Research Data Security and
Controlled Unclassified Information
Florida State University’s information security and privacy policies and procedures effectively address the need to protect confidential and sensitive information that is maintained in the various spheres of University activities. The research setting poses particular information security risks and challenges, including regulatory and contractual constraints that require additional policy provisions and protective measures. To protect research data appropriately and effectively, FSU’s researchers, research oversight bodies, and information technology staff must understand and carry out their responsibilities related to data security.
Controlled Unclassified Information (CUI) is information that the federal government creates or possesses, or that the University creates or possesses on behalf of the government, to which access or distribution controls have been applied in accordance with laws, regulations, or government-wide policies. CUI does not include classified information, nor information the University possesses and maintains in its own systems that did not come from, and was not created or possessed by or for, a government agency. A full list of CUI types (categories and subcategories) is available at the CUI Registry.
Some agencies require that CUI be protected consistent with the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST 800-171), which outlines specific controls that must be met while handling CUI. These controls already apply to some research being conducted at FSU, and will be required by more contracts as the University’s research portfolio grows and as federal agencies increasingly adopt these heightened security frameworks. For a more detailed overview, please see An Introduction to NIST Special Publication 800-171 for Higher Education Institutions.
The Department of Defense was the first to enact specific requirements for the protection of CUI. Other federal agencies are expected to adopt comparable regulations over the next year or two. The Office of Research and Information Technology Services are committed to providing solutions that meet the requirements for protecting CUI in compliance with the University’s federal and contractual obligations.
Code of Federal Regulations
32 CFR Part 2002, "Controlled Unclassified Information" established the policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI; self-inspection and oversight requirements; and other facets of the CUI Program. This rule affects federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to federal information and information systems on behalf of an agency.
Department of Defense (DOD)
When CUI may be shared with FSU, a DOD contract or subcontract may include DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. This clause requires that the researcher and the university meet specific National Institute of Standards and Technology (NIST) standards (NIST 800-171 Rev. 1) to safeguard CUI.
FSU’s Compliance Plan
There are multiple components required for compliance with the NIST standards. The regulation allows the contractor to self-attest to compliance if it can demonstrate implementation, or planned implementation, of the security requirements through a system security plan and associated plans of action documentation. FSU has developed the following documents, which may be submitted with the proposal as required by the solicitation or the funding agency's contracting officer.
- System Security Plan (SSP) – A document that is periodically updated to describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. This Plan is the university-wide IT platform for securing research-based CUI. Operational details for individual research contracts (e.g., Principal Investigator, department, contract number, computing requirements) will be prepared as supplements to this Plan.
- Plans of Action & Milestones (POAMs) – A document used to describe individual, isolated, or temporary deficiencies and the management plan designed to correct the deficiencies and reduce or eliminate vulnerabilities in the University’s systems utilized by the researcher.
Federal agencies may consider the University’s SSP and POAMs as critical inputs to the evaluation factors in the contract selection process. Whether and how they will be used in the proposal evaluation must be stated in the solicitation.
FSU has contracted with Amazon GovCloud to satisfy NIST 800-171’s infrastructure requirements. This secure enclave is branded for FSU as:
See additional information on securing human subjects research data on the Human Subjects website.
Diana Key, Director
Office of Research Compliance Programs
Michael Boll, Research Data Security Specialist
Office of Information Technology Services