Research Cybersecurity - Definition of Terms

FAR (Federal Acquisition Regulation)

The Federal Acquisition Regulation (FAR) is a set of rules and regulations governing the acquisition process for the U.S. federal government. It provides guidelines and procedures for federal agencies when acquiring goods and services, including contracts, supplies, and services. The FAR is designed to ensure transparency, efficiency, and fairness in the federal procurement process. 

For more detailed information and to access the complete Federal Acquisition Regulation (FAR), visit the official website of the General Services Administration (GSA).

DFARS (Defense Federal Acquisition Regulation Supplement)

DFARS stands for "Defense Federal Acquisition Regulation Supplement." It is a set of regulations issued as a supplement to the Federal Acquisition Regulation (FAR) that provides additional guidance and requirements for the acquisition and procurement of goods and services by the U.S. Department of Defense (DoD). 

In the context of the provided information, DFARS Clause 252.204-7012 titled "Safeguarding Covered Defense Information and Cyber Incident Reporting" outlines the security requirements that contractors and subcontractors must adhere to when handling covered defense information and reporting cyber incidents. Covered defense information refers to unclassified controlled technical information or other information that requires safeguarding or dissemination controls in accordance with laws, regulations, and government policies. The clause includes provisions related to adequate security measures, cyber incident reporting, malicious software handling, media preservation, access to information for forensic analysis, and more. 

For detailed information on the DFARS Clause 252.204-7012 and its requirements, you can refer to the official document on the Acquisition.gov website: DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.

CUI (Controlled Unclassified Information)

CUI, or Controlled Unclassified Information, refers to information held by or generated for the Federal Government that requires safeguarding or dissemination controls. In the context of research, CUI encompasses research data and other project information that a research team receives, possesses, or creates during the performance of federally funded research. The determination of whether an award involves CUI is the responsibility of the federal sponsor, and award documents should explicitly identify CUI and applicable security requirements. 

For more information, you can visit the Research Security page of the University of Colorado Boulder's Research & Innovation Office

CMMC (Cybersecurity Maturity Model Certification)

The Cybersecurity Maturity Model Certification is an assessment framework and assessor certification program developed by the Department of Defense (DoD) and designed to increase and verify the trust in defense contractors’ ability to protect DoD Controlled Unclassified Information (CUI).

EAR (Export Administration Regulations)

EAR stands for Export Administration Regulations. It is a set of regulations promulgated by the U.S. Department of Commerce, specifically by the Bureau of Industry and Security. EAR governs the export, re-export, and transfer of items and technology that may have uses or applications where there are national security concerns, but are predominantly civilian in character. 

For more detailed information about the Export Administration Regulations (EAR) and how they relate to export controls, visit the Export Controls Regulations page of the University of Colorado Boulder's Research & Innovation Office.

ITAR (International Traffic in Arms Regulations)

ITAR stands for International Traffic in Arms Regulations. It is a set of regulations promulgated by the U.S. Department of State, specifically by the Directorate of Defense Trade Controls (DDTC). ITAR governs the export, import, and transfer of defense articles and defense services, which are items and information specifically designed or adapted for military use. This includes various aspects of satellites, spacecraft, and other military technologies. 

ITAR regulations are designed to control the export of items and technology that have potential military applications and are considered sensitive from a national security perspective. 

For more detailed information about the International Traffic in Arms Regulations (ITAR) and how they relate to export controls, refer to the University of Colorado Boulder's Research & Innovation Office website.

GDPR(General Data Protection Regulation)

The General Data Protection Regulation (GDPR) is a privacy act in the European Union (EU) and European Economic Area (EEA) countries that regulates the collection, use, and security of personal data. It impacts research conducted in these regions or with individuals located there, and it governs activities involving the collection and use of personal data:

  1. Through activities within EEA countries. 
  2. Related to offering goods and services to EEA residents. 
  3. Involving monitoring the behavior of EEA residents. 

The GDPR covers identifiable personal data that can be linked to an identified or identifiable natural person, including information like names, identification numbers, location data, and more. The GDPR requires affirmative and specific consent, documented procedures, disclosure of data processes, and information about participants' rights, including access, correction, withdrawal, and data transfer.

Sensitive personal data, such as health, genetics, race/ethnicity, biometrics, etc., requires additional data security measures. In the event of a data breach, it must be reported to authorities and affected participants within 72 hours. 

For more detailed information about the GDPR and its impact on research, refer to GDPR and Research: What you need to know on the Research and Innovation website.

FERPA (Family Educational Rights and Privacy Act)

FERPA, the Family Educational Rights and Privacy Act of 1974, is a federal law safeguarding the privacy of student education records. It applies to schools receiving U.S. Department of Education funding. FERPA grants students rights to control and access their records, restricts disclosure of personal information without consent, and allows for exceptions under specific circumstances. Directory information may be shared unless students opt out. At the University of Colorado Boulder, FERPA protection begins at enrollment and covers record review, amendment, and complaint procedures. 

For more information, visit the Family Educational Rights and Privacy Act page on the Registrar's website. 

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. law that establishes privacy standards safeguarding patients' medical records and health information shared with health plans, doctors, hospitals, and other healthcare providers (Covered Entities). The University of Colorado, as a "hybrid" covered entity, falls under HIPAA regulations when dealing with patient records, human subjects research data, and health-related marketing demographics. The two main objectives of HIPAA are to secure Protected Health Information (PHI) and enforce electronic transaction standards in healthcare. The Office of Regulatory Compliance, led by Dr. Alison D. Lakin, RN, LLB, LLM, PhD, oversees HIPAA compliance at the university. 

For more information, visit the University of Colorado Anschutz Medical Campus' HIPAA page.