UC Cybersecurity Mandate 2025

Take the UC Cyber Security Awareness Fundamentals Training

All UCR employees must complete the UC Cyber Security Awareness Fundamentals training to access UCR applications and resources

Download the Security Toolsets

To meet compliance, UCR employees must install and use of the three UCR-mandated security tool applications in order to connect a device to UCR's secure networks and cloud resources. These applications are not optional.

Verify Your Identity with Duo Mobile

UCR employees must use multi-factor authentication (MFA) when accessing campus resources and heath email systems. UCR is set to upgrade its current Duo push notification to verified push. Employees are encouraged to prepare for upcoming changes by downloading and using the Duo Mobile app today.

Please note: Additional campus enforcement measures may be needed to meet compliance. Guidance will be provided as soon as details are available.

Top 5 Things to Know

All UC locations must comply with new information security requirements by May 2025, as mandated by the UC President at the direction of the UC Regents.
These requirements apply to all UC employees, including faculty. UCOP has outlined enforcement measures. UCR-specific enforcement measures will be shared with campus once finalized.
UCR is currently implementing its plan to meet these new requirements, which includes mandatory cybersecurity training and the use of industry-standard security toolsets.
As part of this plan, applications for three specific toolsets must be installed on all devices that connect to secure UCR networks and cloud resources. These applications are not optional.
UCR is actively working to inform all employees about the new security requirements and how to meet them (please continue to check this page for the most up-to-date information).

UC President and Regents
Call UCR to Action

The development of a comprehensive information security program was already in motion at UCR, demonstrating the University's proactive commitment to safeguarding its valuable data and systems. However, the UC President's letter has introduced a renewed sense of urgency into the implementation of this program.

The letter's firm deadlines and potential consequences for non-compliance underscore the critical importance of cybersecurity in today's digital landscape. As such, the successful execution of UCR's security program now necessitates the active cooperation and participation of all faculty, staff, and students. As highlighted by the Provost, everyone plays a crucial role in maintaining a secure digital environment, and collective efforts are essential to protect our research and personal data, prevent cyberattacks, and ensure the continued success of the University's mission.

Select a tab below to view key takeaways from the letter and UCR's planned response:

Call to Action
Scope
Campus Consequences
Outcomes to Be Achieved
Your Role

The UC President's letter calls for all UC campuses to achieve key cybersecurity outcomes by May 28, 2025, to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks.

The UC President's letter explicitly states that all UCR units and employees, including faculty, must comply.

Note: Students are exempt unless they are administrative (non-academic) employees of the university

As stated in the UC President's letter, campus consequences for non-compliance include:

15% increase in cyber insurance premiums
Up to $500,000 in costs for security incidents
Merit increases for unit heads require Chancellor's approval

According to the the UC President's letter, all UC campuses are expected the achieve the following outcomes by May 28, 2025:

Ensure 100% of faculty and staff complete cybersecurity awareness training.
Ensure timely escalation of security incidents by adhering to UC incident response and cybersecurity escalation standards.
Identify, track, and manage vulnerabilities of all devices that connect to campus resources.
Deploy UC-approved Endpoint Detection and Recovery (EDR) software on 100% of assets.
Deploy and configure multi-factor authentication (MFA) on 100% of campus and health email systems.
Deploy and configure a robust Data Loss Prevention (DLP) solution for health email systems

UCR’s Information Security Office is responding to these requirements accordingly, with six projects that will achieve each of these outcomes.

UCR is currently implementing its plan to meet these new requirements, which includes the use of industry-standard security toolsets and best practices. The following campus enforcement measures apply to all UCR employees:

Completion of UC Cyber Security Awareness Fundamentals training to access UCR applications and resources
Installation and use of the three UCR-mandated security tool applications* in order to connect a device to UCR's secure networks and cloud resources
Although already required to access most secure UCR resources, multi-factor authentication (MFA) will now be required of anyone using campus and health email systems
Additional enforcement measures (guidance will be provided as soon as details are available)

*These tools will be provided to employees at no cost. Employees who use devices that are not managed by ITS or their local IT department will need to install the tools themselves. Resources will be provided in the coming months.

Complete the UC Cyber Security Awareness Fundamentals training

To maintain access to UCR applications and resources, all employees need to complete the UC Cyber Security Awareness Fundamentals training every year when prompted by the UC Learning Center (LMS).

Completion of the mandatory Cybersecurity Training is crucial to your annual performance appraisal (employee evaluation), and noncompliance will impact your merit award.
Supervisors will ensure that all employees comply with their training requirements.

View the completion status of your training

Secure Your Devices

As part of UCR's plan to meet the new UCOP mandate, our campus policy now requires that three industry-standard security toolsets be installed and run on all devices that connect to secure UCR networks and cloud resources. All devices must be in compliance by May 28, 2025.

Download the Toolset

LEARN MORE ABOUT THE TOOLSET

Verify Your Identity with the UCR Authentication Application

Use Duo Mobile, UCR's official MFA tool, to further secure your account when accessing UCR applications and resources.

Get Started with DUO Mobile

Learn about Duo Mobile

Security Investment Roadmap

Campus completion of UC Cyber Security Awareness Fundamentals training and use of the three UCR-mandated security tool applications is an important first step in meeting the required cybersecurity outcomes. The campus can expect that additional measures will be implemented as UCR works to come into full compliance.

