Yes, for example if you are collecting personally identifiable health information, we recommend storing identifiers on a BU Restricted Use network drive or BU Microsoft Teams/SharePoint/OneDrive if you are collaborating with others outside BU, then analyze the anonymized data on our high performance Shared Computing Cluster (SCC).

 

Yes, we can implement most requirements on BU managed computers and servers, but for the highest security requirements of NIST 800-53, NIST 800-171, and CMMC, we are now encouraging researchers to contract with a UCSD program called Sherlock through IS&T.  Cost for this service should be taken into consideration for grant proposals, but we will handle the contracting and security requirements for you. In some circumstances we have implemented isolated (no internet) systems, but we encourage you to consider Sherlock instead.

For example, the Centers for Medicare and Medicaid Services (CMS) now require all researchers to comply with NIST 800-53, and submit a Data Management Plan Security Attestation Questionnaire (DMPSAQ), detailing their plans for complying with NIST 800-53.  Researchers will need to contract with Sherlock through IS&T, but we’ve completed the DMPSAQ for you.

 

We can help with that! We regularly help researchers as well as our research contracting offices understand specific security requirements.

 

Yes. The Department of Defense will soon start requiring compliance with a new compliance program called Cybersecurity Maturity Model Certification (CMMC) that requires third party audits. We are working on making Shared Computing Cluster compliant with CMMC Level 1 but expect most CMMC Level 2 research will need to go to Sherlock.

We have a few answers to common security questions here. Users of the Shared Computing Cluster (SCC) may also wish to refer to BU’s Cyberinfrastructure Plan. We can always help you with other questions, just reach out to buinfosec@bu.edu.

Yes, we regularly review security requirements in proposals to ensure we can agree to any requirements. If the proposal is approved we will work with you to implement any additional controls.

In some cases, we may be reaching out to you. When research contracts have regulatory or non-standard cybersecurity requirements, the Office of Sponsored Programs and/or Industry Engagement will ask us to work with you to ensure your computing environment will meet contractual requirements. Some of the changes we’ve seen here range from an increased focus on encryption to requiring assertions or audits of compliance with federal standards like the National Institute of Science and Technology Special Publication 800-53 (NIST 800-53). Unfortunately, not all solutions are free or fast, so if you are considering research with CMS, CHIA, or other regulated data, we encourage you to contact us early to understand the requirements, and to take advantage of templates we have prepared.