In a letter addressed to all University of California campuses, the UC President has called on each campus to achieve key cybersecurity outcomes by May 28, 2025, to help protect sensitive data, maintain operational continuity, comply with regulations, and mitigate financial risks.
The UC Cybersecurity Mandate catalyzed immediate action and enhancements to UCR’s implementation of a comprehensive information security program, which was already in motion. As part of this program, and in response to the UC Cybersecurity Mandate, UCR must implement key information security measures that will help ensure our campus meets UC’s cybersecurity requirements and, more importantly, better protect our Highlander community.
High-Level Timeline of Key Milestones
Below is a high-level timeline and overview of security plan milestones that require active engagement from faculty, staff, and, in some cases, students.
● November 2024 (ongoing) - Campus-wide rollout of UCR-mandated security toolset for those who are not on UCR Secured Device Services. Installation and use of this toolset is required on any device that is used to perform University work. Learn more about the security toolset and how you can download it to your device if you are not using an IT-managed device.
● December 2024 - Enforcement of multi-factor authentication (MFA) on all campus and health email systems (learn more).
● January 2025 - Campus leadership to report out whether or not we are 100% current on mandatory cybersecurity training. As the campus must be 100% compliant by May 2025, planned enforcement measures will be communicated at this time (learn more).
● February 2025 - Multi-factor authentication process will change to improve identity verification. Changes will include authentication via “verified push” and the sunsetting of SMS and phone call options.
November 2024: Campus-wide rollout of UCR-mandated security applications (ongoing)
The UCOP letter calls for specific outcomes to be achieved, including “Identify, track, and manage vulnerabilities of all devices that connect to campus resources” and “Deploy UC-approved Endpoint Detection and Recovery (EDR) software on 100% of assets.”
To meet these outcomes by the May 2025 deadline, UCR has identified three industry-standard security tool applications known for their effectiveness in helping organizations identify and manage vulnerabilities, mitigate risks, monitor systems for signs of cyber threats, and keep track of vital data.
As of November 2024, our campus policy requires that these security applications* be installed and run on all devices that connect to secure UCR networks and cloud resources. ITS and local IT departments are currently working to deliver these tools to IT-managed devices. However, faculty and staff who manage their own devices are required to download these tools from the UCR Security Toolset webpage and complete the installation.
If you have any questions or concerns about the UCR-mandated security applications or you would like to request assistance with installing the toolset on your device, please join the Information Technology Solutions office hours. You will find the schedule below:
● December 6, 2024 at 1:00 PM (join meeting)
● December 11, 2024 at 1:00 PM (join meeting)
● December 17, 2024 at 11:00 AM (join meeting)
● January 16, 2025 at 10:00 AM (join meeting)
● January 24, 2025 at 11:00 AM (join meeting)
● January 30, 2025 at 11:00 AM (join meeting)
*These tools are provided to employees at no cost. Employees who use devices that are not managed by ITS or their local IT department will need to install the tools themselves.
December 2024: Enforcement of multi-factor authentication (MFA) on all campus and health email systems
To meet the outcome of “Deploy and configure multi-factor authentication (MFA) on 100% of campus and health email systems,” on December 2, 2024, UCR enforced MFA on all campus and health email accounts, including both individual and ORG email accounts. Identity verification via MFA means that every time a Highlander logs into email and other secure UCR resources, they are required to authenticate their login with a registered personal device.
Details of the change and its impact, as well as additional instructions and action items, are included in ITS’ direct email communications to all affected Highlanders.
January 2025: Achieve 100% completion rate for mandatory cybersecurity training
All university employees are already required to stay current on mandatory training courses in the UC Learning Center. Unfortunately, our campus is not currently at the 100% completion rate outlined in the UCOP letter. Beginning in January 2025, all faculty, staff, and student employees will need to complete and remain current on the UC Cyber Security Awareness Fundamentals training in order to maintain access to UCR applications and resources. More details about the planned enforcement measures will be announced to campus soon.
February 2025: Launch of Duo verified push and sunsetting of SMS and phone call MFA options
To further bolster campus security and help ensure access is being granted appropriately, UCR will upgrade the Duo MFA process to offer a new suite of authentication options. In February 2025, Highlanders will be asked to use Duo verified push to authenticate, which requires entering a unique code in the Duo Mobile app when prompted upon login to a secure UCR resource. Other configurable authentication options will include biometrics, which use the device’s touch or face ID functionality to verify identity.
Currently, options to verify identity upon login include the ability to receive a phone call or an SMS text message with a one-time code. Both of these less secure, costly forms of authentication will be retired with the launch of Duo verified push. This change will require all Highlanders to have a personal device that is not only registered with their UCR account but also uses the official Duo Mobile app to receive push notifications.
UCR employees with accessibility concerns can request accommodation from the Workers' Compensation and Disability Program (WCDP), while students can request accommodation from the Student Disability Resource Center (SDRC). Once the request is approved, WCDP and SDRC will work with ITS BearHelp to obtain an alternate authentication option.
Additional communication regarding these planned changes will be provided in the coming weeks. To learn more about the UC Cybersecurity Mandate, UCR’s security investment roadmap, and the role you play in helping us better protect our campus, please visit the ITS website.