FISMA Principal Investigator Requirements (.pptx)
FISMA Deliverables (.docx)
FISMA Information Sheet (.docx)
The following is a summary of the risks and implications associated with the failure to comply with cyber and IT requirements that may be applicable to your contract.
Limited Dissemination Control
No foreign dissemination
Information may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-US citizens.
Federal Employees Only
Dissemination authorized only to (1) employees of United States Government Executive branch departments and agencies (as agency is defined in 5 U.S.C. 105), or (2) armed forces personnel of the United States or Active Guard and Reserve (as defined in 10 USC 101).
Federal Employees and Contractors Only
Dissemination authorized only to (1) employees of United States Government Executive branch departments and agencies (as agency is defined in 5 U.S.C. 105), (2) armed forces personnel of the United States or Active Guard and Reserve (as defined in 10 USC 101), or (3) individuals or employers who enter into a contract with the United States (any department or agency) to perform a specific job, supply labor and materials, or for the sale of products and services, so long as dissemination is in furtherance of that contractual purpose.
No dissemination to Contractors
No dissemination authorized to individuals or employers who enter into a contract with the United States (any department or agency) to perform a specific job, supply labor and materials, or for the sale of products and services. Note: This dissemination control is intended for use when dissemination is not permitted to federal contractors, but permits dissemination to State, local, or tribal employees.
Dissemination List Controlled
Dissemination authorized only to those individuals, organizations, or entities included on an accompanying dissemination list. Note: Use of this limited dissemination control supersedes other limited dissemination controls, but cannot supersede dissemination stipulated in federal law, regulation, or Government-wide policy.
Authorized for release to certain nationals only
Information has been predetermined by the designating agency to be releasable or has been released only to the foreign country(ies)/international organization(s) indicated, through established foreign disclosure procedures and channels. It is NOFORN to all foreign country(ies)/international organization(s) not indicated in the REL TO marking. Note: See list of approved country codes for use with REL TO here. USA must always appear first when using REL TO followed by additional permitted trigraph country codes in alphabetical order.
REL TO [USA, LIST] - see list
Information is authorized for disclosure to a foreign recipient, but without providing the foreign recipient with a physical copy for retention, regardless of medium to the foreign country(ies)/international organization(s) indicated, through established foreign disclosure procedures and channels.
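The REL TO marking rule above (USA first, then the remaining trigraph country codes in alphabetical order) is mechanical enough to check automatically. The validator below is an added example and is not code from the original page or from any agency; it assumes a trigraph is three uppercase letters and that a code should not repeat, and it does not check codes against the approved country list, since that list is linked from the page rather than reproduced on it. The sample markings are constructed for illustration.

```python
import re
from typing import List

# Constructed sample markings (not taken from the original page).
EXAMPLE_MARKINGS = [
    "REL TO USA, CAN, GBR",   # well-formed
    "REL TO USA, GBR, CAN",   # codes after USA not alphabetical
    "REL TO CAN, USA",        # USA not first
    "REL TO USA, CAN, CAN",   # duplicate code (assumed disallowed)
    "REL TO USA, UK",         # 'UK' is not a trigraph (assumed format)
]

# Assumption: an approved country code is a three-letter uppercase trigraph.
_TRIGRAPH = re.compile(r"^[A-Z]{3}$")


def parse_rel_to(marking: str) -> List[str]:
    """Split a 'REL TO' marking into its list of codes.

    Accepts both 'REL TO USA, CAN' and the bracketed placeholder form
    'REL TO [USA, LIST]' shown on the page. Raises ValueError when the
    'REL TO' prefix is missing.
    """
    prefix = "REL TO"
    text = marking.strip()
    if not text.upper().startswith(prefix):
        raise ValueError("marking does not begin with 'REL TO'")
    body = text[len(prefix):].strip().strip("[]")
    return [part.strip() for part in body.split(",") if part.strip()]


def check_rel_to(marking: str) -> List[str]:
    """Return the list of rule violations for a marking (empty means well-formed).

    Rules taken from the page: USA must appear first, and the codes that
    follow must be in alphabetical order. Rules assumed here: each code is a
    three-letter uppercase trigraph and no code appears twice. Membership in
    the approved-country list is deliberately not checked.
    """
    try:
        codes = parse_rel_to(marking)
    except ValueError as err:
        return [str(err)]
    if not codes:
        return ["no country codes present"]

    problems: List[str] = []
    for code in codes:
        if not _TRIGRAPH.match(code):
            problems.append(f"'{code}' is not a three-letter uppercase trigraph")
    if codes[0] != "USA":
        problems.append("USA must appear first")
    # Only the codes after a leading USA are subject to the alphabetical rule.
    rest = codes[1:] if codes[0] == "USA" else codes
    if rest != sorted(rest):
        problems.append("codes after USA must be in alphabetical order")
    duplicates = sorted({c for c in codes if codes.count(c) > 1})
    if duplicates:
        problems.append("duplicate codes: " + ", ".join(duplicates))
    return problems


if __name__ == "__main__":
    for m in EXAMPLE_MARKINGS:
        issues = check_rel_to(m)
        print(f"{m!r}: {'OK' if not issues else '; '.join(issues)}")
```

Running the script prints one line per sample marking with either "OK" or the violations found. A check like this belongs at the point where a marking is applied or a document is released, so that an out-of-order or malformed REL TO line is caught before the document leaves the authorized holder's control.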
(1) Establish controlled environments in which to protect CUI from unauthorized access;
(2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;
(3) Keep CUI under the authorized holder’s direct control or protect it with at least one physical barrier; and
(4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements
(1) May use the United States Postal Service or any commercial delivery service when they need to transport or deliver CUI to another entity;
(2) Should use in-transit automated tracking and accountability tools when they send CUI;
(3) May use interoffice or interagency mail systems to transport CUI; and
(4) Must mark packages that contain CUI according to marking requirements
(1) May reproduce (e.g., copy, scan, print, electronically duplicate) CUI in furtherance of a lawful Government purpose; and
(2) Must ensure, when reproducing CUI documents on equipment such as printers, copiers, scanners, or fax machines, that the equipment does not retain data or the agency must otherwise sanitize it
(1) Authorized holders may destroy CUI when: (i) The agency no longer needs the information; and (ii) Records disposition schedules published or approved by NARA allow.
(2) When destroying CUI, including in electronic form, agencies must do so in a manner that makes it unreadable, indecipherable, and irrecoverable. Agencies must use any destruction method specifically required by law, regulation, or Government-wide policy for that CUI.
CUI Computing Security Plan Template 180105 (.doc)
CUI SBAR FINAL (.docx)
The General Data Protection Regulation (GDPR) is a new regulation affecting the European Economic Area (EEA), which includes all European Union (EU) countries and non-EU countries Iceland, Liechtenstein and Norway. Effective May 25, 2018, the GDPR is designed to harmonize data privacy laws across Europe and imposes stringent data protection requirements on entities, including those based outside of the EU, that process “personal data” of individuals in the EEA. It doesn’t apply to the processing of personal data of deceased persons or of legal entities.
GDPR grants a number of rights to people whose personal data is collected, stored, or “processed” by people or organizations, including:
In order to ensure those rights are upheld, users of personal data that is protected by the GDPR may be required to do the following.
Compliance with GDPR is overseen by Data Protection Authorities (DPA) in the EU member states. DPAs have investigative and corrective powers related to the application of the data protection law.
It depends on the project.
Notify IT Security, the Privacy Office, and the CTSI Office of Sponsored Programs as early as possible so that we can evaluate the specific needs for your study and work with any collaborators or sponsors on the most appropriate agreements. Contact information is below.
The regulation requires implementation of appropriate technical and organizational measures which are designed to protect data from unauthorized access or disclosure; and that only the minimum quantity of personal data are processed for each authorized purpose.
European Commission: 2018 reform of EU data protection rules