BU Information Security Update on Federal Research Requirements for Cyber and Data Security
As a researcher, you may have noticed an increase in what your sponsors and data providers are requiring in terms of cyber and data security assurances. BU Information Security, BU Sponsored Programs (SP), and BU Industry Engagement are here to help! Our goal is to reduce your security and compliance burdens, letting you do what you do best: groundbreaking research.
We have seen a significant increase in the number of federal agencies, including the Department of Defense (DOD) and the National Institutes of Health (NIH), requiring compliance with the National Institute of Standards and Technology (NIST, nist.gov) Special Publications 800-53 or 800-171, or announcing their intent to do so in the near future. The DOD is now starting to require compliance with the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. If a research project requires “CMMC Level 2” compliance, that is analogous to NIST 800-171 with an added requirement for an external audit.
How do I know if this applies to me?
These requirements may be clearly stated in a proposal solicitation or award agreement, but sometimes they may be obscured behind seemingly innocuous phrases such as “Defense Federal Acquisition Regulation Supplement (DFARS)” or “Federal Risk and Authorization Management Program (FedRAMP).” BU SP Pre-Award can help review proposal solicitations for this language. If you see this kind of language in a solicitation or proposal guidelines, think it might apply, or are unsure, additional conversations are needed to determine whether your computing environment will meet the sponsor requirements. Please reach out to your SP Pre-Award Officer or BU Information Security at buinfosec@bu.edu.
If you require a Data Use Agreement associated with your proposal or existing grant, please reach out to the BU Industry contracting team at industry@bu.edu. For more guidance on Data Use Agreements, please follow this link: https://www.bu.edu/research/collaboration-partnership/industry-collaboration/data-use-agreements-duas/
If these new requirements do apply to me, what do I have to do?
The Boston University technology environment is designed to facilitate easy collaboration and sharing and does not broadly comply with these new requirements, but we do have a solution for you! We have partnered with Sherlock Cloud Solutions & Services (“Sherlock”), a part of the San Diego Supercomputer Center at the University of California, San Diego, to provide a compliant solution. We will require the use of this solution until we can meet these requirements using our own resources. This solution is not without costs, but we are here to support you! For assistance in estimating costs, please reach out to BU Information Security at buinfosec@bu.edu.