Research Cybersecurity
Cybersecurity Governance and Compliance
Rutgers’ Research Security Program provides guidance on complying with key sector-specific data protection regulations to safeguard sensitive research data. HIPAA protects health-related research by securing patient information, GLBA governs the handling of financial data such as student aid records, and PCI-DSS ensures the secure processing of payment card information in research transactions. These frameworks collectively support a robust cybersecurity posture, aligning with federal mandates like NSPM-33 and the CHIPS and Science Act, and reinforcing the integrity, confidentiality, and legal compliance of research activities.
This page exists for the purpose of educating researchers and stakeholders and serves as an informational repository on applicable frameworks and their requirements for the University.
Key Elements and Compliance Requirements
NSPM-33 (National Security Presidential Memorandum 33), issued on January 14, 2022, outlines cybersecurity expectations for research security programs, directing agencies to ensure that research organizations implement fundamental safeguarding protocols and procedures to meet these requirements.
Agencies should require that research organizations satisfy the cybersecurity element of the research security program requirement by applying the following basic safeguarding protocols and procedures. (The information below was taken from the section Research Security Programs, subsection 6: Ensuring that cybersecurity elements of research security programs meet the objectives of the requirement.)
Basic Safeguarding Protocols and Procedures
- Provide regular cybersecurity awareness training for authorized users of information systems, including recognizing and responding to social engineering threats and cyber breaches.
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control any non-public information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Provide protection of scientific data from ransomware and other data integrity attack mechanisms.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
CHIPS and Science Act: Protection of federally funded research and intellectual property (IP)
The CHIPS and Science Act requires:
- Researchers on federal research awards to complete annual research security training. (Section 10634)
- Researchers to certify at the time of proposal submission and annually during the duration of an award that they are not part of a malign foreign talent recruitment program. (Section 10632)
- Institutions to certify that researchers are aware of the prohibition of participating in malign foreign talent recruitment programs. (Section 10634)
Refer to this link for more information:
Frequently Asked Questions: CHIPS R&D Research Security and Technology Protection
Cybersecurity Policies and Frameworks
NIST IR 8484 (Safeguarding International Science: Research Security Framework)
This framework provides guidelines on how an organization must integrate information technology (IT) security system elements, including cybersecurity. Implementing both cybersecurity and IT security best practices creates a risk-balanced approach to determining logical access to science and research information resources, as well as how and when that access is managed.
Examples of IT non-intrusive countermeasures include:
- Limit the use of personally owned devices on the host organization’s network to internet use only with no connection to internal organization systems
- Monitor remote access to an organization’s network [e.g., User Activity Monitoring (UAM)]
- Recognize the sensitivity of data and restrict proprietary information to authorized networks and personnel only
- Meet IT-applicable export control requirements (EAR)
NIST SP 800-171
NIST SP 800-171 is a foundational cybersecurity framework that helps research institutions protect Controlled Unclassified Information (CUI) in non-federal systems. It plays a key role in meeting federal mandates such as NSPM-33 (National Security Presidential Memorandum 33) and the CHIPS and Science Act, both of which emphasize the need for strong cybersecurity in federally funded research.
This framework outlines 14 control families that address critical areas such as access control, incident response, system integrity, audit and accountability, and configuration management. These controls are designed to ensure the confidentiality, integrity, and availability of sensitive research data.
By implementing NIST 800-171, research institutions can meet federal cybersecurity requirements, protect sensitive data from cyber threats and foreign interference, and demonstrate due diligence in their research security practices. The framework also offers practical benefits: it prepares institutions for federal audits and reviews, supports eligibility for Department of Defense and other federal research grants, and reduces the risk of data breaches and reputational harm.
The NIST Cybersecurity Framework (CSF) 2.0
NSPM-33 mandates that federally funded research institutions implement robust cybersecurity practices to protect research integrity, prevent unauthorized access, and manage insider threats. The NIST Cybersecurity Framework (CSF) 2.0 provides a flexible, outcome-based structure that aligns well with these goals.
CSF 2.0 is organized into six core functions—Govern, Identify, Protect, Detect, Respond, and Recover.
- Govern cybersecurity strategy by establishing roles, responsibilities, policies, and oversight mechanisms that ensure institutional accountability and alignment with legal and regulatory requirements.
- Identify critical research assets and assess vulnerabilities.
- Protect sensitive data through access controls, encryption, and secure configurations.
- Detect anomalies and unauthorized access using tools like User Activity Monitoring (UAM).
- Respond to incidents with defined protocols to preserve research continuity.
- Recover from disruptions while maintaining compliance and minimizing data loss.
This framework supports the development of a Research Security Program that meets NSPM-33’s call for basic safeguarding protocols, such as logical access control, export control compliance, and protection of proprietary information. It also integrates well with other NIST resources like SP 800-171 and IR 8484, which are referenced in federal guidance for research security.
Rutgers Policy Library
How the Rutgers Policy Library Supports NSPM-33 Compliance
- Centralized Governance and Transparency
The Rutgers Policy Library offers a structured and searchable platform for accessing official university policies, including those related to research, cybersecurity, data protection, and compliance. This transparency supports NSPM-33’s emphasis on institutional accountability and standardized research security practices.
- Research-Specific Policies
The Research Policies and Regulations (Policy 10.1.8) outline Rutgers’ commitment to conducting research in compliance with federal and state laws, including cybersecurity and export control requirements. These policies address areas such as:
- Human subjects protection
- Data privacy and proprietary information
- Use of computer services and equipment
- Classified and sensitive research
- Post-award compliance and monitoring
- Cybersecurity and IT Governance
While specific cybersecurity policies may be housed under IT or compliance sections, the Policy Library ensures that all relevant stakeholders—from researchers to administrators—can access and adhere to protocols that support secure research environments, as required by NSPM-33.
- Policy Development and Maintenance
The Policy Library is maintained by University Ethics & Compliance (UEC), which ensures that policies are regularly updated to reflect evolving federal requirements, including those from the White House Office of Science and Technology Policy (OSTP) and the CHIPS and Science Act.