IT-20 Operation of Networking Devices and Identity Management Systems (Interim)

Purpose

A fundamental tenet of cybersecurity, as well as an obligation imposed by federal grants and contracts, is to have institutional processes and systems to ensure that access to the networking and computing resources of the university is limited to authorized users with an appropriate and ongoing business need for that access. This standard is part of the process to ensure that the University of Maryland (UMD) meets these requirements.

Scope

This standard applies to computing and networking devices operated in support of official activities of UMD (e.g. teaching, research, administration, and service) regardless of the location (on UMD property or in leased spaces) or technical modality (physical computer, virtual machine, cloud computing service, Software as a Service product). This standard does not apply to residential networks used for telecommuting.

Statement

Authentication of access to accounts on computers at UMD will be done exclusively by use of the Division of Information Technology (DIT) operated identity system (e.g. directory ID, Active Directory, multi-factor authentication, and LDAP). No individual or unit may operate an account authentication system of their own (e.g. Active Directory or LDAP).

When technically necessary, individual systems may have a local or system provisioned user/password combination that is used for limited configuration purposes, but only with the written permission of the University’s Chief Information Security Officer (CISO).

All networking devices at UMD must be operated by the Division of Information Technology. Specifically, other individuals and units are not permitted to operate switches, routers, network firewalls, or VPN systems. With the written approval of the CISO, units may operate “top of rack” switches as part of computing clusters.

Exception Process

Waivers of this standard may be granted by the VP IT & Chief Information Officer (CIO) with the concurrence of the CISO. Should a waiver be granted, the CIO may impose additional requirements, compensating controls, or time limits on the waiver as they deem appropriate. In no event will a waiver last for more than 1 year without recurring review and approval by the CIO and CISO.

Waivers may be revoked at any time at the sole discretion of the CIO or CISO. Any request for a waiver of this standard must explain how it is either not technically feasible to comply or how compliance explicitly violates a legal requirement of the State of Maryland or the United States Government as determined by the Office of General Counsel (OGC). A request for a waiver must also explain the tradeoffs between the University not performing the activity that requires the waiver vs. the compliance and reputational risks of cybersecurity incidents that could result from granting the waiver. The CIO, with concurrence from the CISO and appropriate consultation with the President, Senior Vice President, and other Vice Presidents, will determine whether such tradeoffs warrant a waiver being issued.

Decisions of the CIO regarding this standard may be appealed to the UMD President.

Compliance

Consistent with University Policy X-1.00(A), Policy on Acceptable Use of Information Technology Resources, devices not complying with the standard may be removed from the network and/or relocated to a secure location by authorized DIT staff.

Violations of this standard are violations of UMD policy and may result in appropriate disciplinary actions for faculty, staff, and students involved.

All units are required to be in compliance with the standard by June 30, 2025. Depending on urgency, some units may be required to comply sooner in the CIO’s sole discretion.

Version History

Version 1.0, this is an interim standard published by VP/CIO Jeffrey Hollingsworth February 6, 2025.

This standard must be reviewed within two years of its approval.