
Secured Research Computing Standards

Overview

In today’s evolving research landscape, safeguarding sensitive data is more critical than ever. Researchers who are granted access to federal data are responsible for actively protecting it: implementing security controls, staying informed, and upholding strict standards to ensure compliance and confidentiality.

This page outlines key frameworks and regulations that guide secure research practices and support responsible data stewardship.

The Cybersecurity Maturity Model Certification (CMMC) is a framework developed by the U.S. Department of Defense (DoD) to better protect sensitive unclassified information within the Defense Industrial Base. It aligns with existing DoD cybersecurity requirements and introduces a tiered model that mandates progressively advanced cybersecurity practices based on the sensitivity of the information handled.

CMMC assessments verify that Universities meet these standards, particularly for safeguarding Federal Contract Information and Controlled Unclassified Information. Compliance with specific CMMC levels is required as a condition for DoD contract awards, ensuring that cybersecurity is integrated into the defense supply chain.

Learn more at: https://dodcio.defense.gov/CMMC/About/ 

NIST Special Publication 800-171 provides a standardized set of requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Developed by the National Institute of Standards and Technology (NIST), this security framework is essential for Universities working with the Department of Defense (DoD), the National Institutes of Health (NIH), NASA, and other federal or state agencies.

The publication outlines 14 families of security requirements—ranging from access control to incident response—that Universities must implement to ensure the confidentiality of CUI. Compliance with NIST SP 800-171 is mandated by the Defense Federal Acquisition Regulation Supplement clause 252.204-7012, making it a critical component for maintaining eligibility for federal contracts.

Learn more at: https://www.nist.gov/blogs/manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-it-0 

DFARS Clause 252.204-7012 requires DoD contractors to safeguard Covered Defense Information using security controls from NIST SP 800-171 and to report cyber incidents within 72 hours. Additionally, contractors must retain incident data for analysis and ensure subcontractors comply with the same requirements.

Learn more at: https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting 

Controlled Unclassified Information (CUI) refers to sensitive information that requires safeguarding or dissemination controls but is not classified under federal law. It includes data such as technical drawings, research data, or proprietary information shared with or generated for the federal government. The CUI program, established by Executive Order 13556, standardizes how executive branch agencies and their contractors handle this type of information to ensure consistent protection across organizations and systems.

The International Traffic in Arms Regulations (ITAR) is a set of U.S. government regulations administered by the Department of State that controls the export and import of defense-related articles and services listed on the United States Munitions List.

ITAR aims to safeguard U.S. national security and foreign policy interests by ensuring that sensitive defense technologies are not transferred to foreign entities without proper authorization. Universities involved in manufacturing, exporting, or brokering defense articles or services must register with the Directorate of Defense Trade Controls and comply with strict licensing and reporting requirements.

Learn more at: https://www.pmddtc.state.gov/ddtc_public/ddtc_public?id=ddtc_kb_article_page&sys_id=4f06583fdb78d300d0a370131f961913

Bulk data refers to large-scale collections of sensitive personal or government-related information that, when aggregated, can pose significant national security risks if accessed by foreign adversaries. The U.S. Department of Justice has implemented regulations to restrict or prohibit certain data transactions involving bulk sensitive personal data—such as biometric, genomic, financial, and precise geolocation data—especially when these transactions involve entities from designated “countries of concern”. These rules aim to prevent the exploitation of Americans’ data for espionage, blackmail, or other malicious activities.

Bulk Data Thresholds Table:

The DOJ’s final rule outlines specific thresholds that define when data qualifies as “bulk” and subject to regulation. These thresholds vary by data type and are generally based on the number of U.S. persons or devices involved in a transaction.

Data Category                              | Bulk Threshold
-------------------------------------------|--------------------------------------
Human Genomic Data                         | 100 U.S. persons
Other Human 'Omic Data (e.g., proteomic)   | 1,000 U.S. persons
Biometric Identifiers                      | 1,000 U.S. persons
Precise Geolocation Data                   | 1,000 U.S. devices
Personal Health Data                       | 10,000 U.S. persons
Personal Financial Data                    | 10,000 U.S. persons
Covered Personal Identifiers               | 100,000 U.S. persons
Mixed Data Types                           | Meets the lowest threshold in dataset

Learn more at: https://www.justice.gov/archives/opa/media/1382526/dl 

Controlled access data at the NIH refers to sensitive datasets—often involving human genomic or health-related information—that require special authorization for use due to privacy, ethical, or legal considerations. These datasets are typically stored in NIH-supported repositories such as dbGaP, BioData Catalyst, and the Genomic Data Commons.

Researchers must apply for access through a formal Data Access Request process and agree to specific terms outlined in a Data Use Certification. As of January 25, 2025, all users and repositories must comply with updated NIH Security Best Practices, which include enhanced data protection standards and responsibilities for safeguarding participant privacy.

Learn more at: https://sharing.nih.gov/sites/default/files/flmngr/NIH_Best_Practices_for_Controlled-Access_Data_Subject_to_the_NIH_GDS_Policy.pdf

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide initiative that standardizes the security assessment, authorization, and continuous monitoring of cloud services used by federal agencies and their contractors. Its goal is to ensure that cloud technologies meet federal cybersecurity requirements, enabling agencies to adopt secure, modern solutions while protecting federal data.

Learn more at: https://www.gsa.gov/technology/government-it-initiatives/fedramp 

Last Updated: 8/14/25