The Advanced Research Computing, Security, and Information Management (ARCSIM) group has recently expanded to reflect the enhanced compliance requirements of research work being conducted with the Department of Defense (DoD) Controlled Unclassified Information (CUI). In Fall 2023, Sammy Murphy, an IT Vulnerability Specialist, joined ARCSIM to focus on critical vulnerability management tasks in support of the 91±¬ÁĎ’s Advanced Structures and Composites Center (ASCC), one of the largest research centers within the 91±¬ÁĎ System.

With an increasing number of large, defense related grants being awarded to ASCC, managing security requirements and expectations is becoming a focal point of ARCSIM’s operations. Murphy graduated from 91±¬ÁĎ with an interdisciplinary undergraduate degree focused on computer science and communication, and worked at ASCC as a student and then again after graduating. Murphy brings a familiarity and knowledge of ASCC to the ARCSIM team and has recently begun studying to complete a Systems Security Certified Practitioner (SSCP) certification as well.

A significant amount of federal funding awarded to ASCC is contingent on specific cybersecurity requirements. Working closely with Melissa Kimble, Senior Research Data Security Analyst, Murphy supports the IT Infrastructure required for these funding sources by monitoring device logs, threats, and security developments. Murphy explained, “Vulnerabilities can arise in many forms, including within software applications. If it is found that malicious actors are exploiting a certain vulnerability in an application, the application vendor will likely release an emergency security patch. We need to monitor logs, catch that, and patch it right away.” This effort ensures that ASCC meets cybersecurity requirements and that sensitive research data is safeguarded.

Beyond vulnerability management, Murphy’s familiarity and knowledge of ASCC has been instrumental in evaluating existing policies and procedures that affect the center’s cybersecurity posture. This work has resulted in input and oversight of over 35 policies, a multi-stakeholder effort that has been expedited through Murphy’s expertise. These policies and procedures have been adapted to reflect current and pending cybersecurity requirements for the center.   

For Murphy, the best part is collaborating with colleagues on collectively understanding what threats are out there and how those threats can be best addressed and communicated. “Part of what I do is make this information digestible,” remarked Murphy. “It is important that people understand the threat, why we are concerned about it, and how we are addressing it.”

Shane Moeykens, ARCSIM Director, states, “Roles like Murphy’s will only become more important as research across the 91±¬ÁĎ System continues to grow. This growth is contingent on maintaining secure computing environments for research activities and data, and thereby preserving external funding and executing nationally important research activities.” 

What is NSPM-33?

The National Security Presidential Memorandum 33 (NSPM-33), issued on January 14, 2021, initiated the development of research security standards for institutions that receive $50 million or more a year in federal science and engineering support. These standards are being designed to strengthen the research enterprise against foreign government interference and exploitation and they are expected to be released in their final form in fall 2023.

These standards include an institutional research security program, a new baseline for cybersecurity, periodic training on research security and export control, and mandatory protocols for foreign travel.

What does this mean for 91±¬ÁĎ?

As an institution that receives more than $50 million in federal science and engineering support, 91±¬ÁĎ will be required to implement these standards to maintain and receive federal science and engineering support, which could be as soon as fall 2024. 

How is 91±¬ÁĎ addressing NSPM-33?

The Office of Science and Technology Policy (OSTP) released on March 7, 2023. In response to these draft requirements, a core NSPM-33 committee was formed to enable the 91±¬ÁĎ research enterprise to achieve and maintain compliance with emerging NSPM-33 requirements. The NSPM-33 committee will advise University leadership of progress, status, and risks within the context of NSPM-33. 91±¬ÁĎ’s Advanced Research Computing, Security, and Information Management (ARCSIM) is also working closely with the UMS:IT Information Security Office to detail the implications of the draft cybersecurity requirements in NSPM-33.

The successful implementation of NSPM-33 is paramount to 91±¬ÁĎ’s success as a research institution. Failure to comply with these federal requirements could result in penalties or loss of grant funding. 

