Regulated Research Cybersecurity Program

The UC San Diego Regulated Research Cybersecurity Program (RRCP) unifies our previous Cybersecurity Maturity Model Certification (CMMC) efforts with support for NIH controlled-access data and other current and emerging research security obligations.

What’s new?

The Regulated Research Cybersecurity Program has achieved CMMC Level 2 Status following an assessment conducted by a DoD C3PAO. This certification confirms that we meet all required security practices for the protection of Controlled Unclassified Information (CUI).

Research security landscapes evolve. The UC San Diego Regulated Research Cybersecurity Program expands beyond CMMC to include federal sponsor and data-use requirements relevant to campus research. Our goal is a single front door for regulated research that reduces the cybersecurity compliance burden and provides a secure and compliant environment for use. We support PIs, research staff, and partners working with regulated data or sponsor-imposed security requirements.

  • NIH controlled-access data: Support for projects accessing controlled datasets (e.g., dbGaP and similar) and aligning campus controls with sponsor expectations.
  • Future-facing scope: Other regulated research contexts (e.g., CUI, agency-specific requirements, NSPM-33) as they arise.

How to engage - Start here

  1. Identify: Determine which type of support best fits your project’s needs. Our service offers three engagement models depending on your lab’s technical capabilities and desired level of IT support:
    1. Fully Managed: We handle most of the technical and compliance requirements. Ideal for researchers who prefer a turnkey environment with minimal setup or maintenance effort.
    2. Secure In Place: Your lab retains the responsibility to meet the compliance requirements and manages the existing environment. We assist with compliance documentation, reviews, and guidance to help you meet requirements within your own systems.
    3. Third-Party Solution: For projects leveraging external vendors or specialized services, we work with you to ensure the necessary compliance documentation and controls are in place. Effort varies depending on the level of service provided by the third party.
  2. Request: Send an email to OIA Research Support at OIA-Research-Support@ucsd.edu and share relevant documentation (e.g., RFP, data-use terms, or award language) along with your project timeline. A member of our team will follow up.
  3. Assess: We map your obligations (e.g., 800-171, NIH controlled-access expectations) to available compliant solutions through our partners.
  4. Enable: We provision the appropriate enclave and/or validate controls and onboard your team.

Not sure if your project is in scope?

If a sponsor, agreement, contract, data source, or regulation specifically mentions information security controls, we can help.

Examples of what RRCP Supports

  • CMMC Level 2 / NIST SP 800-171
  • NIH Controlled Access Data
  • Controlled Unclassified Information
  • Data Use Agreements
  • Export Controls (in partnership with Export Control)
  • Agency/Sponsor Cybersecurity Clauses

Services Offered

  • COMPLIANCE ADVISORY - Intake and Triage
    • Rapid review of sponsor language, data-use terms, and timelines. We assess the requirements and recommend the most appropriate pathway (e.g., existing service, enclave, or mitigating controls).
  • PLATFORMS - Compliant Research Enclaves
    • Hosted environments aligned to applicable control sets (e.g., NIST SP 800-171). See below for current options.
  • COMPLIANCE - Documentation and Authorized Use
    • Support for control documentation, system security plans (SSPs), periodic assessments against appropriate security frameworks, plan of action & milestone (POA&M) documentation, and IT attestations required by sponsors or data custodians.
  • OPERATIONS - Onboarding, Lifecycle, and Transitions
    • Researcher onboarding, access approvals, change requests, and project close-out (archival, data destruction, or transfer) to meet sponsor expectations.
  • GOVERNANCE - Policies and Alignment
    • Ensures alignment with UC and UC San Diego information security policy, federal research security requirements, and sponsor terms.
    • We coordinate closely with the Sponsored Projects Office, Export Control Office, and Research Compliance and Integrity Office.

Compliant Research Enclaves

  • UC San Diego Controlled Unclassified Information (CUI) Cloud Enclave (UCCE)
  • Sherlock at the San Diego Supercomputer Center (SDSC) (for NIST 800-53)
  • Triton Shared Computing Cluster (TSCC) - Coming December 2025! (for high-performance computing needs)
  • Please let us know if you need something that’s not listed here!

Frequently Asked Questions

  • Do we still support DoD CMMC and NIST SP 800-171?
    • Yes. Our former CMMC program is fully incorporated into RRCP. We continue to operate 800-171-aligned services for CUI and applicable sponsor requirements.
    • CMMC L2 Certification issued to RRCP in Fall 2025.
  • Will this program cover future research regulations?
    • Yes. RRCP is designed to adapt. As sponsor language evolves or new requirements appear, we will extend services and controls accordingly and communicate changes to the campus.
  • What is the cost?
    • Costs are being finalized as part of a new cost model and will be available following official campus approval.
    • Rates will be discounted based on the approved campus subsidy to make this program as cost-effective as possible for our researchers.
  • Who can use RRCP?
    • UC San Diego principal investigators, research staff, and collaborators with UC San Diego-sponsored or affiliated research requiring regulated data handling or sponsor-mandated controls.
  • How do I check the status of my request?
  • How long does this process take?
    • The compliance attestation and verification can take several weeks. Please do not wait to get started if you intend to renew access to one or more NIH‑controlled data repositories; beginning the review early will help avoid delays.
  • What compliant environments are available?
    • The list of compliant research enclaves is above the FAQ on this page. We’re currently reviewing additional providers and will add them to this list as they complete our validation. If there are any environments you’d like us to review, please engage with us by following the steps on this page.

Acronyms, Definitions, and References

  • Controlled Unclassified Information (CUI) - Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. Link from National Archives: https://www.archives.gov/cui/about
  • Cybersecurity Maturity Model Certification (CMMC) Program - Department of Defense implementation of the NIST SP 800-171 framework for CUI - 32 CFR 170: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170
  • Department of Defense (DoD) CUI program: https://www.dodcui.mil/
  • Regulated Research Cybersecurity Program (RRCP)

For More Information

Please contact the Office of Information Assurance, Risk & Compliance at OIA-Research-Support@ucsd.edu.