Cybersecurity

NSPM-33 and subsequent guidance (found here and here) requires research organizations, including Vanderbilt, to implement basic cybersecurity standards. VUIT and Vanderbilt Cybersecurity are actively working on meeting these requirements. Please direct any questions to the Office of Cybersecurity by emailing cybersecurity@vanderbilt.edu.

Research contracts may also have additional cybersecurity requirements outside of the requirements found in NSPM-33. For example, NIST 800-171 contains requirements related to protecting Controlled Unclassified Information (CUI). DFARS 252.204-7020 allows the federal government to access contractor systems to make sure they are meeting required standards in NIST 800-171. More recently, an interim Federal Acquisition Regulation (FAR) prohibits the use of TikTok or other ByteDance applications on information technology used in the performance of a federal contract (see Vanderbilt guidance on this regulation). If you have any questions about how these requirements apply to your current or pending research contracts, please contact your SPA Contracts Officer.

Best Practices:

• Complete cybersecurity training (currently required annually for all staff)
• Work with the Office of Cybersecurity to:
  – Report a security incident
  – Report any phishing attempts
  – Follow tips and advice