CERD Compliance

Researchvault system security plan (SSP)

View the front matter of the approved ResVault SSP with signature page

The systems that are part of the Computing Environment for Restricted Data (CERD) are managed using the process and procedures that closely follow what is mandated by the Federal Information Security Management Acts (FISMA) of 2002 and 2014 for systems owned by and operated for the federal government.

  • Data processed by projects set up in CERD is classified following FIPS-199.
  • CERD systems are classified according to FIPS-200 to meet data requirements classified at the “moderate” impact level for Confidentiality, Integrity, and/or Availability.
  • Controls are implemented and maintained for all systems in CERD as specified in 800-53 Moderate and 800-171.
  • A system security plan (SSP) with Plan of Actions and Milestones (POAM) is maintained for all systems in CERD according to NIST 800-18.
  • Approval to operate is obtained by the system owner and operator from the appropriate university official.
  • The implementation of the controls is assessed by an organization independent of the system owner, UF Information Technology, with annual assessments thereafter.
  • View a letter from the CIO certifying the readiness of ResVault as a computing environment for restricted research data


The NIST documentation can be applied as standard and best practice for operating any information system owned by and operated by any organization. Due to the possible narrow interpretation that FISMA compliance implies the system is owned by and operated for the federal government.

  • We do not claim that any cloud service that is used as a connected system to any system in CERD is FedRAMP certified.
  • We do not claim that CERD is a “cloud service provider” (CSP) that is FedRAMP certified.