides the requirements for a non-federal system to store, process or transmit Controlled Unclassified Information. NIST SP 800-171 reflects a subset of the requirements a federal information system, or information system operated on behalf of a federal agency (per contractual requirement), must meet as detailed in NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations.
The Department of Defense is currently the only federal agency requiring NIST SP 800-171 via an acquisition clause, but a FAR to protect Controlled Unclassified Information is underway. In the interim, other federal agencies may refer to NIST 800-171 directly in the sponsored contract if Controlled Unclassified Information will be used or developed.
Make note, while the DFARS clause calls for implementation of NIST SP 800-171, it requires a little more. As the name implies, the clause requires reporting of cyber incidents within 72 hours that result in a compromise or adverse effect of an information system. The DFARS clause must also be flowed down to subcontractors whose performance will involve handling CUI. In total, compliance with this DFARS clause and NIST SP 800-171 requires implementation of 110 security controls which must be documented in a System Security Plan (SSP), with a Plan of Action and Milestones (POAM) document highlighting any controls not yet met with an estimated date of completion. While companies can be hired to perform a NIST SP 800-171 assessment, only self-attestation is required unless otherwise specified in the contract.
Cybersecurity Maturity Model Certification (CMMC)
CMMC is a Department of Defense effort, led by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to apply cybersecurity protections across the board, as a foundational principle in all acquisitions. CMMC Model v1 was released January 31, 2020. CMMC will be slowly introduced into contracts over a 5-year period through the specification of the required CMMC level in the Request for Proposal (RFP) and contract. It is critical to prepare for the full implementation, as no contract will eventually be issued to an organization by DoD that does not meet the required level.
CMMC builds upon DFARS 252.204-7012, adding some additional controls beyond NIST 800-171 from known industry standards and best practices, but it also groups the controls into smaller subsets referred to as maturity levels. There are five levels, with each reflecting a status of cyber hygiene an organization has achieved. Unlike NIST SP 800-171 that allows for self-attestation, CMMC requires verification by a third-party auditing organization (C3PAO). CMMC also does not allow for the use of a Plan of Action and Milestones (POAM) document to indicate unmet controls and when they might be implemented to achieve a given level. An organization must fully meet all requirements of a level to be certified at that level.
CMMC Levels:
Level 1: Basic Cyber Hygiene. Addresses FAR Clause 52.20421 (Basic Safeguarding of Federal Contract Information).
Level 2: Intermediate Cyber Hygiene. Addresses more than level 1, but not quite at level 3.
Level 3: Good Cyber Hygiene. Includes NIST 800-171 plus 20 additional controls (130 in all).
Level 4: Proactive. TBD, pulls from DRAFT of NIST 800-171B plus other sources.
Level 5: Advanced / Progressive. TBD, pulls from DRAFT of NIST 800-171B plus other sources.
What is Controlled Unclassified Information?
Controlled Unclassified Information (CUI) is a term initiated by 32 CFR 2002 (effective November 2016) that called for the establishment of a uniform program to manage and mark unclassified information that requires protection, across federal agencies, in order to apply consistent safeguarding and dissemination controls. The different types and categories of CUI are reflected in the National Archives and Records Administration (NARA) CUI Registry. The two types of CUI are: Basic and Specified. Basic CUI requires general markings and the protections in NIST SP 800-171. Specified CUI requires the protections of NIST 800-171, as well as the requirements specified in the law or regulation issued to protect the information (such as ITAR; HIPAA).