Research Data Security

Properly protecting research data is a fundamental obligation that is grounded in the values of stewardship, data integrity, and honoring commitments to the providers and sources of the data.  It is also the responsibility of everyone involved in the development, proposal, conduct, administration/support, and reporting of research. Research data security is essential to the ongoing health of the research environment including, but not limited to, maintaining public trust in and support for research.

In an academic setting where the vast majority of research data is intended to be openly published it may seem counterintuitive to worry about data security; however, even when there is an intent to publish, it's still important to protect the integrity of the data, assure accessibility, and control access so the researchers who developed the idea, data, algorithm, methodology, hypothesis, model, analysis, etc. are the ones who decide what, when, how, and to whom it is released. With respect to sponsored research data, the data belongs to the institution (or in limited situations to the sponsor) with the Principal Investigator serving as the data custodian charged with making sure data is appropriately safeguarded and shared consistent with institutional policies, terms and conditions, and applicable laws/regulations.  

    Upcoming Federal Requirements (NSPM-33) for Grants

    Over the last several years all branches of the federal government have expressed growing concern regarding the safety and security of the US research enterprise and have taken a variety of steps to improve safeguarding (e.g., clarified investigator disclosure requirements, increased enforcement, increased threat communication, prohibited procurement from certain companies, modified contract clauses, etc.). 

    The initiative with the broadest impact was initiated by the release of the Presidential Memorandum on United states Government-Supported Research and Development National Security Policy (National Security Presidential Memorandum 33 (NSPM-33)) in January 2021. Concurrent with the release of NSPM-33 the White House Office of Science and Technology Policy (OSTP) released Recommended Practices for Strengthening the Security and Integrity of America's Science and Technology Research Enterprise which was broadly directed to the research community including, but not limited, institutions of higher education. In January 2022, OSTP released Guidance Implementing NSPM-33 to provide direction and specific recommendations to the federal research sponsoring agencies.

    Among the recommendations made to federal research sponsoring agencies was to create a common requirement that entities receiving >$50M annually in federal research assistance funding (grants and cooperative agreements) certify that they have a Research Security Program and recommended requiring the following four elements:

    1. Cybersecurity (identifies14 specific cybersecurity elements);
    2. Foreign travel security;
    3. Research security training; and 
    4. Export control training, as appropriate.

    The implementing guidance also recommends that compliance with the Research Security Program requirements be assessed as part of the single audit of Federal grant and assistance programs. UVA's single audit is performed by the Auditor of Public Accounts (APA) for the Commonwealth of Virginia as part of our annual institutional audit. 

    While the specific requirements and implementation timeline are not yet clear, we anticipate that the institutional certification statement will be finalized in 2022 with compliance required within one year of release. 

    Fundamental Research Data At Risk in Ransomware Attacks

    Think cybersecurity is only important for research data subject to privacy controls, confidentiality requirements, or US government access/dissemination controls? Think again!

    A ransomware attack that hit Michigan State University's physics and astronomy department left researchers without access to their research data; halted and delayed research programs; and in some cases, resulted in research data being unrecoverable.

    “In a ransomware attack, criminals encrypt a victim’s data in order to deny the victim the ability to carry out their business until they pay the ransom fee," said Von Welch, associate vice president for information security at Indiana University and director of Trusted CI. "The encrypted data are not necessarily valuable to the attackers. However, for researchers, loss of their data can mean lost productivity in terms of months or years.” 

    While MSU didn't pay the $6M ransom demand, it estimates the total cost of remediation for the incident at $1.09M. The costs included IT response and recovery, legal bills, as well as identity theft notification and mitigation measures for disclosure of personally identifiable data.

    For more information, check out the news article; watch the webinar from Trusted CI, the NSF Cybersecurity Center of Excellence; or read the report MSU made publicly available to warn the higher education community.  

    DOJ's Civil Cyber Fraud-Initiative

    On 10/6/2021, Deputy Attorney General Lisa O. Monaco announced the launch of a new Civil Cyber-Fraud Initiative to combat new and emerging cyber threats to the security of sensitive information and critical systems. The Initiative will utilize the False Claims Act to pursue cybersecurity related fraud by government contractors and grant recipients. The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations. The intent is to hold entities and individuals accountable for knowingly putting U.S. information or systems at risk by

    • providing deficient cybersecurity products or services,
    • misrepresenting their cybersecurity practices or protocols, or
    • violating obligations to monitor and report cybersecurity incidents and breaches

    The department will work closely on the Initiative with other federal agencies, subject matter experts and its law enforcement partners throughout the government. 

    Promoting Research Data Security at UVA

    The Vice President for Research has appointed a group to provide advice on research data security (RDS) issues; specifically, the group is tasked with 1) ongoing governance of the University's designated IT system for safeguarding controlled unclassified information (CUI); 2) monitoring evolving federal requirements and expectations; and 3) making recommendations on how to facilitate the conduct of University research in ways that effectively safeguard intellectual property and protect US national security.

    Contact Kelly Hochstetler, Director of Research Regulatory Affairs, for information about RDS, the advisory group, associated working groups, and ongoing activities related to upcoming federal requirements (e.g., Research Security Program and DOD's Cybersecurity Maturity Model Certification (CMMC) program for contracts).