Dear Gayle and Tamera,
We write to ask about the “Procuring Cloud-Based Applications and Services” policy that seems to have recently appeared on the RF website: https://www.rfcuny.org/RFWebsite/principal-investigators/procuring-goods-services/procuring-cloud-based-applications-and-services/
The policy appears on the RF website, but not on CUNY's. Also, the text begins with “CUNY is changing…”. Is this an RF policy or a CUNY policy? It is therefore unclear to whom to direct our query, the RF or CUNY, and so we write to you both.
The policy has important implications for the manner in which faculty across the University conduct their work. However, institution of this policy appears to have taken place absent any faculty consultation whatsoever. (Please correct us if we are wrong.) Many of us have been involved with CUNY’s COACHE-based efforts to address faculty dissatisfaction and discontent. From where we sit, it appears as if one CUNY unit is busy putting out fires, while another, in effect if not in intent, works to start fires; this is very dispiriting to faculty.
In light of the below, we ask that the above policy be withdrawn, and that it be remanded for revision by the appropriate CUNY office in consultation with the University Faculty Senate and the Research Foundation Faculty Advisory Council.
Among other issues, revision of the policy should address the following questions:
What problem does this policy solve? We read: “...while addressing concerns pertaining to information security, data privacy, duplicative purchases, and the transmittal and storage of non-public University information.” This is certainly a worthy concern. However, CUNY’s Computing & Information Services Department already lists four policies that address all of the areas of concern, except for duplicative purchases (IT Security Procedures - General (2014), IT Security Procedures - Data Classification Standard (2019), IT Security Procedures - Acceptable Use of University Data in the Cloud (2019), and Acceptable Use of Computer Resources).
Also, in what ways does this process overlap with and differ from other regulatory approvals that researchers have already obtained, and what happens when they conflict? For example, CUNY’s Office of Research Compliance oversees the IRBs, which also take a significant role in approving the use of software when it is being used for human-subjects data collection. Many of the questions in the application seem to duplicate what we must already address with the IRB. What happens if we are approved to use and pay for software through this process but the IRB does not recognize it as secure? Or what if the IRB has already approved software that is essential to research, which we may be unable to continue using due to this new RF process?
Thus, it is unclear what, if anything, the new policy does, other than being, well, duplicative. We argue that this policy is unnecessary.
Finally, we address the one remaining issue, duplicative purchases, below.
We are dismayed to read that the policy requires faculty to go through a 2-3 month CUNY approval procedure; this is a breathtaking delay, and amounts to the raising of serious barriers to faculty research efforts. For example, some of our colleagues employ a dozen or more covered products or services; asking them to wait 2-3 months (times 12?) will decimate their research programs. Similarly, a 2-3 month delay will also cripple the efforts of faculty with more modest research resources. CUNY already places a choking administrative burden on faculty efforts; CUNY should be reducing the administrative burden on faculty, not adding to it.
This is a new policy being rolled out with no announcement and no lead time; major policy changes like this should be announced and given 6-12 months before implementation to allow faculty time to prepare. This is essential both for faculty already using software that may need to be renewed soon, who were never told they would need to go through a 3-month approval process, and for faculty who are writing grants, which routinely include the use of specialized software and are often on tight 2-3 year timelines, for which a 3-month approval for a simple piece of software is a high burden. Building this into timelines is critical, which the policy itself explicitly acknowledges (e.g., “It is important to budget the 2-3 month lead time into the timeline of the project”), yet faculty have been given no opportunity to actually do so.
The policy seems to be touted as both broadly applicable [e.g., “Cloud-based applications and services include file storage, social media, and content hosting (e.g., Microsoft Office, 360, Dropbox, Twitter, and Facebook)”] and difficult [e.g., “There is approximately a 2-3 month lead time for both CUNY campus IT manager/CISO authorization and CUNY Office of General Counsel review and approval when initiating this type of request”]. Both aspects need to be seriously reconsidered.
Will software/services currently being used, and having been successfully charged in prior years, be grandfathered in or provided with expedited review? PIs had no time to build this new process into their timelines and, especially given the other difficulties faced this year, this could significantly undermine research productivity. Not doing so is inexplicable.
Also, it is axiomatic that faculty using software/services for which they are currently paying will transition to CUNY-provided software/services if and when practical. No faculty member will pay for something that CUNY provides gratis, unless absolutely necessary. The policy, if indeed it is necessary, should provide for the same.
Does this apply equally to all types of RF funding sources (4th, 5th, 7th, 9th ledger)?
Will the same software require this process every time a new charge is to be made or a license is to be renewed (e.g., does an annual license for the same software have to go through this process every year)? Similarly, will RF or CUNY make any attempt to develop a list of pre-approved software that is already being used within the CUNY system, for an expedited form of this review (e.g., CUNY already has licenses for Dropbox; if a researcher needs to use Dropbox to coordinate file sharing for a team funded by a federal grant, how much of this process is really relevant)? Both of these questions seem essential to reducing the burden on both the faculty and RF sides.
Will support be provided for faculty in understanding the security requirements while filling out the paperwork? This is not necessarily an area of specialization for many faculty.
Can some more specific criteria be put in place to help both the faculty and the RF staff determine when this policy applies? An initial checklist that is not as onerous as the 7-page security questionnaire would be helpful. For example, faculty routinely use software like social media for the purpose of posting advertisements; based on the description in the policy, social media sounds like it needs this level of review, but when social media is being used for advertising and not for any form of cloud-based service, does the policy still apply? Relatedly, if software is installed directly onto a machine and operates/saves locally, this would not meet the definition of cloud-based software. Will this be made explicit, and will there be a way for faculty to verify that they can procure such software normally (e.g., data analysis packages that simply run on a designated computer and access data locally without any cloud-based communication)?
Will faculty receive guidance to help them pre-determine software that may be inappropriate for use and unlikely to pass through this process successfully? Given the purposes of this new process, some degree of education regarding appropriate use of software, minimum expectations for security standards, etc., would be both highly informative for faculty and would also significantly reduce the use of this process for software that might easily be deemed inappropriate from the outset, if people know what to look for.
Can additional details be provided about how to initiate and proceed through the process? Offices are named, but no centralized submission email accounts are noted, nor are specific contacts provided. Will RF be submitting to each office, or does the PI handle this separately and then apply to RF once approvals are given by the CISO/GC? Either way, will there be at least a centralized email (or emails) akin to RF’s procurement email, if not an electronic system? As of now, we can imagine faculty emailing many different people in their quest to begin the process.
What is meant by the following: “PIs will be 100% liable for the cost and all applicable fines or penalties (federal, state, or city).”? Which costs, fines, or penalties?
Thank you. Best,
David Jeruzalmi for the CUNY-RF Faculty Advisory Council