What is UConn’s Secured Research Infrastructure (SRI)?
Federal government and Department of Defense research contracts that include the DFARS 252.204-7012 clause require compliance with the NIST SP 800-171 security controls to safeguard Controlled Unclassified Information (CUI). CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies, but that is not classified. NIST SP 800-171 applies to CUI shared by or through the federal government with a nonfederal entity; as a higher education institution, UConn is a nonfederal entity. The standard specifies 110 technical and operational controls, and ITS has made every effort to reduce the compliance effort required of the Principal Investigator (PI).
The Secured Research Infrastructure (SRI) was developed to meet the security control requirements while reducing the workload on the PI to the smallest amount practical without compromising compliance. The solution rests on three key design principles:
- The control requirements established by the NIST standard are complex, so it is impractical to implement unique controls for each project. Keeping the controls consistent across projects reduces the time needed to bring a new project into the environment and makes compliance easier to demonstrate.
- The system needs to give researchers the ability, whenever practical, to access and work with their data from anywhere, with the environment supported centrally.
- The security controls should be provided centrally. ITS has made significant investments in enterprise-level security infrastructure and operational processes that protect CUI with centrally supported tools offering more capability than can be provided locally.
Within the UConn Secured Research Infrastructure (SRI) network, the PI and their researchers access a virtual workstation remotely and can share data with others on the same research project. Remote access to the SRI is limited to a segmented, secure network reachable only through the VPN, and every login requires two-factor authentication provided by Duo. Together, the VPN and Duo support the NIST SP 800-171 remote-access and multifactor-authentication requirements (controls 3.1.12 through 3.1.15 and 3.5.3) and provide the protection needed to reach the SRI environment from outside the secured network.
Process for the Principal Investigator
The PI of the research project should have already met with a representative from OVPR’s Office of Sponsored Program Services and together determined that the research must comply with NIST SP 800-171 standards. In addition, the PI should have already met with a representative from OVPR’s Export Control office and completed a Technology Control Plan (TCP).
As part of this process, the SRI Intake Form should be completed and a meeting scheduled with the CISO (or a designated ITS-ISO representative).
NIST SP 800-171 Compliance Documentation
All compliance documentation related to the research project will be stored in a repository called the ‘NIST Binder.’ The binder lets University audit and compliance staff review a research project and its associated documentation in a single location. NIST SP 800-171 also requires periodic risk assessments (control 3.11.1); centralizing all project and technical documentation in the binder greatly reduces the work each assessment requires while demonstrating due diligence regarding the security of the environment.
The PI’s role is to keep the binder as current as possible. A PI should inform their system administrator and the CISO (or designated ITS-ISO representative) of any change to the system, for example installing new applications, new system requirements, or adding or removing access for research participants authorized in the TCP.
Roles and Responsibilities
Four roles were identified as the OVPR and the ITS-ISO worked through who is responsible for compliance. The individuals assigned to these roles will be documented in the NIST Binder.
- Information System Owner/Principal Investigator
- ITS Common Control Provider
- System Administrator
- Chief Information Security Officer
The Information System Owner/Principal Investigator, hereafter the PI, is a University official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. The information system owner is most likely the faculty member with primary responsibility for ensuring the project is completed, although the PI may appoint key staff who carry some of these responsibilities. PIs must adhere to the SRI PI Security Control Requirements & Checklist Summary.
The ITS Common Control Provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls. Specifically, this is any area within ITS that maintains a component of the Secured Research Infrastructure, such as the security office, server support, or desktop support.
The System Administrator is responsible for ensuring that the appropriate operational security posture is maintained for an information system and therefore works in close collaboration with the information system owner. Typically the System Administrator works for the School or College to which the PI and their team belong. This individual is identified when the compliance initiative begins and is documented in the NIST Binder.
The Chief Information Security Officer is the organizational official responsible for carrying out the Chief Information Officer’s security responsibilities under FISMA and serves as the primary liaison between the Chief Information Officer and the organization’s authorizing officials, information system owners, common control providers, and information system security officers.
NIST SP 800-171 Training Video
The UConn NIST SP 800-171 and security awareness training video provides a better understanding of the security controls required to meet the DFARS clause requirements.
Individuals identified on a research contract that carries the DFARS clause and who work with CUI or potential CUI will be sent an e-mail directing them to take the NIST 800-171 and security awareness training. This 30-minute online video course is required for NIST compliance. Log in with your UConn NetID username and password to complete the training: NIST 800-171 and Security Awareness Training. Once logged in, click Launch next to the course title to enroll and begin the training. The training must be completed within 30 days of the research contract award date.
Intake Form for PI
For an upcoming research project that will or may contain CUI under the DFARS clause, the PI should use the Intake Form to begin the process before the contract is awarded or upon award notification.
SRI IT Support
All DFARS clause research projects that contain or may contain CUI will have a designated technical representative or local system administrator to assist with the technical process.
Currently designated SRI and NIST SP 800-171 trained technical support include:
- Paul Majkut, CISSP, SRI Service Manager, ITS-Information Security Office (supports ITS)
- George Assard II, ETS Director, Engineering Technical Services (supports ETS: Electrical & Computer Engineering and the Biomedical Engineering Department; also supports CLAS Avery Point: Department of Marine Sciences)