Information Security Requirements
Sponsors may include strict information security requirements to protect the data and systems used in funded projects. Find out what to watch for in solicitations and who to consult.
Sponsors are imposing increasingly stringent requirements in an effort to ensure the security of project data and the IT systems used in their funded projects. These requirements, such as those mandated by the Federal Information Security Modernization Act (FISMA), most often appear in federal contracts, and the cost of meeting them can be significant. If not budgeted as part of the original proposal, sponsor security requirements may result in an award being turned down outright or an unwelcome cost-sharing commitment.
Tips for proposals
Carefully review solicitations to check for sponsor requirements around information security. Check for language that refers to specific laws, regulations, security frameworks and/or security standards such as those listed below. Note also that sponsors may have their own security requirements that are unrelated to these laws or regulations.
If any of these terms apply, contact a research information security liaison in the U-M Office of the Vice President for Research at [email protected] before submitting the proposal. Efforts will be coordinated between the Office of Research and Sponsored Projects, the unit, the appropriate U-M information security professionals and potentially the sponsor.
Only submit the proposal after ensuring that the project can meet the security standards imposed by the sponsor and that the budget sufficiently accounts for the cost of compliance.
Information security regulations
A non-comprehensive list of laws/regulations includes:
Federal laws, regulations, executive orders, and programs
- ISO/IEC 27000-series (ISMS Family of Standards/ISO27k)
- Federal Information Security Modernization Act of 2014 (FISMA)
- Executive Order 13556, Controlled Unclassified Information (CUI)
- Federal Risk and Authorization Management Program (FedRAMP)
- 32 CFR 2002, Controlled Unclassified Information
NIST Publications
- Special Publication 800-171, Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations
- Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- Federal Information Processing Standard Publication 199 (FIPS-199), Standards for Security Categorization of Federal Information and Information Systems
- Federal Information Processing Standard Publication 200 (FIPS-200), Minimum Security Requirements for Federal Information and Information Systems
Federal Acquisition Regulations (FAR)
Defense Federal Acquisition Regulations Supplement (DFARS)
- 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
- 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
- 252.239-7999 Cloud Computing Services (DEVIATION 2015-O0011) (February 2015)
Health and Human Services Acquisition Regulation (HHSAR)