WHAT: The Research Cybersecurity Baseline takes full advantage of the institutional resources established to support your work.

The Research Cybersecurity Baseline is comprised of basic practices you can implement to safeguard your research.  These practices are appropriate for "fundamental research". Restricted (i.e., non-fundamental) research will generally require additional safeguarding measures to comply with the specific standards specified by applicable laws, regulations, or contractual obligations established by sponsors, data sources, or other entities.

*The term "fundamental research" is used to refer to basic and applied research where there are no restrictions on your ability to disseminate/publish the results and no limitations are placed on who may be involved in the conduct of the research.

WHY:  Allows you to focus on those things that only you can do, your research and scholarship.

Even when you plan to publish all of your research results, it's important to protect them until you're ready to release them. Cumulatively, the data sets, techniques, software, analytical approaches, tools, methodologies, instruments, etc. that you've developed over the course of your career together form a unique resource that only you can bring to future research, providing an advantage you can leverage in future funding proposals.

WHO:  The Local Support Partners (LSPs) in your area should be your primary contacts.

If it's not something your LSP can provide or is outside of their expertise, they will be able to direct you to the appropriate department, school or institutional resources. If you don't know who your LSP is, ask your department, school or institute administrative office.

Baseline Practices

Use UVA owned and managed devices

Benefits

ITS Patch Management Service or HIT Desktop Management Service handles patching and updating your operating system(s) and supported software, including effective antivirus, antimalware and antispyware software.

Working with your local support partners (LSPs) and unit purchasing staff when buying technology helps prevent inadvertent purchases of equipment that cannot be purchased by, used for institutional work, or supported at UVA due to federal procurement prohibitions (e.g., Huawei and ZTE products or Kaspersky software). 

If you don't know your LSP(s), check the LSP Directory available from the LSP page of the ITS website.

Resources

  • See the Device Security page of the Information Security (InfoSec) website or consult a Local Support Partner (LSP) in your area for more information on securing your device and data.
  • FREE antivirus/antimalware/antispyware software Microsoft Defender for Endpoint (MDE) is provided by UVA if you aren't using a managed computer.
  • Federal prohibitions on the acquisition and use of devices, software and services are discussed in the "Prohibitions on Procurement (Federal Mandates)" section of Foreign Influence Best Practices page. A link to a list of prohibited manufacturers/suppliers is also provided.

Additional Information

Sponsored awards are made to the University, rather than directly to individual researchers, making the University ultimately responsible for assuring the security, integrity and appropriate accessibility of the resulting research data. A portion of the indirect (F&A) costs collected on sponsored programs is used to provide researchers with the IT hardware, software, and support services.

The results of University research, as defined in University policy RES-006, Patenting of Discoveries or Inventions at the University (Patent Policy), belong to the University rather than the individual researcher(s) regardless of whether or not the research was supported by internal funds or sponsored programs. As University property, research data should be collected, stored, processed and archived on UVA owned/managed devices, systems and services.

University research data (inputs or results) that have not been published/released, whether or not subject to regulatory or contractual confidentiality/privacy requirements, are "sensitive data" (at minimum) under University policy IRM-003, Data Protection of University Information, and must be protected from unauthorized access or release in accordance with the applicable University Data Protection Standard (UDPS).

Backup your data

Benefits

The simplest and most effective way to mitigate the threat of ransomware is to back up essential (e.g., source, primary or raw) data such that it is insulated from an attack on the device/system containing your active data.

Documenting your data storage strategy and backup policy and making sure everyone in your research team understands and follows the policy safeguards the data in case any individual device is lost, compromised, stolen or damaged. It also ensures that you retain access to the essential data for future use and to respond in the event of an allegation of research misconduct.

Resources

The University is exploring affordable solutions to safeguard research data. Additional information and resource links will be added to this website when available.

Use UVA-provided email and collaboration tools

Benefits

UVA-provided email and collaboration tools/services are protected by a host of security features and technologies that may not be provided by other products.

UVA contracts include provisions that establish the institution's ownership, protect the confidentiality user information and stored data, and prohibit their use without UVA authorization.

Exclusively using UVA-provided email and collaboration tools/services for you UVA activities limits the applicability of the Virginia Freedom of Information Act and Public Records Act to those tools/services. UVA strongly encourages you not to co-mingle your personal and institutional activities in the same accounts in order to assure the privacy of your personal information and records.

