Click to edit Master title style - Harvard University · Click to edit Master subtitle style...

6/12/2017

Facilitators

Alicia Turner, Business Relationship Manager, UFIT, University of Florida, aliciatu@ufl.edu

Stephanie Gray, Assistant Vice President & Director, Division of Sponsored Programs, University of Florida, [email protected]


Page 2

Agenda

• Framing the problem

• Regulations

• IT Standards

• Operations

• Key Takeaways

Framing the problem

Page 3

Part 1: Regulations

Regulatory Environment

• Law

– Some apply to agencies: FISMA

– Some apply to everyone but only on certain data types: HIPAA, FERPA, ITAR/EAR

• Contract

– 32 CFR 2002 “applies only to executive branch agencies, but that, in written agreements (including contracts, grants, licenses, certificates, and other agreements) that involve CUI, agencies must include provisions that require the non-executive branch entity to handle the CUI in accordance with this rule.”

– DFAR 252.204-7012

– Other T&C requirements

• IT Standards/Controls

– NIST

– Local IT policy/guidelines

Page 4

Poll Question:

What is your current level of readiness/awareness in implementing CUI controls?

1. Already have a solution

2. Believe we’ll have a solution by December 31, 2017

3. Believe we’ll have a solution, but not until 2018

4. Don’t believe we’ll ever have a solution

5. Not sure, just here to learn

Relevant Examples: Laws vs Contract Terms

Acronym | Regulation Title | Covers
ITAR | International Traffic in Arms (22 CFR 120-130) | Controls export and import of defense-related articles/services on the United States Munitions List (USML)
HIPAA | Health Insurance Portability and Accountability Act | Sets boundaries on the use and release of health records, and establishes safeguards to protect the privacy of personal health information (PHI).
FISMA 2002 & FISMA 2014 | Federal Information Security Management (Modernization) Act | Requires consistent standards to protect federal information and federal information systems
HITECH | Health Information Technology for Economic and Clinical Health Act | Promotes the adoption and meaningful use of health information technology, aka electronic medical record (EMR) or electronic health records (EHR)
DFAR 252.204-7012 | Safeguarding of Unclassified Controlled Technical Information | Required safeguards for Covered Defense Information (CDI) and Cyber Incident Reporting; NIST 800-171 applies; safeguards required by Dec 2017
FAR 52.204-21 | Basic Safeguarding of Contractor Information Systems | Required safeguards for information systems owned or operated by a contractor that processes, stores, or transmits federal information
32 CFR 2002 | Controlled Unclassified Information | Required safeguards for federal information & systems: describes, defines, and provides guidance on the minimum protections for CUI

Page 5

32 CFR 2002 – CUI: What is it?

§ 2002.4(h) “Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government…CUI does not include classified information…or information a nonexecutive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”

§ 2002.12 CUI categories and subcategories. “(a) …CUI categories and subcategories are the exclusive designations…Agencies may not implement safeguarding or dissemination controls for any unclassified information other than those controls permitted by the CUI Program.”

Preamble: “Information that non-executive branch entities generate themselves and that they do not create, collect, or possess for the Federal Government by definition does not constitute Federal CUI, nor would it fall within the provisions of a contract or information sharing agreement covering CUI.”

32 CFR 2002 – CUI: When does it apply?

§ 2002.1(f) “…This part does not apply directly to non-executive branch entities, but it does apply indirectly to non-executive branch CUI recipients, through incorporation into agreements”

Preamble: “…contracts or solicitations for projects in which CUI will not be involved should not include requirements for handling CUI. This will be handled through the FAR case and other contracting practices, rather than through this regulation. If a contractor feels CUI requirements are included erroneously, they may object through normal contracting channels.”

Page 6

32 CFR 2002 – CUI: When does it apply?

§ 2002.4(hh) “On behalf of an agency occurs when a non-executive branch entity uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting Federal information, and those activities are not incidental to providing a service or product to the Government.”

§ 2002.16 Accessing and disseminating. (a)(5) Agreements. “Agencies should enter into agreements with any nonexecutive branch or foreign entity with which the agency shares or intends to share CUI…(iv) Pre-existing agreements. When an agency entered into an information sharing agreement prior to November 14, 2016, the agency should modify any terms in that agreement.”

32 CFR 2002 – CUI: What safeguards are required?

• § 2002.14 Safeguarding. (a) General Safeguarding Policy

– (3) Agencies may increase CUI Basic’s confidentiality impact level above moderate only…by means of agreements with agencies or nonexecutive branch …Agencies may not otherwise require controls for CUI Basic at a level higher than permitted in the CUI Basic requirements when disseminating the CUI Basic outside the agency.

– (4)(b)(1) CUI Basic – all information in the registry

– (4)(b)(2) CUI Specified – listed in the registry with reference to applicable laws (e.g. ITAR)

Page 7

32 CFR 2002 – CUI: What safeguards are required?

§ 2002.14 Safeguarding. (c) Protecting CUI …

(1) Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments;

(2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;

(3) Keep CUI under the authorized holder’s direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and

(4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800–53 (incorporated by reference, see § 2002.2), and paragraph (g) of this section.

(h) Information Systems (2) ...When a nonexecutive branch entity receives Federal information only incidental to providing a service or product to the Government other than processing services, its information systems are not considered Federal information systems. NIST SP 800–171 …defines the requirements necessary to protect CUI Basic.

