Data Security

Overview 

Certain grants and contracts may have additional requirements for data security.  FAQs for specialized data security requirements can be found below for the following:

  • FISMA - The Federal Information Security Management Act
  • CUI - Controlled Unclassified Information
  • GDPR - General Data Protection Regulation

What is FISMA?

  • FISMA is a law which provides protection for federal information systems against natural, man-made, or system-generated threats
  • FISMA is different from standard data security controls in that it requires additional controls for which we have a specialized environment.
  • Each federal agency, vendor, or contractor must develop, document, and implement an institution-wide program to provide information security for the information systems that support the operations and assets of the institution, contractors, or other sources.
  • NIST provides guidance for FISMA compliance via its Special Publications (SP) 800 series.

What is CUI?

  • Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
  • Executive Order 13556 establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
  • The Order standardizes the way in which departments and agencies handle unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies.
  • Successful implementation of this Order by agencies will enhance the efficient and effective management, control, and sharing of CUI and further the administration’s goals of openness and uniformity of government practices.

What is GDPR?

  • The General Data Protection Regulation (GDPR) is a new regulation affecting the European Economic Area (EEA), which includes all European Union (EU) countries and non-EU countries Iceland, Liechtenstein and Norway. Effective May 25, 2018, the GDPR is designed to harmonize data privacy laws across Europe and imposes stringent data protection requirements on entities, including those based outside of the EU, that process “personal data” of individuals in the EEA. It doesn’t apply to the processing of personal data of deceased persons or of legal entities.
  • GDPR defines “personal data’’ broadly to include:
    • “[A]ny information relating to an identified or identifiable natural person (“data subject”).”
    • “An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.’’