Research Security
Research security is vital to protect sensitive data, intellectual property, and national interests from unauthorized access or theft. Information Assurance (IA) plays a key role in safeguarding research by reviewing data use agreements to ensure the University can comply with the lending organization’s terms. IA's support includes implementing cybersecurity policies, assessing risks, and ensuring compliance with federal regulations, state regulations, and institutional standards.
Security Framework Assessment, NIST CSF 2.0
The annual Security Framework Assessment (SFA) ensures that units self-assess their security practices using a questionnaire based on the latest version of the NIST Cybersecurity Framework (CSF 2.0). The goals of the SFA are to:
- Understand the University’s cybersecurity posture to report to University leadership and other stakeholders, including funding agencies, insurers, auditors, and vendors.
- Identify common information security gaps that should be addressed with centrally-provided policies, processes, or tools.
- Provide data to facilitate recurring conversations with leadership at all levels to inform prioritization of related work.
Additionally, data lending organizations frequently require the University to demonstrate compliance with specific NIST standards. SFA participation gives units an edge in meeting these expectations, as the CSF is often accepted as a substitute for NIST 800-171 and 800-53 assessments by many lending organizations. This participation helps ensure that units are better positioned to meet external compliance requirements and streamline the assessment process.
Regulatory and Framework Compliance Support
NIST SP 800-171
If you are a Principal Investigator working on a project that involves Controlled Unclassified Information (CUI) and must comply with National Institute of Standards and Technology (NIST) SP 800-171 requirements, the Information Assurance (IA) team can assist by reviewing your self-assessment to ensure that your controls meet the necessary technical and administrative safeguards. Information Assurance works with you to identify compliance gaps, recommend risk-mitigation strategies, and confirm that your research environment is properly configured to protect CUI. Failure to demonstrate compliance with 800-171 can result in grant delays, loss of funding, disqualification from federal contracts, and long-term impacts on the University's ability to participate in federally funded research.
Health Insurance Portability and Accountability Act (HIPAA)
If you are a Principal Investigator working with data subject to HIPAA compliance, the IA team can help you navigate the requirements. IA offers support by reviewing your security assessments, ensuring your data handling practices align with the HIPAA Security and Privacy Rules, and identifying any gaps in compliance. Failing to demonstrate HIPAA compliance can lead to serious consequences, including grant delays, federal penalties, reputational harm, and restrictions on future research involving protected health information (PHI).
Other Research Security Attestations
Determining whether you can conduct your research at the University of Chicago involves coordinating with several key offices to ensure compliance with data use, security, and ethical standards.
- If your project requires a Data Use Agreement (DUA), you’ll work with University Research Administration (URA) to initiate and negotiate the terms.
- If your research involves human subjects, the Institutional Review Board (IRB) must review and approve your study.
- Procurement may be involved if you need to purchase tools or services that will interact with sensitive data. The Sensitive Research Data Stewardship (SRDS) process will help classify your data and define appropriate protections.
Throughout this process, Information Assurance plays a critical role in reviewing security requirements, helping you assess compliance with frameworks such as HIPAA, NIST 800-171, NIST 800-53, or the NIST CSF (Cybersecurity Framework), and identifying any risks associated with storing or processing sensitive data. Engaging with these teams ensures the following:
- research security concerns are addressed
- preferred storage and compute environments are reviewed proactively
- your research can move forward without avoidable delays