You are here
External Funding and Information Security Requirements - FISMA
If you suspect any one of the above terms will apply to your resulting award, do not submit your proposal until you have consulted with FISMA Help (Research.Information.Secu
Sponsors, particularly the Federal government, are imposing increasingly stringent requirements in an effort to ensure the security of project data and the Information Technology (IT) systems used in their funded projects. These requirements most often appear in Federal contracts, and the cost of meeting them can be significant. If not budgeted as part of the original proposal, these sponsor security requirements may result in (1) an award being turned down outright, or (2) an unwelcome cost-sharing commitment.
To avoid these situations, please be sure to review any RFP you are working on for language that refers to specific laws, regulations, security frameworks and/or security standards such as those listed below. Also note, that sponsors may also have their own security requirements that are unrelated to law or regulation. A non-comprehensive list of laws/regulations includes:
Laws, Regulations, Executive Orders, and Programs
-
ISO/IEC 27000-series (ISMS Family of Standards/ISO27k)
-
Federal Information Security Modernization Act of 2014 (FISMA)
-
Executive Order 13556, Controlled Unclassified Information (CUI)
NIST Publications
Federal Acquisition Regulations (FAR)
Defense Federal Acquisition Regulations Supplement (DFARS)
-
252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
-
252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
-
252.239-7999 Cloud Computing Services (DEVIATION 2015-O0011) (February 2015)
Health and Human Services Acquisition Regulation (HHSAR)
Questions?
The appearance of any one of the terms listed above is a red flag that should compel you to contact the Research Information Security liaison in the U-M Office of Research (OVPR) at Research.Information.Security@umich.edu or 734-764-7248. Efforts will be coordinated between the Office of Research and Sponsored Projects (ORSP), your unit, the appropriate U-M information security professional, and potentially the sponsor.
Only submit once you are certain that your unit can comply with the security standards that may be imposed by the sponsor or you have requested sufficient funding in your budget to account for the cost of compliance.