National Security Presidential Memorandum (NSPM)-33 Directive to Federal Agencies
Federal agencies should require the following from research organizations:
- Provide regular cybersecurity awareness training for authorized users of information systems, including in recognizing and responding to social engineering threats and cyber breaches.
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control any non-public information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
UM's Implementation
For researchers, it is essential to uphold strong cybersecurity practices and grasp the appropriate security level to safeguard their research.
UM’s Information Security Office (ISO) protects the confidentiality, integrity, and availability of the University's data and information systems by providing proactive security expertise, creating and maintaining a resilient and secure infrastructure and fostering a culture of security awareness and compliance.
Training: UM Cybersecurity Awareness and Training
Resources:
NSPM-33 Directive to Federal Agencies
Federal agencies should require the following from research organizations:
- Maintain international travel policies for faculty and staff traveling for organization business, teaching, conference attendance, research purposes, or any offers of sponsored travel that would put a person at risk.
- Foreign Travel Security Training: Each Covered Institution must certify it provides periodic foreign travel security training to "Covered Individuals" engaged in international travel for business, teaching, conferences, or research. This training must begin within one year after a federal agency provides a "foreign travel security training resource," and then at least once every six years.
- Foreign Travel Reporting Program: Covered Institutions must implement a travel reporting program that includes an organizational record of international travel for covered individuals participating in R&D awards when a federal research agency determines security risks warrant travel reporting per the award terms.
The reporting program requirement applies to persons who (a) meet the definition of “Covered Individual”; and (b) are participating in an R&D award that the federal research agency has determined presents security risks that warrant travel reporting and includes this requirement in the award terms.
UM's Implementation
Before embarking on foreign travel, researchers should examine the following resources and policies to prevent data loss or theft and ascertain whether any documents or licenses are necessary.
Resources:
NSPM-33 Directive to Federal Agencies
Agencies should mandate that research organizations include training for relevant personnel on research security threat awareness and identification as part of their research security programs. This training should cover insider threat awareness where applicable. Additionally, research organizations should integrate pertinent aspects of research security into existing training programs focused on responsible and ethical research conduct for both faculty and students. In the event of a research security incident, tailored training sessions should be conducted.
UM's Implementation
Research security training is a critical component in safeguarding our institution's intellectual property, ensuring compliance with regulations, and maintaining the integrity of our research endeavors.
By administering this training through the UDisclose System, we aim to streamline the process, reducing the administrative burden on our faculty, researchers, and staff. This centralized approach not only fosters a more efficient and user-friendly experience but also ensures that UM’s Covered Persons are adequately informed and equipped to address security concerns. Ultimately, this initiative supports our commitment to excellence and innovation in research by protecting our valuable resources and intellectual contributions.
UM’s Research Security training is accessed on the 1st page of a user’s Disclosure Profile smart form in the UDisclose System along with the annual training on UM’s COI Policy.
Resources:
The National Science Foundation (NSF) offers four interactive online research security training modules designed to help researchers and institutions safeguard the integrity of their work. This modular training, available here, is intended to enhance awareness and to provide recipients of federal research funding with online training on the existing and emerging risks and threats to the global research ecosystem — and the knowledge and resources necessary to protect against such risks and threats.
NSPM-33 Directive to Federal Agencies
Agencies should mandate that research organizations engaged in R&D subject to export control restrictions provide training to relevant personnel. This training should cover the requirements and procedures for evaluating foreign sponsors, collaborators, and partnerships, as well as ensuring adherence to Federal export control requirements and restricted entities lists.
UM's Implementation
The University of Miami engages in targeted research to propel knowledge forward, enrich student learning encounters, and bolster its standing within scientific and technical circles. Simultaneously, the university adheres to the principles of free inquiry and open knowledge exchange. However, it remains vigilant about federal laws and regulations that oversee the exchange of research materials and results subject to export controls.
UM’s Export Control Compliance Policy
Resources:
UM Contacts regarding Export Control:
