Information Security Control Requirements (ISCR)

The Information Security Control Requirements (ISCR) provides detailed implementation guidance for each security control specified in the Information Security Standard (ISS). These control requirements apply to all university information systems and assets under the university’s control and to the people who access these systems. Use of these control requirements enables Ohio State to protect its information assets; satisfy legal, regulatory and contractual requirements; and apply best practices for information security and risk management. To better guide implementation efforts, the detailed control requirements in the ISCR are specified according to the level of institutional data being protected, as defined by Ohio State’s Institutional Data Policy (IDP).

View the Information Security Control Requirements (ISCR)



Cybersecurity Maturity Model Certification (CMMC)

The Security and Privacy Governance team (SPG) is working with the Office of Secure Research to ensure the university is fully adhering to NIST SP 800-171 (where applicable) in addition to the newly released Cybersecurity Maturity Model Certification (CMMC).  In doing so, specific areas within the university must self-assess and report complete adherence against NIST SP 800-171 and achieve a level 3 certification performed by a CMMC Third Party Assessment Organization (C3APO).  A level 3 certification is the minimum level a specific area within an organization must achieve when dealing with Controlled Unclassified Information (CUI).  Once the university achieves a level 3 certification, the Department of Defense (DoD) may award Ohio State DoD contracts.  If you have any questions about the CMMC or its impact on Ohio State, please contact Anne Groves (, Office of Secure Research) or Rob Clifford (