
Data Security

Mississippi State University participates in a wide range of private and federally funded research programs. With the growing threats to cyber infrastructure, as well as to sensitive information, many of these external sponsor entities have implemented specific cybersecurity requirements to ensure that this information is protected. These requirements are manifested through security agreements, non-disclosure agreements, and contractual requirements such as the Department of Defense's DFARS 252.204-7012. Researchers need to be aware that projects with these security requirements must be conducted in specifically designated environments or on specifically configured technical solutions to comply with these preconditions.

Contact Becky Shannon for assistance.

Restricted Research Data

Restricted Research Data can be any research data—or specifically designated administrative support data—that has restrictions, specific protection requirements, or distribution limitations as prescribed by law, regulation, government-wide policy, or contractual obligation. Examples of restricted research data include, but are not limited to: Covered Defense Information (CDI), Federal Contract Information (FCI), Controlled Unclassified Information (CUI), Sensitive Personally Identifiable Information (PII), Proprietary Information, and Personal Health Information (PHI). These different information classification categories often have very specific cybersecurity protection requirements associated with them. Restricted research data can have a wide range of legally or organizationally mandated security controls that aim to protect the data from inadvertent disclosure to or manipulation by unauthorized personnel or entities. These security control types can be grouped into three broad categories: administrative, technical, and physical security controls. That is to say, protecting restricted research data necessitates a holistic approach that requires the cooperation of administrators, information technology professionals, security professionals, and researchers alike.


Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) is a U.S. Department of Defense (DoD) cybersecurity framework designed to ensure that contractors in the Defense Industrial Base protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It establishes a set of required cybersecurity practices and processes that organizations must implement to handle sensitive DoD information. The latest version, CMMC 2.0, streamlines the model into three maturity levels, aligning security requirements with well‑known NIST standards (such as NIST SP 800-171) and aiming to strengthen supply‑chain security across defense contractors.

CMMC 2.0 Levels Overview

| Level | Purpose | Requirements | Assessment Type |
|---|---|---|---|
| Level 1 – Foundational | Protect Federal Contract Information (FCI). | 17 basic cybersecurity practices focused on basic cyber hygiene. | Annual self-assessment. |
| Level 2 – Advanced | Protect FCI and Controlled Unclassified Information (CUI). | 110 practices aligned with NIST SP 800-171 and parts of 800-172. | Triennial third-party (C3PAO) OR annual self-assessment for select orgs. |
| Level 3 – Expert | Protect high-value CUI against advanced threats. | 110+ practices based on NIST SP 800-171 and 800-172A. | Government-led assessment every 3 years. |



Resources


Data Security - Frequently Asked Questions