University Times

Perhaps some people ignore any mention of FISMA as just one of many acronyms in government and academic shorthand. But Pitt researchers cannot ignore FISMA and its implications for their proposals and for the sustainability of their research.

The Federal Information Security Management Act protects sensitive data and information systems engaged with those sensitive data.

Why should Pitt researchers care?

FISMA requirements could pass from the federal government to the University when researchers hold grants or contracts with certain federal agencies, such as the National Science Foundation (NSF) or National Institutes of Health (NIH). The requirements apply to information used, created or stored as part of research projects — and to the information systems holding or shaping that data.

Pitt’s ability to provide a FISMA-compliant environment to support research projects is a distinct advantage for faculty submitting competitive funding proposals. Pitt’s FISMA environment contains a well-defined security perimeter and computing resources that support projects up to the “moderate security” category level.

That competitive edge is the positive reason for caring about FISMA and about Pitt’s ability to provide researchers with a FISMA environment for their projects.

On the cautionary side, compliance with federal law is mandatory. Failure to meet FISMA compliance requirements after an award has been accepted could lead to contract termination and revocation of funds (best case scenario) or criminal penalties (worst case scenario).

While CSSD has prepared a secure environment for hosting research projects that need FISMA infrastructures, researchers ultimately are responsible for their projects’ compliance with the federal law.

Pitt’s FISMA environment

Complying with FISMA requirements is not easy. A recent review of federal agencies’ compliance showed that while some agencies, such as the Nuclear Regulatory Commission, achieved scores of 99 percent, others scored below 66 percent.

The Pitt FISMA environment helps University researchers comply with the law’s requirements by providing a research computing environment developed to protect sensitive research data. CSSD followed the detailed certification and accreditation process required by federal law to establish a minimum set of security controls. Each project hosted in the FISMA environment will undergo annual audits by CSSD security, and will be subject to periodic audits by external reviewers. We now are formally and officially prepared to host research projects needing FISMA infrastructures.

All data in the Pitt FISMA environment is encrypted, and the entire environment is monitored for compliance with various security controls. The Pitt FISMA environment provides the policies, procedures and administrative support that are required in the FISMA certification process.

Because this has been done — by CSSD, as a centralized University service — individual researchers or research groups do not have to invest their own energy, effort and capital into the most stringently detailed steps of the certification process and auditing procedures.

Researchers are responsible for securing the applications involved in their projects. In consultation with CSSD, controls and policies also will need to be put in place at workstations involved in the research project.

The NOC

The physical environment hosting the largest portion of the Pitt FISMA environment is at the Network Operations Center (NOC), a secure 15,000 square foot facility located off-campus. In addition to managing and monitoring centralized servers for University-wide applications, the NOC also hosts servers for departments and for research computing, including high-performance computing.

Servers hosted at the NOC receive skilled on-site and round-the-clock monitoring, management and security for their services and their data.

In addition to network security, the NOC has strict controls in place to keep data safe.

Does your proposal or award involve FISMA requirements?

You are responsible for reviewing the language of the proposal or award for potential FISMA requirements, but the Office of Research and CSSD’s security team can help you.

You also should work with the Office of Research to review contracts coming up for renewal or modification, since existing federal research awards may have FISMA language added.

Sometimes the FISMA requirement is explicitly stated, often with wording to the effect that a System Security Plan (SSP) or, for NIH, an IT Security Plan, is required. Other times, the references are less obvious.

If you see any security language in your research award or RFP, you should contact your federal contracts officer or grants and contracts officer in the Office of Research.

If the Office of Research confirms that the security requirements apply, the first step is to reach out to CSSD’s security team by placing a help ticket online (http://technology.pitt.edu/helprequest/) or by calling the Technology Help Desk at 412/624-HELP. Ask for a “data evaluation for security purposes.”

The security team will schedule a meeting with you to begin work on a security assessment. If FISMA does apply, you will be going through a much-abbreviated form of the law’s certification and accreditation process and, working with CSSD, will draft a department-specific security plan that defines your department’s responsibilities to safeguard the data.

Costs are involved. The cost to the project will depend on a range of factors, including the current security status of the project and the number of people involved with its secure information.

Talk to us

Meeting FISMA regulations involves both human and technical factors. Many different FISMA-regulated research projects will take place within the broader Pitt FISMA environment, and customizing that environment to meet the specific security needs of a project involves an ongoing series of consultations between the research team and the CSSD security team.

Please contact me at sweeney2@pitt.edu with any questions about FISMA or how its requirements may apply to your research project and its data sets.

Sean Sweeney is the University’s information security officer.