Resources

  • Collaboration Tools - A listing of UVA-provided tools for different host and participant combinations. 
  • Sponsored Accounts - UVA computing accounts for people who are not UVA employees or students. These accounts can be provisioned with access to UVA IT resources and services (e.g., email, Office 365, or UVA Box). A sponsored account may also be required to access certain locally-managed (e.g., school or department) IT systems.
  • What to do if you receive a suspicious email - provides a list of common phishing emails and UVA reporting instructions.
  • Web application developers should use secure authentication mechanisms such as single-sign-on (SSO).  NetBadge is the UVA branded SSO service. 

Additional Information

Email remains the predominant method by which ransomware and other malware is introduced into the University environment. Using anything other than a virginia.edu account puts you at greater risk of a compromise. In addition, non-UVA-provided email may have rights to scan all your emails, which breaches your privacy and may invalidate intellectual property claims later.

Regularly reassess data access permissions

Benefits

Being clear about your expectations not only for data access but also future use of data when onboarding new team members or assembling a new project/study team will prevent (or at least minimize) misunderstandings and conflicts in the future. Be willing to reassess and revise if roles and responsibilities change over time.

Limiting access to active data to only those individual who need it to perform their work/studies reduces the potential for data loss, theft or compromise.

Regularly reassessing access permissions allows you to consider any changes in the sensitivity and value of the aggregated data to which an individual has access. Also consider what type of access is appropriate (e.g., read-only vs. edit rights).

Moving data from an active to archive state when a study is complete is important to assuring data integrity.  


Resources

  • Consult with the LSP or system administrator who manages your data environment to design an architecture that appropriately balances your needs for safeguarding and collaboration; supports your data back-up policy/plan; and uses secure authentication mechanisms are in place to control access.
  • Contact the Office of the Vice President for Research prior to agreeing to release or transfer research data.

Additional Information

For fundamental research, restricting access to individuals actively working with the data is intended to limit the potential for inadvertent data loss or compromise and to improve accountability.  However, when research involves restricted or confidential data limiting access may be required to assure compliance with laws, regulations, or contractual obligations.

The more people, particularly those not working on the specific research project, who have access the more likely files are to be inappropriately moved, deleted, transferred, shared or altered; while this may be the result of an accident or malicious activity, either has the potential to negatively impact the research and researchers.

In an academic environment, reviewing data sensitivity and access controls at the start of each semester may be a good cadence if that is when individuals typically join or leave your research group.

The results of University research, as defined in University policy RES-006, Patenting of Discoveries or Inventions at the University (Patent Policy), belong to the University rather than the individual researcher(s) regardless of whether or not the research was supported by internal funds or sponsored programs. Transfers or releases of University research data require an associated agreement that specifies the parties responsibilities and rights to the data; this is typically done through a data use and transfer agreement executed by a contract negotiator in the Office of Sponsored Programs.

Federal Requirements

Some contracts for federally-funded research & development or for access to certain Federal data/systems may mandate additional data safeguarding standards. The following are examples:

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems

Minimum Security Controls

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

See the Controlled Unclassified Information (CUI) page of this website.

Cybersecurity Maturity Model Certification (CMMC) Levels 1-5

CMMC is a program being developed for use by the Department of Defense (DoD).  Additional information about the CMMC program, it's rollout by DoD, and UVA's plans for CMMC compliance are available on the Controlled Unclassified Information (CUI) page.

 

CMMC LEVEL 1: BASIC CYBER HYGIENE

Level 1 focuses on the protection of Federal Contract Information and consists of only practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 ("Basic Safeguarding of Covered Contractor Information Systems"). Note: 48 CFR 52.204-21 is a Federal Acquisition Regulation clause for use in contracts and may be used by any Federal agency, not just the DoD, but currently DoD is the only agency implementing CMMC.

The CMMC uses the term practices rather than security controls, but the requirements are the same. The only difference between CMMC Level 1 practices from the FAR 52.204-21 security controls is that #9 is separated into 3 distinct controls; this results in 15 FAR controls and 17 CMMC Level 1 practices.  However, the CMMC Assessment Guide for Level 1 goes one step further in that it identifies specific assessment objectives for each practice that must be validated by an authorized external assessor in order to be certified.

 

CMMC LEVEL 2: GOOD CYBER HYGIENE (Protection of CUI, including DoD CTI/CDI)

Level 2 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171. Once CMMC is fully implemented, contractors will be required to have a CMMC Level 2 certification or their system issued by a certified third-party assessment organizations (C3PAO) prior the issuance of any contract involving CUI.  Certifications must be renewed at least every three years. 

The CMMC Assessment Guide for Level 2 provides specific assessment objectives for each practice that must be validated by an authorized external assessor in order for the non-government information system to be certified.  These assessment objectives build and expand on those provided in NIST SP 800-171A.