The draft Research Security Program standard states that "Covered research organizations must implement baseline safeguarding protocols and procedures for information systems used to store, transmit, and conduct federally funded R&D." The following 12 protocols are explicitly required:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), as described in Office of Management and Budget Memorandum M-21-31 on Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control any non-public information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Note: Absent any further clarification from federal research sponsoring agencies, it is UVA's interpretation that these cybersecurity protocols must be employed on all University IT systems, devices and services supporting research funded by federal grants, contracts, cooperative agreements and other transactional authorities. Additional safeguards may be required for specific types of data or programs at the sponsor's discretion.