Research Cybersecurity
Cybersecurity Governance and Compliance
Rutgers University has compiled a Research Security Program to enable the secure receipt, exchange and collaboration of data related to research initiatives here at the university and beyond. Below you will find reference material to assist with meeting compliance requirements based upon various roles and responsibilities. For assistance, be sure to contact us with any questions or concerns.
What are the next steps?
Your role (as a researcher, faculty, or staff) is to adhere to university policies and federal mandates to protect sensitive research data.
- Implement Safeguards: Apply fundamental protocols to protect your research and data. This includes participating in required training and following data protection regulations found in NSPM-33 publications.
- Training: Complete mandatory training like the Research Security Awareness Training Program and any other required courses provided by the Office of Research.
As departmental leaders, investigators, and supervisors, you are responsible for ensuring that your teams and research groups are compliant with all relevant policies and training requirements.
- Compliance Oversight: Ensure your team members comply with the cybersecurity elements of research security programs.
- Training Requests: Submit requests for research security training for all employees in your unit who handle specific research data.
As local IT technical teams, you are responsible for the following.
- Review Requirements: As a member of a technical team, you should review regulatory recommendations to understand the controls needed to meet these requirements. Work with the Information Security Office (ISO) Compliance Team who can provide guidance on the controls needed to meet regulatory requirements.
- Implement Safeguards: Implement controls that follow those recommendations. The guidance provides examples, such as limiting system access to authorized users and protecting scientific data from cyber threats, but you should follow the specific recommendations that apply to your regulatory requirements.
Where can I get help?
Your role (as a researcher, faculty, or staff) is to adhere to university policies and federal mandates to protect sensitive research data. If you have any questions, information and resources are available to assist you. Please refer to the contact details below.
- University Ethics and Compliance: For questions about ethics and conflicts of interest, contact the University Ethics & Compliance (UEC) office at ethics@uec.rutgers.edu
- Office for Research: For research-related questions, contact the Research Integrity department at the Rutgers Office for Research at researchintegrity@research.rutgers.edu
- Information Security Office: For Cybersecurity and Information Security questions, contact the Information Security Office at info_security@oit.rutgers.edu
For guided help, learn about the Central Offices and the Rutgers Office for Research and its affiliated departments below.
- Central Offices: The Rutgers Research Security Program, under the Office for Research, provides guidance on complying with data protection regulations. The Information Security Office Compliance team, along with UEC and the University Policy Manager, maintains official university policies in the Rutgers Policy Library and updates them to reflect evolving federal requirements from sources like the CHIPS and Science Act.
- Rutgers Office for Research: This office and its affiliated departments provide the central policies, but it is the responsibility of the investigator, department, or school to ensure personnel complete the required training and implement necessary safeguarding procedures.
- Centralized Governance and Transparency: The Rutgers Policy Library offers a structured and searchable platform for accessing official university policies, including those related to research, cybersecurity, data protection, and compliance. This transparency supports NSPM-33’s emphasis on institutional accountability and standardized research security practices.
- Research-Specific Policies: The Research Policies and Regulations (Policy 10.1.8) outline Rutgers’ commitment to conducting research in compliance with federal and state laws, including cybersecurity and export control requirements. These policies address areas such as:
  - Human subjects protection
  - Data privacy and proprietary information
  - Use of computer services and equipment
  - Classified and sensitive research
  - Post-award compliance and monitoring
- Cybersecurity and IT Governance: While specific cybersecurity policies may be housed under IT or compliance sections, the Policy Library ensures that all relevant stakeholders, from researchers to administrators, can access and adhere to protocols that support secure research environments, as required by NSPM-33.
- Policy Development and Maintenance: The Policy Library is maintained by University Ethics & Compliance (UEC), which ensures that policies are regularly updated to reflect evolving federal requirements, including those from the White House Office of Science and Technology Policy (OSTP) and the CHIPS and Science Act.
Resources
Cybersecurity Policies and Frameworks
NIST IR 8484 (Safeguarding International Science: Research Security Framework) provides guidelines on how an organization should integrate information technology (IT) security system elements, including cybersecurity. Implementing both cybersecurity and IT security best practices creates a risk-balanced approach for determining logical access to science and research information resources, as well as how and when that access is managed.
Examples of IT non-intrusive countermeasures include:
- Limit the use of personally owned devices on the host organization’s network to internet use only with no connection to internal organization systems
- Monitor remote access to an organization’s network [e.g., User Activity Monitoring (UAM)]
- Recognize the sensitivity of data and restrict proprietary information to authorized networks and personnel only
- Meet IT-applicable export control requirements (EAR)
NIST SP 800-171 is a foundational cybersecurity framework that helps research institutions protect Controlled Unclassified Information (CUI) in non-federal systems. It plays a key role in meeting federal mandates such as NSPM-33 (National Security Presidential Memorandum 33) and the CHIPS and Science Act, both of which emphasize the need for strong cybersecurity in federally funded research.
This framework outlines 14 control families that address critical areas such as access control, incident response, system integrity, audit and accountability, and configuration management. These controls are designed to ensure the confidentiality, integrity, and availability of sensitive research data.
By implementing NIST 800-171, research institutions can meet federal cybersecurity requirements, protect sensitive data from cyber threats and foreign interference, and demonstrate due diligence in their research security practices. The framework also offers practical benefits: it prepares institutions for federal audits and reviews, supports eligibility for Department of Defense and other federal research grants, and reduces the risk of data breaches and reputational harm.
The NIST Cybersecurity Framework (CSF) 2.0
NSPM-33 mandates that federally funded research institutions implement robust cybersecurity practices to protect research integrity, prevent unauthorized access, and manage insider threats. The NIST Cybersecurity Framework (CSF) 2.0 provides a flexible, outcome-based structure that aligns well with these goals.
CSF 2.0 is organized into six core functions—Govern, Identify, Protect, Detect, Respond, and Recover.
- Govern cybersecurity strategy by establishing roles, responsibilities, policies, and oversight mechanisms that ensure institutional accountability and alignment with legal and regulatory requirements.
- Identify critical research assets and assess vulnerabilities.
- Protect sensitive data through access controls, encryption, and secure configurations.
- Detect anomalies and unauthorized access using tools like User Activity Monitoring (UAM).
- Respond to incidents with defined protocols to preserve research continuity.
- Recover from disruptions while maintaining compliance and minimizing data loss.
This framework supports the development of a Research Security Program that meets NSPM-33’s call for basic safeguarding protocols, such as logical access control, export control compliance, and protection of proprietary information. It also integrates well with other NIST resources like SP 800-171 and IR 8484, which are referenced in federal guidance for research security.
The CHIPS and Science Act requires:
- Researchers on federal research awards to complete annual research security training. (Section 10634)
- Researchers to certify at the time of proposal submission and annually during the duration of an award that they are not part of a malign foreign talent recruitment program. (Section 10632)
- Institutions to certify that researchers are aware of the prohibition of participating in malign foreign talent recruitment programs. (Section 10634)
Refer to this link for more information:
Frequently Asked Questions: CHIPS R&D Research Security and Technology Protection