Research Security

Research Security Resources

OIT’s Research Information Assurance Team works to secure research data across campus. You play a role in protecting our research. Review the resources below.

DoD CUI Minimum Security Standard

Apply these additional controls when working with DoD CUI (Department of Defense Controlled Unclassified Information) on UARC (UA Research Cloud).

  • All data must be encrypted with AES 256.
  • If portable storage devices must be used, they must be approved Apricorn Aegis drives with FIPS 140-2 level 2 validated hardware encryption modules. Contact security@ua.edu for assistance purchasing these drives.
  • Digital and non-digital media must be securely destroyed or sanitized prior to disposal. For digital media sanitization and destruction, contact security@ua.edu. Non-digital media must be destroyed by crosscut shredding or incineration.
  • All digital media must be encrypted in transit using TLS 1.2 or higher, or via SFTP using AES 256 and SHA-2.
  • Only store or process DoD CUI on approved UARC systems.
  • Personal devices may not be connected to UARC and may not be used to store or process DoD CUI.
  • Mobile devices, such as phones or laptops, may not be connected to UARC.
  • Only individuals authorized by ORSEC or OIT Security may access UARC systems or data.
  • DoD CUI may not be posted or processed on publicly accessible information systems.
  • All physical and digital media containing CUI must be marked according to DoD standards.
  • Use cover sheets to protect CUI documents while in use.
  • CUI must always be kept under the direct control of an authorized holder, and must be protected by at least one physical barrier, such as a locked desk drawer, file cabinet, or safe, when not in use or left unattended.
  • Any visitors to areas containing CUI must be escorted at all times and each researcher is responsible for maintaining a sign-in sheet to track visitor activity.
  • When being transported, CUI must always be kept under direct control and protected by at least one physical barrier. Do not view CUI in public. Contact security@ua.edu for guidance.
  • Software not managed by Intune must be configured to update automatically or be updated according to the Patch Schedule.
  • Networked collaboration devices, such as whiteboards, videoconferencing systems, etc., may not be used on the CUI network or with CUI data.

OIT may report an incident to the sponsoring agency and suspend access to systems or accounts if this standard is not met.

Change Management Procedure

All changes to the environment must be submitted to OIT Security for review and security impact analysis at least one week prior to the change. Approval from the CISO or ISSM is required before a change can be made. Emergency changes with less than one week's notice require CISO approval. The change management tracking sheet is available in the GCCH & Azure Gov Project Team -> Files -> Change Management.

Only individuals authorized by the CISO or ISSM may perform changes or maintenance activities.

Vulnerability Management

All UARC devices must have the Tenable.io agent installed and be configured to scan for vulnerabilities weekly. Critical findings must be remediated within 24 hours. All others must be remediated within 14 days.

Security Control Assessment and Risk Assessment

Security controls and risks are to be assessed at least annually. Deficiencies should be recorded in a plan of action and be addressed in a timely manner. Any critical findings must be addressed within 24 hours.

Annual Training and Account Management

Annually, by January 31st, all users and administrators must complete the training below and submit training certificates to the CISO or ISSM.

Users who do not submit training certificates by 11:59 p.m. on January 31st will have their accounts locked until they provide them.

Users who have not logged in to their accounts for one year will also be locked out on February 1.