We are committed to transparency throughout this process. Information about these next steps will be communicated to campus on this webpage and, where possible, through other campus communication channels and forums, including town halls. Regular progress reports on our collective compliance will be provided to campus leadership, including deans, vice chancellors, the Vice Provost, the Provost, and other unit leaders and stakeholders. These reports will highlight our achievements and identify areas that require improvement.

UCR Secure Trust Program

While the UC Cybersecurity Mandate 2025 catalyzes immediate action, it's important to understand that UCR has already embarked on a journey to enhance its information security through the UCR Secure Trust program. This program is based on the Zero Trust security model, which prioritizes security at every layer of the technology stack, from network and device to user and application. The UCR Secure Trust program is built on five key pillars: Identity and Access Management (IAM), Managed Endpoints, Application Security, Network Segmentation, and Data Security.

The UC mandate aligns with and reinforces the goals of the UCR Secure Trust program. While the mandate requires specific actions to be taken by a certain deadline, the UCR Secure Trust program provides a broader framework for continuous improvement and long-term cybersecurity resilience.

By combining the immediate actions required by the UC mandate with the comprehensive approach of the UCR Secure Trust program, we are confident in UCR’s ability to create a safer and more secure digital environment for our entire Highlander community.

UCR’s Information Security Office

The UC Riverside Information Security Office is here to inform and support UCR and its associated communities to improve UC Riverside’s information security posture. This will help the community securely generate, advance, disseminate, and apply data and knowledge as it pursues the UC mission of teaching, research, and public service.

Frequently Asked Questions

Will these tools monitor my personal activity, emails, or browsing history?

These tools are designed to protect against cybersecurity threats. They focus on detecting unusual, malicious, or potentially harmful activity and not on monitoring personal information.
Will these tools slow down my device or interfere with my work?

We've carefully selected tools that are lightweight and have minimal impact on device performance. It is worth noting that these tools are not new. UCR currently utilizes these tools but now must expand coverage across campus to strengthen security. If you experience any issues, please submit an IT ticket.
Will I be able to control the settings or disable these tools if needed?

Settings on IT-managed devices will be managed centrally to ensure optimal security. For personal devices, you will have some control over settings, but default configurations should be preserved for maximum protection and program compliance. Please note that noncompliance will result in the inability to access secure UCR resources and applications.
Why are these tools necessary?

Universities are among the most targeted entities by Nation States and other bad actors, and their attempts to attack us are becoming more sophisticated and frequent. Each tool in the UCR security toolset serves a unique and important purpose. Together, these tools provide an additional layer of protection for our University data and systems and, importantly, your sensitive personal and financial information.
What happens if a threat is detected?

The tools will alert the ITS Information Security Office. UCR’s security professionals will then take appropriate action to investigate and mitigate the threat while adhering to strict UC and campus privacy policies and industry-standard operating procedures.
Do I need all three tools?

Yes, each tool is crucial in fulfilling UC's security requirements. To learn about the role of each tool, please refer to the “Tools to Protect Your Work and Preserve Your Legacy” section.
Will ITS or any of the tools be able to read my email?

The security tools are not designed to read your email content. Their purpose is to protect your device and university data, not to monitor personal communications. In the event that a potential threat is detected, the ITS Information Security Office is required to investigate while adhering to strict UC and campus privacy policies, including the UC Electronic Communications Policy.
What happens if I don't follow the mandate?

The UC President's letter outlines the campus consequences of non-compliance. In an effort to mitigate these consequences, UCR’s security plan employs additional consequences, which include but are not limited to restricted access to campus resources (such as networks, WiFi, and online service applications). These measures are necessary to help ensure the safety and security of both the UCR community and our larger UC community.
How do these requirements impact students?

These requirements do not directly impact students, however, student employees are required to complete the UC Cyber Security Awareness Fundamentals training. Moreover, non-academic student employees must use a compliant device when conducting university business.
Are personal devices, such as BYOD, included in the mandate?

Yes, the security tools must be installed on personal devices if the user wishes to connect to secure UCR resources and applications that hold sensitive institutional data. Mobile devices (phones and some tablets) are not currently subject to the same requirements.
Are mobile devices included in the mandate?

No, mobile devices such as phones and tablets* are not subject to the same requirements as computers and laptops under the mandate.
That said, it is still crucial to secure your mobile devices to protect your data. To safeguard your data, utilize complex passwords or biometric authentication, maintain up-to-date software, and exercise caution when using public Wi-Fi for sensitive activities. Be sure to remain vigilant against phishing attempts and establish regular data backup routines. For more information about best practices, refer to Mobile Security Guidance.
*Note: Microsoft Surface Tablets require installation and use of the security tools.
Will the mandate still go into effect now that President Drake is stepping down?

Yes, the mandate remains in effect. While President Drake has communicated the mandate, it is a directive endorsed and supported by the UC Regents, the governing board of the University of California. This ensures the mandate's continuity and prioritization as a critical component of UC's cybersecurity strategy, regardless of leadership changes.

More Resources

Learn from the experiences of other institutions that have faced cyber threats and understand the potential impact of cyberattacks on universities by visiting "It Happened to Us." For those using university-managed devices, Secure Device Services (SDS) ensures that your devices meet UCR's security standards, safeguarding your information and the university's network. If you suspect any security breaches or have concerns, report them promptly to help protect yourself and the UCR community by contacting abuse@ucr.edu.