Administrative Policies

AD105 Safeguarding Controlled Unclassified Information in LionSHIELD

Policy Status
Active
Subject Matter Expert
Vice President of Information Technology and Chief Information Officer
Policy Steward
Senior Vice President and Chief of Staff

PURPOSE

The Pennsylvania State University (the “University”) is committed to executing its research, teaching, and operations missions in a secure manner consistent with applicable laws and regulations. The purpose of this Policy is to establish an institution-wide program for safeguarding Controlled Unclassified Information (“CUI”) received or generated under federal research awards and the information assets within the boundary of the Secure Hybrid Infrastructure for Enhanced Learning and Discovery (“LionSHIELD”), as defined below.

OVERVIEW

CUI is defined in Executive Order 13556 as “information possessed by or generated on behalf of the Federal Government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies that is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

In pursuit of fulfilling its research mission, the University may receive or generate CUI in the performance of its federal research. The federal Contracting Officer is responsible for marking CUI it transmits to the University and for providing marking instructions for CUI the University may generate under an award. CUI safeguarding requirements and dissemination controls are only applicable to the University and LionSHIELD, as defined below, when required by a federal agency in a regulation or by contract.

32 CFR 2002 Controlled Unclassified Information implements the executive branch’s CUI Program and establishes policies for handling and designating CUI. The CUI Program specifies National Institute of Standards and Technology (“NIST”) Special Publications (“SP”) 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (“NIST SP 800-171”) for safeguarding requirements applicable to nonfederal information systems that store, transmit, or process CUI. NIST SP 800-171 consists of physical, technical, and administrative controls that must be implemented in any nonfederal information system that stores, transmits, or processes CUI. The University developed LionSHIELD in accordance with NIST SP 800-171 for storing, processing, and transmitting CUI.

SCOPE

This Policy is applicable to LionSHIELD Users, as defined below, and any faculty and staff who assist in the administration of research awards involving the receipt or generation of CUI. This Policy applies to all locations and operations of the University, except for Penn State Health, the Pennsylvania College of Technology, and the Applied Research Laboratory, which follow separate policies, as applicable.

DEFINITIONS

Secure Hybrid Infrastructure for Enhanced Learning and Discovery (“LionSHIELD”)
consists of the University’s:
  1. Microsoft Government Community Cloud High Tenant,
  2. Azure Government Environment, and
  3. authorized physical facilities containing on-premises instrumentation, storage solutions, or other equipment used to process, generate, or store CUI.
LionSHIELD Administrators
any University faculty, staff, contractor, or other third party to whom the University grants access to LionSHIELD and authorizes to conduct privileged functions, including audit log review and maintenance, among other activities. Such authorization is granted by the System Security Officer.
LionSHIELD Users
any University faculty, staff, student, contractor, or other third party to whom the University grants access to LionSHIELD and authorizes to access, process, generate, or receive CUI on behalf of the University. Such authorization is requested by the Information Owner and granted by the System Owner.
Information Owner
the Principal Investigator (“PI”) of an award which the sponsor has indicated will involve the receipt or generation of CUI.
System Owner
the University’s Vice President of Information Technology and Chief Information Officer (its “CIO”).
System Security Officer
the University’s Chief Information Security Officer (its “CISO”).

Unless otherwise expressly indicated, terms not otherwise defined in this Policy, the LionSHIELD Control Family Policies, or the LionSHIELD Plans, but included herein or therein have the meaning defined in the NIST Computer Security Resource Center Glossary.

POLICY

LionSHIELD Control Family Policies

NIST SP 800-171 categorizes its security requirements for protecting CUI in nonfederal systems into families. The following LionSHIELD Control Family Policies and their supporting Standard Operating Procedures (“SOPs”) and guidelines, as applicable, support and supplement this Policy and are enforced in the same manner as this Policy.

LionSHIELD Plans

In addition to the LionSHIELD Control Family Policies, NIST SP 800-171 requires certain additional plans. The following LionSHIELD Plans and their supporting SOPs and guidelines, as applicable, support and supplement this Policy and are enforced in the same manner as this Policy.

Acceptable Use of LionSHIELD

As a condition of being granted access to LionSHIELD, LionSHIELD Users must:

  • Comply with University Policies AD95 and AD96, the LionSHIELD Control Family Policies, the LionSHIELD Plans, and any other applicable regulations, policies, and/or contractual requirements.
  • Take any assigned training as periodically assigned by Penn State IT, the Office of the Senior Vice President for Research, and/or sponsors.
  • Work within the confines of LionSHIELD’s System Security Plan and any applicable University Data Security Plan, Technology Control Plan, or other instructions or individualized data security requirements provided in connection with their use of LionSHIELD.
  • Immediately report any security incident involving CUI to security@psu.edu.

Roles and Responsibilities

  • System Owner
    • Oversees the development, modification, and operation of LionSHIELD.
    • Authorizes access to LionSHIELD.
  • System Security Officer
    • Maintains the appropriate operational security for LionSHIELD.
  • Information Owner
    • Oversees and maintains any data received or generated under an award throughout its lifecycle.
    • Responsible and accountable for any project personnel under their award(s) who are granted access to LionSHIELD.
    • Marks CUI as directed by the Contracting Officer.
  • Managed Service Provider (“MSP”)
    • Day-to-day management of the cloud components of LionSHIELD.
    • Security control monitoring of the cloud components of LionSHIELD.
  • Office of Sponsored Programs
    • Reviews grants, contracts, and proposals, and negotiates acceptable terms.
    • Issues Data Security Plans, Technology Control Plans, and any other relevant compliance plan.
    • Coordinates with the PI, Unit IT, and Penn State IT when awards or requests for proposals contain clauses or language involving the receipt or generation of CUI.
  • Penn State IT
    • Oversees the MSP.
    • Provides technical and compliance consultants to assist the MSP.
    • Provides technical and security consulting to LionSHIELD Users and the Office of the Senior Vice President for Research.
    • Assists in the billing of resources used in the cloud components of LionSHIELD.
  • Research Cybersecurity Compliance
    • Oversees this program for the Safeguarding of CUI.

Roles and responsibilities may be delegated, but any such delegations must be in writing and auditable.

INCIDENT RESPONSE

Units are required to immediately report suspected security incidents to security@psu.edu for investigation. The University will follow the LionSHIELD Incident Response Plan, University Policy AD95, and the University’s Information Security Incident Response Plan for all suspected security incidents involving CUI.

EXCEPTIONS

Exceptions to this Policy must follow the LionSHIELD Exception to Policy Process.

POLICY VIOLATIONS

Any student, faculty member, staff member, or unit found to operate in violation of this Policy may be held accountable for remediation costs associated with a resulting information security incident or other regulatory non-compliance penalties, including, but not limited to, financial penalties, legal fees, and other costs.

CROSS REFERENCES

Other policies, regulations, and frameworks should be referenced, especially the following:

AD35 – University Archives and Records Management

AD68 – University Access Policy

AD89 – University Export Compliance Policy

AD95 – Information Assurance and IT Security

AD96 – Acceptable Use of University Information Resources

HR99 – Background Verifications Requirements

RPG01 – The Responsible Conduct of Research

32 CFR Part 2002

Cybersecurity Maturity Model Certification (CMMC) Program

Executive Order 13556

The National Archives and Records Administration CUI Registry

NIST SP 800-171

NIST SP 800-171A

_________________________________________________________

Revision History (and effective dates):

  • August 16, 2024