Data security requirements

Allocate funds for data security in research proposals

Sponsors are imposing increasingly stringent requirements to ensure the security of project data and the information technology (IT) systems used in their funded projects. These requirements most often appear in federal government contracts. The cost of meeting them can be significant.

Importance of anticipating data security costs

If not budgeted as part of the original proposal, sponsor security requirements may result in either of the following:

• Award being turned down outright
• Unwelcome cost-sharing commitment

To avoid these situations, please review any RFP you are working on for language that refers to specific laws, regulations, security frameworks and/or security standards.

If you suspect that any such law, regulation, or sponsor policy will apply to your award, do not submit your proposal until you have consulted with the ORSO contracts manager.

Only submit once you are certain that your unit can comply with the security standards that may be imposed by the sponsor or you have requested sufficient funding in your budget to account for the cost of compliance.

Who to contact for help

If you come across terms related to specific laws, regulations, security frameworks/standards, please contact:

Krista Cole
Contracts manager, WSU Office of Research Support and Operations (ORSO)
krista.cole1@wsu.edu

Krista will coordinate efforts between ORSO, your unit, the appropriate WSU information security professional, and potentially the sponsor.

Partial list of data security laws and regulations

A non-comprehensive list of relevant laws and regulations is supplied below. In addition, sponsors may have their own security requirements that are unrelated to law or regulation.

Laws, regulations, executive orders and programs

• Federal Information Security Modernization Act of 2014 (pdf) (FISMA)
• Executive Order 13556, Controlled Unclassified Information (CUI)
• Federal Risk and Authorization Management Program (FedRAMP)
• The National Archives and Record Administration (NARA) final rule on Controlled Unclassified Information (pdf) (CUI) – (81 FR 63324, September 14, 2016)
• ISO/IEC 27000-series (also known as the ISMS Family of Standards or ISO27k)

National Institute of Standards and Technology publications

• Special Publication 800-171, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations (pdf)
• Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations (pdf)
• Federal Information Processing Standard Publication 199 (FIPS-199), Standards for Security Categorization of Federal Information and Information Systems (pdf)
• Federal Information Processing Standard Publication 200 (FIPS-200), Minimum Security Requirements for Federal Information and Information (pdf)

Federal Acquisition Regulations (FAR)

52.204-21, Basic Safeguarding of Covered Contractor Information Systems

Defense Federal Acquisition Regulations Supplement (DFARS)

• 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
• 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
• 252.239-7999 Cloud Computing Services (DEVIATION 2015-O0011) (February 2015)

Health and Human Services Acquisition Regulation (HHSAR)

352.239-70 through 352.239-73, Standard for Security Configurations, Standard for Encryption Language, Security Requirements for Federal Information Technology Resources, Electronic and Information Technology Accessibility (pdf)