In federal grants, contracts, and subcontracts that involve sensitive data, including personally identifiable information, the Department of Defense (DOD) and certain other agencies now require institutional certifications that the institution’s electronic systems comply with National Institute of Standards and Technology (NIST) SP 800-171 (“NIST 800”) for the protection of electronic systems storing Controlled Unclassified Information (CUI). SPARC and Rice’s Information Security Office (ISO) are working together to incorporate procedures addressing NIST 800 requirements into proposal and award processing.
SPARC will process an award only once SPARC confirms with ISO that an IT Security Management Plan has been completed. This can be a time-consuming process, so it is best to start early, plan ahead, and seek guidance from SPARC and ISO.
For questions, contact:
Melissa Gambling, Associate Director for Research Compliance, firstname.lastname@example.org, x3884
Barry Ribbeck at the Information Security Office, email@example.com, x4012 (include “CUI” in the subject line)
What is CUI?
CUI is non-classified information (i.e. information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the government) that requires safeguarding or dissemination controls compliant with law, regulations, and government-wide policies.
There are 23 categories and 84 subcategories of CUI. Categories relevant to research universities include:
What is NIST 800?
NIST 800 is a codification of the requirements that any non-Federal computer system must follow in order to store, process, or transmit CUI or provide security protection for such systems. NIST 800 compliance is currently required by some DOD contracts via DFARS clause 252.204-7012.
What does NIST SP 800-171 require?
There are over 100 mandatory controls, grouped into families including access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
These controls may require the PI and his/her research team to implement an IT Security Plan with the following protections:
What does an IT security plan look like?
Each IT Security Plan is tailored to the particular research project, so the final draft may be longer than this 20-page template.
Why is this important?
How do I know if research involves CUI and is subject to NIST 800?
Here are three ways to know if these requirements apply:
SPARC will be reviewing proposals and awards for these references. However, if a proposal requires submission of a CUI Risk Mitigation Plan, please contact SPARC (firstname.lastname@example.org) or ISO (email@example.com; include “CUI” in the subject line) as soon as possible to ensure this document is completed before the proposal deadline.
What is the process here at Rice?
1. PROPOSAL STAGE
2. AWARD STAGE