Compliance is rapidly emerging as a major challenge for IT organizations supporting research, particularly those with little or no prior experience with regulated data. Research environments within and outside academia are suddenly finding themselves head to head with cybersecurity and privacy requirements such as HIPAA, DFARS, CMMC, FISMA, and GDPR. CACR specializes in cybersecurity and compliance in such environments, and offers its expertise, guidance, and consulting to research organizations, including IU.
CACR has over a decade of experience with regulated data, gained by helping University Information Technology Services (UITS), Indiana University's central IT organization, secure protected health information (PHI). UITS began facing HIPAA in 2007, when a growing need for data storage, analysis, and management began pushing clinical researchers toward central research systems. Anticipating this trend and the resulting need for compliance, IU launched an effort to make its central research cyberinfrastructure HIPAA-compliant. This early and unique exposure to a federal regulation affecting research, together with the experience gained since, led CACR to develop and implement a NIST standards-based, comprehensive, flexible, and reusable cybersecurity risk management framework (RMF) at IU. The RMF is security-centric: compliance follows as a natural by-product of good security rather than being an end in itself, which avoids the checkbox pitfall. As new systems are added, the RMF expands, making the institution more secure and compliance easier for subsequent systems. CACR has aligned more than fifty IU central systems with HIPAA using this approach, beginning with research systems and later adding enterprise systems.
Supporting Indiana University
IU has a substantial clinical footprint. Its School of Medicine, second largest in the US, and the Schools of Optometry, Nursing, Public Health, and Speech and Hearing comprise thousands of faculty, staff, and students. Clinical researchers in these Schools use a number of technology services UITS provides. CACR ensures that these services meet the HIPAA Security Rule requirements. The CACR RMF for HIPAA includes institutional governance, NIST 800-53 controls, risk assessment and response, awareness and training, and annual reviews. CACR leverages the RMF in a manner that not only serves UITS but also other units on campus. CACR has developed custom documentation templates for both UITS and departmental IT units and research groups that utilize UITS systems to make it easier to join the RMF. CACR additionally provides HIPAA assistance, consulting, and training to UITS and helps IU researchers tackle cybersecurity and compliance through a new service called SecureMyResearch. CACR is also playing a key role in devising an institutional strategy for recent and future compliance regimes such as DFARS/CUI and CMMC.
CACR has provided regulated data resources and assisted numerous research and academic institutions with compliance over the years. National organizations that leverage or have leveraged CACR's regulated data expertise include Trusted CI, where CACR provides regulated data training and assistance to NSF-funded institutions and projects, and the Coalition for Advanced Scientific Computation (CASC), where CACR played a key role in the formation of a Regulated Data Working Group to address the growing need for compliance. CACR is also a regular presence at national conferences such as the American Medical Center (AMC) Conference on Privacy and Security and the NSF Cybersecurity Summit.
Regulated Data Resources
- Documentation Templates and Instructions - To help document compliance (system, software, controls, and risk), CACR provides a collection of FISMA-derived templates with in-line instructions and example text that can be used to address multiple compliance regimes simultaneously.
- Analysis of the Cybersecurity Maturity Model Certification (CMMC) - A CACR synopsis (May 2020) and analysis of the new DOD compliance regime to be included in future DOD contracts.
- HigherEdCUI Slack Channel (subscription link) - A place for the research community to share information and discuss DOD-related compliance (DFARS, CUI, CMMC).
- NIST SP 800-171 and its potential impact on NSF science - A Trusted CI blog post.
- Regulated Data Security and Privacy: DFARS/CUI, HIPAA, FISMA, and GDPR - PowerPoint presentation from a half-day tutorial at the 2019 NSF Cybersecurity Summit covering the regulations and strategies for compliance.
- Setting up a Compliance Program for CUI - PowerPoint presentation from a half-day tutorial at the 2019 NSF Cybersecurity Summit about how to handle CUI in a research environment, with worksheets.
- Trusted CI Compliance Programs Site - A collection of Trusted CI webinar presentations on how various institutions are handling compliance, plus other sources.
- HHS HIPAA Site - The primary HIPAA site managed by the Dept. of Health and Human Services.
- DFARS 252.204-7012 - The Defense Federal Acquisition Regulation Supplement required for DOD contractors with CUI.
- CUI Registry Site - Defines different categories of Controlled Unclassified Information.
- DOD CMMC Site - Provides documents defining CMMC and other information.
- CMMC Accreditation Body (AB) Site - Information about how CMMC will be implemented.
- GDPR Site - Provides information about the EU General Data Protection Regulation to protect privacy.
- DHS FISMA Site - The main FISMA site managed by the Dept. of Homeland Security.
- NIST Special Publications 800 Site - Including SP 800-53, 800-171, 800-66, etc.
- HIPAA Security Risk Assessment Tool - Spreadsheets from the Office of the National Coordinator for Health IT with questions for each HIPAA Security Rule requirement, used to document risk and remediation.
- NIST HIPAA Security Rule Toolkit - (Now defunct) Java-based tool that asked a thousand questions and exported a document with the answers.
Please email firstname.lastname@example.org for help or more information.