Inside UCR

UCR's plan to comply with the UC cybersecurity mandate

May 19, 2025
Dewight Kramer
Chief Information Security Officer
Information Technology Solutions
May 19, 2025

This announcement is an update to my March 24 message to campus about UCR’s compliance support plan for UC Cybersecurity Mandate 2025. 

As an important reminder, UCR has developed compliance support measures to ensure our campus meets the six UC-wide cybersecurity requirements. These measures are crucial for enhancing UCR’s security and aligning with UC expectations, and additional measures may be implemented as we work toward full compliance. 

Take the UC Training

●    Requirement: Timely annual completion of the UC Cyber Security Awareness Fundamentals training (this has long been a required training for all UC employees).

●    Compliance Support Plan Update

     ○    June 1, 2025: Employees who remain or become non-compliant will be restricted from accessing UCR systems (except        for the UC Learning Center to complete the training). The exact enforcement date will be communicated once determined.

●    Required Action: Complete and remain current on your required annual UC Cyber Security Awareness Fundamentals training via the UC Learning Center: ucrlearning.ucr.edu.

Use the Security Toolset

●    Requirement: Installation and use of the UCR-mandated security toolset on all devices connecting to UCR’s secure resources.

●    Compliance Support Plan Update 

     ○    May 2025: UCR has upgraded its Duo service, our identity security provider, to leverage Duo Desktop as a mechanism       for ensuring compliance with the UCOP cybersecurity training and device security requirements.

     ○    June 15, 2025: Secured access checks will commence, beginning with a select few UCR applications. These applications will be inaccessible to those users and/or devices that are not compliant with the UCOP cybersecurity training and secured device requirements.

             ■    As communicated previously in an update to campus, the compliance support plan for the UCR Security Toolset               is phased. This means that initial secured access checks will restrict non-compliant devices from accessing a select               number of UCR applications. Over time, more UCR applications will be subject to the secured access check. 

             ■    The initial list of UCR applications subject to the secured access check, and therefore inaccessible to non-                         compliant devices or persons who have not completed their required cybersecurity training, is currently being                       finalized and will be communicated by May 31, 2025. 

    ○    ITS is working with campus leadership to finalize the secured access check rollout, which includes determining which applications will be subject to the check and when. Details will be shared as available.

●    Required Action: Devices managed by IT are already compliant. If you manage your own devices, you must install and run the security toolset if you plan to connect these devices to secure UCR resources. Guidance can be found on the security toolset webpage: its.ucr.edu/uc-security-toolset.

Why is Action Necessary?

As the Provost, CIO, and I noted in our original joint letter to campus, cyber threats are a growing concern, posing significant risks to UCR’s research, teaching, financial data, and the personal information of our community. To safeguard our academic pursuits and university operations, it is imperative that we strengthen our security protocols across the UC system. Watch this video message from the Provost, which highlights why we must take action now. 

Resources and Support

A dedicated webpage is available with detailed information, resources, and FAQs. Please continue to refer to this page for ongoing updates: its.ucr.edu/cybersecurity-mandate-2025.