Compliance with these new requirements will take cooperation from the entire University community, and it is recognized that the federal government has proposed an aggressive schedule for the implementation of NSPM-33. Seeking compliance with input from the research community will be essential..  Please look out for updates from ARCSIM in the fall of 2023 to be aware of the full impact of NSPM-33 on federally supported research.

Shortly after the release of the official guidance this fall, the NSPM-33 committee will host a public forum to discuss NSPM-33.

By Iris May-Fleming, Media Intern

In an age where cybersecurity threats are increasing at an alarming rate, the importance of securing sensitive data within research institutions has never been more critical. One individual dedicated to this cause is Melissa Kimble, a Research Data Security Analyst at the 91±¬ÁĎ (91±¬ÁĎ).

As the data security analyst for 91±¬ÁĎ’s Advanced Research Computing, Security, and Information Management (ARCSIM) group, “My position is really to help translate cybersecurity needs to researchers, faculty, and staff.” Kimble said. “A lot of researchers need an extra level of protection for their data, whether that’s Department of Defense research, Department of Energy, Department of Health and Human Services, or really any personal data that doesn’t have specific regulatory requirements but we consider sensitive.”  

The journey to her current role has been a winding one. With a background in anthropology and geospatial information science, Kimble found her passion for computer science through her coursework. This led her to pursue a second bachelor’s degree and a subsequent master’s degree. She worked at a tech company briefly as well, which further cemented her interest in computing. “I’ve had a pretty broad interest in computer science,” Kimble explained. “I started out mainly with data science, over time I started emphasizing more data engineering, and the missing piece was cybersecurity. Security sits in the background of all that, but I didn’t focus explicitly on it. I’d always wanted to know more, and now it’s my main focus.” With five years at 91±¬ÁĎ pursuing a Ph.D. in spatial information science and engineering,  Kimble has a deep understanding of research at 91±¬ÁĎ. She contributed to the NSF EPSCoR RII Track-1 SEANET and Maine-eDNA projects before joining ARCSIM in her current role. 

A typical day for a Research Data Security Analyst involves a wide range of tasks, from contract reviews and consulting to project management and standards development. Recently, Kimble worked with the Information Security Office, the Office of Research Compliance, and the ARCSIM team to develop a foreign travel policy to protect the university’s data while traveling overseas. “A big part of my time is consulting,” Kimble explained. “We don’t charge for security services. Researchers will come in wanting to improve their current security posture, and we develop a plan together to help them get to where they want to go.” This isn’t easy due to the ever-changing landscape of cybersecurity and specificity of different bodies of regulations. Subsequently, Kimble’s work often involves extensive reading and summarizing federal and state regulations to stay informed and prepared for the growing list of cybersecurity requirements. 

“The federal requirements for conducting research have been increasing, especially since the onset of the COVID-19 pandemic,” Kimble explained. With the recent surge in remote work, compliance with federal regulations became increasingly complex. Researchers now have to navigate new requirements related to data security, privacy, and confidentiality. Additionally, some research projects that require on-site access to specialized equipment and facilities face unique challenges. Kimble described the importance of universities prioritizing compliance with federal regulations, ensuring the integrity of their research. She recommends that researchers stay informed about the latest regulatory changes, and to contact ARCSIM if they have any questions. ARCSIM will be conducting at least one security focused seminar per semester going forward to help researchers stay abreast of the evolving cybersecurity environment.

By Iris May-Fleming, Media Intern

Researchers put a substantial amount of time, money, and effort into the data that they produce, so keeping that data safe and secure is important for maintaining research integrity, and making sure that valuable resources are not lost. ARCSIM’s data security analyst Melissa Kimble urges researchers to take simple and easy steps to increase data security while working with sensitive data.

The first recommendation is to use a UMS IT managed device if you’re able. All UMS Managed devices include tested and enforced patching, tested and standardized hardware, and incident response. Incident response means that any potential viruses will trigger a feedback loop involving the Information Security Office, ultimately serving to help prevent future incidents. “When you have a managed device you not only have anti-virus protection, but a team of technical security experts.” Kimble explained. 

