CCR Project Charter


WORK TYPE

Project

PROJECT/SERVICE NAME

Cybersecurity Certification for Research (CCR)

 

Requestor: @Corn, Michael (Deactivated)

Date of Request: Jul 20, 2020

ITS-SMT: @Corn, Michael (Deactivated)

Service Owner: @Claire

Charter Status: approved

TIMELINE

Project Start Date: Jul 6, 2020

High-Priority Documents Completed: Jul 6, 2020

Project Implementation (SharePoint site completely ready and first High-Risk Review completed): Oct 24, 2020

Transition to Operational Mode (Reviews managed by Service Owner and Support Teams): Nov 27, 2020

PROJECT DESCRIPTION

The objectives of this project are to address the diverse UCSD IT environments and implement internal self-certification; to define and publish internally a baseline standard based on CMMC L1 (the “Cybersecurity Baseline”) that ensures and encourages the deployment of common security controls (e.g., anti-malware software, regular patching) and record-keeping; to provide visibility for early detection of attacks and compromises, which is critical for response and remediation; and to educate IT staff on simple security measures and on the importance of basic record keeping.

BUSINESS CASE

UCSD will require labs to self-certify compliance with the UC San Diego Baseline Assessment for the following goals:

  • Ensures Labs and distributed IT assets are identified, along with local accountability

  • Ensures Local IT teams and Labs, working with central IT, can improve their cybersecurity position

  • Begins shifting the culture toward proactive cybersecurity management, periodic assessment and continuous improvement, and significantly prepares UCSD for Federal imposition of CMMC or similar standards

  • Could contribute to a competitive advantage for UCSD researchers on some grant applications

CONSEQUENCES OF NOT GOING FORWARD

Ransomware is frightening and quite common. Research remains the primary target for state actors due to the competitive value of Intellectual Property. Federal agencies are increasingly, though not without struggles, ramping up meaningful cybersecurity requirements. Higher education stays in close contact with these agencies to help. DoD is shifting to an entirely new model for cybersecurity practices, the Cybersecurity Maturity Model Certification (CMMC), a DoD initiative requiring third-party pre-certification against CMMC controls in order to compete for contracts and grants (contracts now, grants TBD). Our top CMMC priorities are SIO with Engineering, with Health Sciences a lesser, subsequent priority. NIH, Dept of Ed., and others are watching the CMMC roll-out. We expect to see CMMC requirements applied to the majority of federal grants over the next five years.

BENEFIT TYPE

Transparent Effective Practices are approaches to solving a challenge that remain unobtrusive, are not disruptive to the user, but have a significant impact on security. For research they are approaches that protect reproducibility, repeatability, and availability.

  • Stop Preventable Attacks 

  • Prepare for future regulations

  • Increase visibility

  • Establish best practices with local control

  • Improve UCSD position with funding agencies

  • Lowers risk at critical sites and labs

  • Utilizes investments in cybersecurity

What are the quantitative benefits or anticipated ROI of doing the project?

  • Cost savings through the use of existing tools and technologies 

  • Cost avoidance by reducing the frequency and likelihood of infrastructure compromises and ransomware attacks

  • Compliance: when complete, the Research Labs should roughly correspond to CMMC level 1 and, as such, may be usable for CMMC projects.

URGENCY

Extremely urgent (this month, ASAP)

RISKS/DEPENDENCIES/ASSUMPTIONS/CONSTRAINTS

COVID-19 may limit access to research facilities for project data-gathering efforts.

LEVEL OF IMPACT

Critical impact (enterprise wide)

RESOURCING

ITS is committing project management; AD, End Point, Compliance and Authentication technical staff; and the Research IT Team.

Technical Leads:

  • Phillip Lopo (HX and Qualys and Splunk integration)

  • Rich Flees (Shibboleth, Duo and AD)

  • Daniel Quatch (Kuali)

  • Rick Wagner (Research SME)

Business Systems Analyst / Business Analyst: Daniel Quach (Certification spreadsheet and Metrics)

Enterprise Architect: David Hutches

Project Manager: Manjot Gill

ITS GROUP

IT Security Services

GOVERNANCE COMMITTEE(S)

Cybersecurity Governance Committee (CGC)

HAS THIS BEEN APPROVED BY GOVERNANCE COMMITTEE(S)

Yes

VC AREA

Vice Chancellor and Chief Financial Officer

FUNDING

This is NGN funded (see blink site for NGN funded description).

REQUIRES HEALTH COORDINATION

Yes - Points of Contact:

STRATEGIC ALIGNMENT

Cyber Infrastructure Certification strategically aligns with ensuring UCSD’s computing environment complies with cybersecurity and privacy regulations by providing lifecycle management of user objects and reducing the frequency and likelihood of infrastructure compromises. It also enhances research services by providing infrastructure to meet CMMC contractual requirements.

COMPLEXITY

This project is easy and inexpensive. The backup solution will require a funding source. Project length is estimated to be 6 weeks.

TECHNICAL REQUIREMENTS & INTERFACES

ITS will lead the technical requirements gathering and provide the detailed requirements. ITS staff will provide technical deployment plans and auto-install applications. ITS will interface with DPM and the Office of Contracts and Grants to prioritize contracts/lab facilities.

ENTERPRISE ARCHITECT REVIEW

The Enterprise Architect is to review the project with the requestor and provide any additional input.

APPROXIMATE PROJECT SIZE & EFFORT

Medium - 250 to 2000 man-hours (months)

CONFIDENCE

Moderate - Have done parts of this type of project before but not the entire scope

PROJECT PRIORITY

High

NEW COLLAB SPACE REQUIREMENT

Yes, a new space is required

PROJECT MANAGER (PPMO) REQUESTED

No

SPECIAL CONSIDERATIONS

Cyber Infrastructure Certification will enable UCSD to meet existing cybersecurity regulatory obligations and policy with regard to lifecycle management for university resources and data. When complete the Research Labs should roughly correspond to CMMC level 1, and support UCSD Research projects with CMMC included as a contract requirement.