Part 2: IT Standards

Page 8

Understanding FISMA vs NIST

• FISMA gives the National Institute of Standards and Technology (NIST) statutory responsibility to establish non-product-specific guidelines and standards that ensure a reasonable level of security in government systems

• The term “FISMA compliance” is often used to describe the process organizations go through to implement the NIST standards and guidelines

NIST Standards & Guidelines

• NIST special publications

– 800-53: security and privacy controls for federal information systems

– 800-171: protecting CUI in non federal information systems

– 800-37: applying the risk management framework to federal information systems

– 800-65: integrating IT security into capital planning and investment control process

• NIST Federal Information Processing Standards (FIPS)

– FIPS 197: Advanced Encryption Standard

– FIPS 199: Standards for Security Categorization

– FIPS 200: Minimum Security Requirements for Federal Information & Info Systems

Page 9

Local IT Policy, Standards & Guidelines

• UF Information Security Policies – examples:

– Mobile Computing and Storage Devices

– Data Classification

– Authentication Management

– Risk Management

• UF Information Security related standards – examples:

– Password complexity standard

– Data classification guidelines

– Risk assessment standard

– Data security standard

Regulations, laws and contract terms are not information security guidelines

Compliance with IT security guidelines does not mean security

Information SECURITY

Page 10

Part 3: Operations

Governance

Policies and decisions

• Technical owner

• Business owner

• Build or buy (cloud)

• Risk tolerance (i.e. who’s in/out?)

• Cost model

• Institutional policies (i.e. mandated use)

Key stakeholders

• Faculty

• Vice President for Research

• Director of Sponsored Programs

• Chief Information Officer

• Chief Information Security Officer

• Research Computing Director

• Chief Privacy Officer

• General Counsel

Page 11

Managing Risks & Costs

NIST SP 800-65: “…once all corrective action dollars have been expended, the remaining corrective actions are still prioritized according to cost and impact criteria. Therefore, they can be addressed in order of priority during the subsequent budget cycle.”

Just like any other business or contract decision: who determines the level of implementation risk the institution is willing to accept?

Controls: Interpretation & Implementation

Physical Protection Family (800-171)

Basic Security Requirements:

• 3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

• 3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.

Derived Security Requirements:

• 3.10.3 Escort visitors and monitor visitor activity.

• 3.10.4 Maintain audit logs of physical access.

• 3.10.5 Control and manage physical access devices.

• 3.10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).

Page 12

UF Process: identify & onboard

• How do you identify all research data that needs to be controlled?

• Research Administrators and Contracts

• Other “Triggers”

o IRB

o Export Review

o ISM (Department Information Security Managers)

• How do you prioritize onboarding and track progress?

• Governance team sets priorities

o Size of award

o Risk of data loss

o Others?

• Internal tracking systems

UF Solutions: one size does not fit all

Research Shield: compliant solution for research projects with complex collaborations and data processing

Pros:

- Pre-assessed environment speeds up review/onboarding

- Low cost to researcher due to institutional subsidy

- Available now for projects of any size/complexity

Cons:

- Onboarding can take 1 – 4 months depending on complexity

Research Vault: compliant solution for research projects that only need to work with software/data storage/data processing

Pros:

- Pre-assessed environment speeds up review/onboarding

- Low cost to researcher due to institutional subsidy

- Available now for projects with single user and software only

Cons:

- External devices or equipment cannot be used with ResVault

- Complex collaborations or shared databases not supported until fall 2017

Pre-Built Computer Images: install pre-built configuration in a secure network environment

Pros:

- Pre-assessed environment speeds up review/onboarding

- Low cost, about the price of a new computer/laptop

- Supports all special requirements, external devices

- Local IT installs images and supports the machine

Cons:

- Pre-built images and secure network not available until fall 2017

Custom built computing environment

Pros:

- Custom build supports all special requirements, external devices, etc.

- Local IT maintains and controls the environment

Cons:

- Requires full risk assessment, approx. 1 – 6 months

- High cost since building from scratch

Page 13

UF solutions: cost rate

Solutions | Processor Core (RNCU) | Replicated Storage (RRSU) | User Fees
Research Shield | $300 per RNCU: one (1) priority dedicated CPU core configured with 4 GB of RAM; approximately 3 GB per core usable by the software application | $1,400 per RRSU: one (1) TB of storage capacity (not use) with replication and tape backup; the second TB (for the replicated copy) is included | $152 per user: covers software license fees
Research Vault | $300 per RNCU: one (1) priority dedicated CPU core configured with 4 GB of RAM; approximately 3 GB per core usable by the software application | $1,400 per RRSU: one (1) TB of storage capacity (not use) with replication and tape backup; the second TB (for the replicated copy) is included | $152 per user: covers software license fees

• For more information: https://www.rc.ufl.edu/services/rates/hardware-purchases/

• Additional notes

– Cost for pre-configured desktop images is very low, about the price of a new desktop or laptop

– Custom built solutions are very expensive, as you must build from scratch

– Recent estimate from a FedRAMP certified vendor: $27,000/month

Key Takeaways

• It’s a big investment

• Landscape is always changing…who decides?

• Business owners must guide risk decisions alongside IT

• Design business process effectively when triggers tripped

– How can you ensure faculty can continue to do work with least administrative burden?