NC State Leads the Way to Earn Cybersecurity Maturity Model Certification
“We were trying to anticipate the needs of our researchers and have an environment that was compliant.”
Mary Millsaps
Director of Research Compliance, Office of Research and Innovation
When new Department of Defense (DOD) requirements start showing up in research contracts at the end of the year, NC State will be ahead of the curve.
This spring, the university became one of the first across the country to complete a Cybersecurity Maturity Model Certification (CMMC) Level-2 (L2) third-party assessment.
DOD contracts will start requiring these stringent assessments in November. The CMMC program was officially established in a Dec. 2024 DOD final rule to verify contractors have implemented required security measures needed to safeguard sensitive federal information, including Controlled Unclassified Information (CUI).
“NC State was not reactive in this space but proactive,” said Mary Millsaps, director of research compliance with the Office of Research and Innovation (ORI). “We were trying to anticipate the needs of our researchers and have an environment that was compliant.”
SURE is a cloud enclave developed in 2018 by the Office of Information Technology (OIT) and ORI. The SURE team has worked since its inception to meet evolving federal cybersecurity requirements — completing a peer assessment, gap analysis and self-assessments leading up to this new third-party certification assessment.
Being one of the first schools to complete the process meant there were a lot of unknowns, said Adria Snead, a cybersecurity research analyst with OIT Security and Compliance.
“There was no blueprint for what this new third-party assessment would look like,” said Snead.
The level of detail the SURE team had to provide to the assessors was an impressive test of the environment’s effectiveness at securing CUI and the years of preparation leading up to it.
And it resulted in a culture change that will only strengthen SURE going forward.
“Going through the process was important for all of us as a team so that we could be at a level where we could get into the more challenging questions and be comfortable with that,” said Doug Lewis, a cybersecurity risk and compliance specialist with OIT Security and Compliance. “We learned to discuss controls from an auditor’s perspective.”
It’s also a testament to SURE’s cross-functional nature, as the assessment called on subject matter experts from across OIT and ORI. But it took time and dedication for the team to grow into what it is today.
“I think this is an indication of how the collaboration between ORI and OIT has really matured and become very integrated in the last five years,” said Millsaps. “We had a compliant environment, but lack of clarity around roles and responsibilities created inefficiencies and confusion.”
The team has worked hard to meet those challenges and ensure everyone is using a common language — making something like this CMMC L2 third-party assessment possible, she said.
“The SURE environment could not exist without both units working effectively and remaining in communication on and around the service,” said Aaron Peeler, an IT manager for OIT Shared Services and the SURE service owner.