Keeping your computer updated is an essential way to protect your system from vulnerabilities that could allow malware to infect your device. “The number one fixable source of vulnerabilities in your system is updates.” Kimble said, explaining how updates patch potential software issues that would allow malware to get into a computer system. 

While Microsoft Defender is sufficient on UMS IT Managed devices, Kimble encourages researchers to install antivirus software on their personal computers as well, such as ESET Internet Security. Some antivirus softwares simply detect malware, some can also contain and eradicate malware and potentially recover lost data. 

Another important cybersecurity measure is awareness and training. “If you don’t know something is there, then you don’t know how to avoid it.” Kimble explained. A large part of the new National Security Presidential Memorandum (NSPM) 33 provides stricter training requirements for research universities. This heightens data protection for federally-funded projects by mandating data security training, and while the UMS Academy currently has some training on basic cybersecurity, these will expand over time to meet federal requirements. 

Creating a data backup plan is another essential step to protect against a single point of failure. Even if data is backed up on the cloud, having an additional disconnected backup can help mitigate risk. For example, ransomware has become so sophisticated that it can affect cloud data if the backup is continuously syncing when ransomware strikes.

While multi-factor authentication (MFA) may seem tedious, it is a simple way to verify your identity. Enabling MFA makes it more difficult for malicious actors to gain access to your accounts, even if your login credentials have been stolen. Along with MFA, having strong passwords may seem obvious, but it’s still important, and being careful to use unique credentials for each website mitigates the impact of a data breach. 

Device encryption, otherwise known as “encryption at rest”, is another important cybersecurity measure to consider. “Device encryption mitigates data compromise in the event of a lost or stolen device,” Kimble explained. She encourages researchers to use Bitlocker or FileVault 2 as easy ways to make sure that data on portable devices are protected if they are ever lost or stolen. 

Working in a coffee shop may be convenient, but accessing data in public places has security risks. When you’re working on a computer in public, people are able to physically see the screen, and potentially observe private information, so it is important to have situational awareness, and only access private data in a physically secure workplace. 

Flash drives can spread infections, even unintentionally. When someone uses a flash drive on a computer with malware, the flash drive can then spread malware to other computers when it is inserted, so avoiding unknown flash drives is a simple way to avoid malware. 

Another key tip is to avoid public Wi-Fi networks whenever possible. If a malicious actor has positioned themselves to intercept your traffic, they can monitor unencrypted transmitted data. If public Wi-Fi must be used, a VPN, which provides encryption in transit, and only accessing HTTPS websites are ways to mitigate risks associated with public Wi-Fi.

Kimble encourages researchers to contact her at melissa.kimble@maine.edu with questions about data security, attend ARCSIM seminars for general information, or contact ARCSIM at um.arcsim@maine.edu.

Tuesday, February 21, 1:00 p.m. to 2:30 p.m. â—‹ Stodder Hall, Room 48, and via Zoom.

Join 91±¬ÁĎ ARCSIM (Advanced Research Computing, Security & Information Management) and partners in a seminar from 1:00 p.m. – 2:30 p.m. as speakers share their experience with sensitive data. We will also provide an overview of security resources and services that are available to faculty, staff, and students.

• ARCSIM updates — Shane Moeykens, ARCSIM Director
• Research Data Security — Melissa Kimble, ARCSIM Security Analyst
• CompuMAINE and Data Security — Andre Khalil, Director, CompuMAINE Lab, Department of Chemical and Biomedical Engineering
• Family Futures Downeast and Data Security — Lois-Ann Kuntz and Ph.D. Candidate Emily Scarpulla, Department of Psychology
• The Advanced Structures and Composites Center and Data Security — Peter Drown, MBA, Chief Operating Officer, Advanced Structures and Composites Center
• Q & A — Kevin Wentworth, ARCSIM Assistant Director

To attend virtually register for the event via and you will be sent the Zoom Link.

Recording can be accessed at .