Research Cybersecurity Baseline

WHAT:  The Research Cybersecurity Baseline takes full advantage of the institutional resources established to support your work.

The Research Cybersecurity Baseline consists of basic practices you can implement to safeguard your research.  These practices are appropriate for "fundamental research". Restricted (i.e., non-fundamental) research will generally require additional safeguarding measures to meet the specific standards set by applicable laws, regulations, or contractual obligations established by sponsors, data sources, or other entities.

*The term "fundamental research" is used to refer to basic and applied research where there are no restrictions on your ability to disseminate/publish the results and no limitations are placed on who may be involved in the conduct of the research. 

WHY:  Allows you to focus on those things that only you can do, your research and scholarship. 

Even when you plan to publish all of your research results, it's important to protect them until you're ready to release them. Cumulatively, the data sets, techniques, software, analytical approaches, tools, methodologies, instruments, etc. that you've developed over the course of your career together form a unique resource that only you can bring to future research, providing an advantage you can leverage in future funding proposals.

WHO:  The Local Support Partners (LSPs) in your area should be your primary contacts.

If it's not something your LSP can provide or is outside of their expertise, they will be able to direct you to the appropriate department, school or institutional resources. If you don't know who your LSP is, ask your department, school or institute administrative office.


BASELINE PRACTICES

1. Use UVA owned/managed devices.

BENEFITS:

ITS Patch Management Service or HIT Desktop Management Service handles patching and updating your operating system(s) and supported software, including effective antivirus, antimalware and antispyware software.

Working with your local support partners (LSPs) and unit purchasing staff when buying technology helps prevent inadvertent purchases of equipment that, because of federal procurement prohibitions (e.g., Huawei and ZTE products or Kaspersky software), cannot be purchased by UVA, used for institutional work, or supported at UVA. If you don't know your LSP(s), check the LSP Directory available from the LSP page of the ITS website. 


RESOURCES:

  • See the Device Security page of the Information Security (InfoSec) website or consult a Local Support Partner (LSP) in your area for more information on securing your device and data.
  • FREE antivirus/antimalware/antispyware software Microsoft Defender for Endpoint (MDE) is provided by UVA if you aren't using a managed computer.  
  • Federal prohibitions on the acquisition and use of devices, software and services are discussed in the "Prohibitions on Procurement (Federal Mandates)" section of the Foreign Influence Best Practices page. A link to a list of prohibited manufacturers/suppliers is also provided.


ADDITIONAL INFORMATION:

Sponsored awards are made to the University, rather than directly to individual researchers, making the University ultimately responsible for assuring the security, integrity and appropriate accessibility of the resulting research data. A portion of the indirect (F&A) costs collected on sponsored programs is used to provide researchers with IT hardware, software, and support services.

The results of University research, as defined in University policy RES-006, Patenting of Discoveries or Inventions at the University (Patent Policy), belong to the University rather than the individual researcher(s) regardless of whether the research was supported by internal funds or sponsored programs. As University property, research data should be collected, stored, processed and archived on UVA owned/managed devices, systems and services. 

University research data (inputs or results) that have not been published/released, whether or not subject to regulatory or contractual confidentiality/privacy requirements, are "sensitive data" (at minimum) under University policy IRM-003, Data Protection of University Information, and must be protected from unauthorized access or release in accordance with the applicable University Data Protection Standard (UDPS).  

2. Back up your data.

BENEFITS:

The simplest and most effective way to mitigate the threat of ransomware is to back up essential (e.g., source, primary or raw) data such that it is insulated from an attack on the device/system containing your active data. A copy that is continuously synchronized from, or writable by, the compromised device will be encrypted right along with the original, so keep at least one copy offline or in storage that only accepts new versions and never overwrites old ones, and periodically confirm that you can actually restore from it.

Documenting your data storage strategy and backup policy and making sure everyone in your research team understands and follows the policy safeguards the data in case any individual device is lost, compromised, stolen or damaged. It also ensures that you retain access to the essential data for future use and to respond in the event of an allegation of research misconduct. 
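The following is an added example, not part of the original page or of any UVA service: a minimal snapshot backup in Python (standard library only) that copies a source tree into a new, never-overwritten snapshot directory, records a SHA-256 manifest of every file, and later re-hashes the snapshot to detect files that have been altered, removed or added since the copy was made, which is exactly what a ransomware run against the backup location would look like. All paths, file names and the manifest file name are assumptions chosen for the illustration.

```python
"""Snapshot backup with an integrity manifest (added example, stdlib only).

backup_snapshot() copies the source tree into a fresh, timestamped snapshot
directory and writes a SHA-256 manifest beside the files. Because a snapshot
directory is never reused, an attacker who encrypts the active data cannot
also rewrite earlier copies through the same sync path. verify_snapshot()
re-hashes every file and reports anything that no longer matches.
"""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST_NAME = "MANIFEST.sha256.json"   # assumed name; any fixed name works


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large raw-data files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path relative to root (POSIX form) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def backup_snapshot(src: Path, dest_root: Path, label: Optional[str] = None) -> Path:
    """Copy src into dest_root/<label> and write its manifest; return the snapshot path.

    copytree() refuses to write into an existing directory, so an earlier
    snapshot is never overwritten: a second run with the same label fails
    with FileExistsError instead of replacing good data with bad.
    """
    label = label or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    snap = dest_root / label
    shutil.copytree(src, snap)
    manifest = build_manifest(snap)
    (snap / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    # Drop write permission on the copy so an ordinary process on this host
    # cannot silently alter it (a root-level compromise can still undo this;
    # that is why at least one copy should be offline or on append-only storage).
    for p in snap.rglob("*"):
        if p.is_file():
            os.chmod(p, 0o444)
    return snap


def verify_snapshot(snap: Path) -> Dict[str, List[str]]:
    """Re-hash the snapshot and report files that differ from, are missing from,
    or were not present in the manifest."""
    expected = json.loads((snap / MANIFEST_NAME).read_text())
    actual = build_manifest(snap)
    return {
        "modified": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "unexpected": sorted(k for k in actual if k not in expected),
    }


if __name__ == "__main__":
    import sys
    # usage: python backup.py <source-dir> <backup-root>
    snapshot = backup_snapshot(Path(sys.argv[1]), Path(sys.argv[2]))
    print("snapshot written to", snapshot)
    print(verify_snapshot(snapshot))
```

The manifest lives inside the snapshot, so an attacker with write access to the backup location could rewrite both the files and the manifest; keep a copy of each manifest (it is small) somewhere the backup host cannot write, and run verify_snapshot() from there before relying on a restore.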


RESOURCES: 

The University is exploring affordable solutions to safeguard research data. Additional information and resource links will be added to this website when available. 

3. Use UVA-provided email and collaboration tools/services.

BENEFITS:

UVA-provided email and collaboration tools/services are protected by a host of security features and technologies that may not be provided by other products.

UVA contracts include provisions that establish the institution's ownership, protect the confidentiality of user information and stored data, and prohibit use of that information without UVA authorization.

Exclusively using UVA-provided email and collaboration tools/services for your UVA activities limits the applicability of the Virginia Freedom of Information Act and Public Records Act to those tools/services. UVA strongly encourages you not to co-mingle your personal and institutional activities in the same accounts, in order to assure the privacy of your personal information and records. 


RESOURCES:

  • Collaboration Tools - A listing of UVA-provided tools for different host and participant combinations. 
  • Sponsored Accounts - UVA computing accounts for people who are not UVA employees or students. These accounts can be provisioned with access to UVA IT resources and services (e.g., email, Office 365, or UVA Box). A sponsored account may also be required to access certain locally-managed (e.g., school or department) IT systems.
  • What to do if you receive a suspicious email - provides a list of common phishing emails and UVA reporting instructions.
  • Web application developers should use secure authentication mechanisms such as single sign-on (SSO).  NetBadge is the UVA-branded SSO service. 


ADDITIONAL INFORMATION:

Email remains the predominant method by which ransomware and other malware is introduced into the University environment. Using anything other than a virginia.edu account puts you at greater risk of a compromise. In addition, the providers of non-UVA email may reserve the right to scan all of your email, which breaches your privacy and may undermine intellectual property claims later.


4. Regularly reassess data access permissions.

BENEFITS:

Being clear about your expectations not only for data access but also future use of data when onboarding new team members or assembling a new project/study team will prevent (or at least minimize) misunderstandings and conflicts in the future. Be willing to reassess and revise if roles and responsibilities change over time.

Limiting access to active data to only those individuals who need it to perform their work/studies reduces the potential for data loss, theft or compromise.

Regularly reassessing access permissions allows you to consider any changes in the sensitivity and value of the aggregated data to which an individual has access. Also consider what type of access is appropriate (e.g., read-only vs. edit rights).

Moving data from an active to archive state when a study is complete is important to assuring data integrity.  


RESOURCES:

  • Consult with the LSP or system administrator who manages your data environment to design an architecture that appropriately balances your needs for safeguarding and collaboration; supports your data back-up policy/plan; and ensures that secure authentication mechanisms are in place to control access.
  • Contact the Office of the Vice President for Research prior to agreeing to release or transfer research data.


ADDITIONAL INFORMATION:

For fundamental research, restricting access to individuals actively working with the data is intended to limit the potential for inadvertent data loss or compromise and to improve accountability.  However, when research involves restricted or confidential data, limiting access may be required to assure compliance with laws, regulations, or contractual obligations.

The more people, particularly those not working on the specific research project, who have access, the more likely files are to be inappropriately moved, deleted, transferred, shared or altered; whether this is the result of an accident or of malicious activity, either has the potential to negatively impact the research and the researchers. 

In an academic environment, reviewing data sensitivity and access controls at the start of each semester may be a good cadence if that is when individuals typically join or leave your research group. 
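An access review of the kind described in practice 4 (remove access for people who have left or were never on the project, reduce rights that exceed what a role needs, and make archived studies read-only) is mechanical enough to script. The example below is added here and is not part of the original page or of any UVA tool; the roster, share names, roles and the ACL export format are all constructed for the illustration, and the "needs" column is an assumption you would replace with your own data-access expectations for each role.

```python
"""Semester access review for a research group's shared data (added example).

Given the current project roster and an ACL listing (as you might export from a
file share or a cloud folder), review_access() returns the entries a PI should
act on: identities not on the roster, appointments that have ended, rights
that exceed what the person's role needs, and write access to archived studies.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List

RANK = {"read": 1, "edit": 2, "owner": 3}   # higher number = more privilege


@dataclass(frozen=True)
class Member:
    user: str
    role: str            # e.g. "pi", "grad", "ra", "collaborator"
    needs: str           # highest permission this role requires: read | edit | owner
    active_until: date   # end of appointment or of the agreed collaboration


@dataclass(frozen=True)
class AclEntry:
    share: str           # e.g. "raw-data", "analysis", "study2019"
    user: str
    permission: str      # read | edit | owner


def review_access(roster: List[Member], acl: List[AclEntry], today: date,
                  archived: FrozenSet[str] = frozenset()) -> List[dict]:
    """Return findings sorted by share then user; each has a reason and an action."""
    members = {m.user: m for m in roster}
    findings = []

    def flag(e: AclEntry, reason: str, action: str) -> None:
        findings.append({"share": e.share, "user": e.user,
                         "permission": e.permission, "reason": reason, "action": action})

    for e in acl:
        m = members.get(e.user)
        if m is None:                                   # nobody vouches for this identity
            flag(e, "not on current roster", "remove")
        elif m.active_until < today:                    # roster says they have left
            flag(e, f"appointment ended {m.active_until.isoformat()}", "remove")
        elif e.share in archived and e.permission == "edit":
            flag(e, "share is archived; integrity requires read-only", "reduce to read")
        elif RANK[e.permission] > RANK[m.needs]:        # more rights than the role needs
            flag(e, f"role '{m.role}' needs {m.needs}", f"reduce to {m.needs}")
    return sorted(findings, key=lambda f: (f["share"], f["user"]))


def exposure_by_user(acl: List[AclEntry]) -> Dict[str, List[str]]:
    """Shares reachable per identity: the aggregate a PI should weigh when judging
    whether one person's combined access has become more sensitive than any single share."""
    out: Dict[str, set] = {}
    for e in acl:
        out.setdefault(e.user, set()).add(e.share)
    return {u: sorted(s) for u, s in out.items()}


# Constructed sample data for the illustration (not real accounts or shares).
ROSTER = [
    Member("alice", "pi", "owner", date(2030, 6, 30)),
    Member("bob", "grad", "edit", date(2026, 5, 15)),
    Member("carol", "ra", "read", date(2024, 8, 31)),       # appointment has ended
    Member("dan", "collaborator", "read", date(2027, 1, 1)),
]
ACL = [
    AclEntry("raw-data", "alice", "owner"),
    AclEntry("raw-data", "bob", "read"),
    AclEntry("raw-data", "carol", "edit"),
    AclEntry("raw-data", "erin", "edit"),                    # never on the roster
    AclEntry("analysis", "bob", "edit"),
    AclEntry("analysis", "dan", "edit"),                     # collaborator only needs read
    AclEntry("study2019", "alice", "owner"),
    AclEntry("study2019", "bob", "edit"),                    # study is archived
]
ARCHIVED = frozenset({"study2019"})
REVIEW_DATE = date(2025, 1, 15)

if __name__ == "__main__":
    for f in review_access(ROSTER, ACL, REVIEW_DATE, ARCHIVED):
        print(f"{f['share']:10} {f['user']:6} {f['permission']:5} -> {f['action']}: {f['reason']}")
    print(exposure_by_user(ACL))
```

Run it at the start of each semester against a fresh ACL export and a roster your administrative office confirms; the point of the roster's active_until field is that the review does not depend on someone remembering to tell you when a student graduates.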

The results of University research, as defined in University policy RES-006, Patenting of Discoveries or Inventions at the University (Patent Policy), belong to the University rather than the individual researcher(s) regardless of whether the research was supported by internal funds or sponsored programs. Transfers or releases of University research data should be effected through an agreement that specifies the parties' responsibilities and rights to the data going forward; this is typically done through a data use and transfer agreement executed by a contract negotiator in the Office of Sponsored Programs.


POSSIBLE FEDERAL REQUIREMENTS

Some contracts for federally-funded research & development or for access to certain Federal data/systems may mandate additional data safeguarding standards. The following are examples:

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

Minimum Security Controls

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

See the Controlled Unclassified Information (CUI) page of this website.

Cybersecurity Maturity Model Certification (CMMC) Levels 1-5

CMMC is a program being developed for use by the Department of Defense (DoD).  Additional information about the CMMC program, its rollout by DoD, and UVA's plans for CMMC compliance are available on the Controlled Unclassified Information (CUI) page.


CMMC LEVEL 1: BASIC CYBER HYGIENE

Level 1 focuses on the protection of Federal Contract Information and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems"). Note: 48 CFR 52.204-21 is a Federal Acquisition Regulation clause for use in contracts and may be used by any Federal agency, not just the DoD, but currently DoD is the only agency implementing CMMC.

The CMMC uses the term practices rather than security controls, but the requirements are the same. The only difference between the CMMC Level 1 practices and the FAR 52.204-21 security controls is that #9 is separated into 3 distinct practices; this results in 15 FAR controls and 17 CMMC Level 1 practices.  However, the CMMC Assessment Guide for Level 1 goes one step further in that it identifies specific assessment objectives for each practice that must be validated by an authorized external assessor in order to be certified.


CMMC LEVEL 2: GOOD CYBER HYGIENE (Protection of CUI, including DoD CTI/CDI)

Level 2 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171. Once CMMC is fully implemented, contractors will be required to have a CMMC Level 2 certification for their system, issued by a certified third-party assessment organization (C3PAO), prior to the issuance of any contract involving CUI.  Certifications must be renewed at least every three years. 

The CMMC Assessment Guide for Level 2 provides specific assessment objectives for each practice that must be validated by an authorized external assessor in order for the non-government information system to be certified.  These assessment objectives build and expand on those provided in NIST SP 800-171A.