SURE provides safe haven for research
SURE gives us an approach we can replicate for how we can efficiently develop similar environments for other purposes.
Director of OIT Information Security, Risk and Assurance
When NC State campus researchers seek OIT’s help to store their data in a secure environment, the answer is SURE!
Developed in 2018 by OIT and the Office of Research and Innovation (ORI), the Secure University Research Environment (SURE) provides university researchers with a fully secured enclave in the cloud that complies with numerous stringent security controls required to protect their research data from increasing cyber threats by cybercriminal organizations and nation-states.
In July 2021, NC State achieved 100% compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 and the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to use the Department of Defense (DOD) Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in the SURE.
Throughout this fiscal year, OIT worked collaboratively with ORI to continue to meet the many challenges to maintain full compliance.
DOD Cybersecurity Maturity Model Certification Program
One of NC State’s biggest research endeavors is funded by the DOD, which considers cybersecurity a top priority. The DOD served as the main source of updated security requirements — primarily per its Cybersecurity Maturity Model Certification (CMMC) program which is being finalized.
OIT engaged Deloitte in January 2021 to conduct a compliance assessment for SURE against NIST 800-171. When OIT Security and Compliance lost its primary SURE-dedicated resource to attrition in June 2021, OIT extended its engagement with Deloitte to fill this gap and to identify and address gaps to provide effective and continuous monitoring of SURE as well as to plan enhancements to meet upcoming compliance requirements. Following Deloitte’s recommendations, OIT and ORI have created new positions to ensure continued compliance.
Continuous Monitoring Process
Over the last year, the OIT Information Security Risk and Assurance (ISRA) team developed a continuous monitoring process for SURE to undergo frequent and automated reevaluations for updated security compliance requirements and ongoing improvements.
The continuous monitoring process divides the requirements into four evaluation segments, which help OIT and ORI comply with government regulations and provide the highest quality services and security for the campus research community.
“It has been important to emphasize the continuing programmatic aspect of security with our senior leaders to foster support for ongoing resources, which are critical for securing the foundation for future growth in research opportunities broadly, not just in government research,” said Mary Millsaps, director of research compliance at NC State, in a Wall Street Journal article. “We have had extended, detailed conversations with senior leaders to describe the resources and IT skills necessary to support this environment. This is an investment in our future both in research and as an institution of higher education.”
OIT’s highly collaborative effort succeeded in creating and maintaining a truly secure enclave for secure research at NC State, even as the requirements kept changing. The next steps are to evaluate compliance with NIST 800-171 for DOD contracts in a hybrid approach, both cloud and on-premise, and identify necessary steps to achieve upcoming CMMC 2.0 Level 2 compliance requirements over the next few years.
The university will be evaluating the expansion of the current enclave to include other campus resources such as high-performance computing (HPC).
In addition to planning for HPC, OIT formed a partnership with both ORI and the NC State University Libraries to form the Research Facilitation Service (RFS), which provides a single point of contact for research computing and data questions, strengthens communication among decentralized research service providers across campus, supports the continuous assessment of researcher needs, and offers advice on tools. The idea is not to add another service provider to campus, but to help each individual researcher connect with the specific providers they need.
“Modern data architectures involving cloud, storage, networking, and IT security require experts and compliance controls beyond the scope of a department or college,” says Marc Hoit, NC State chief information officer and vice chancellor for information technology. “The university-level RFS supports those needs,”
“There’s a growing expectation that CMMC requirements will expand across governmental bodies and higher education, which is prompting consideration of how NIST 800-171 can be applied in other areas in addition to research capabilities,” said Damon Armour, director of OIT ISRA. “Enterprise resource planning is an area that may be subject to these standards. For example, NC State is leveraging NIST 800-171 as the security framework for our student information system. SURE gives us an approach we can replicate for how we can efficiently develop similar environments for other purposes.”