September 12, 2024
Regulated Research Enclave (RRE) Authority to Operate
Reflecting our commitment to research security compliance, Information Technology Services, the MSU Research Security Committee and the University Research Organization have worked together to establish at MSU a secure computing environment required for work with Controlled Unclassified Information (CUI) and other controlled information. The requirements for this capability extend beyond federal funding agencies to state agencies that have concerns about data protection.
We are pleased to announce that the Michigan State University Regulated Research Enclave (RRE) has achieved a level of compliance with NIST Special Publication 800-171 sufficient to grant an Authority to Operate (ATO). Although the RRE will continue to evolve to implement certain controls that are still being addressed through active Plan of Action and Milestones (POAMs), the RRE meets federal standards for safeguarding Controlled Unclassified Information (CUI) within nonfederal systems.
Next Steps: Preparing for CMMC 2.0 Compliance
Looking ahead, the University will prepare for the upcoming Cybersecurity Maturity Model Certification (CMMC) 2.0, which will require third-party certification to demonstrate compliance with security controls for handling CUI. In the future, we will undertake the following steps:
- While the RRE has implemented the majority of NIST 800-171 security controls, a few specific requirements remain under remediation through Plan of Action and Milestones (POAMs). We are actively managing these tasks to ensure the RRE achieves full compliance.
- Once remediation is complete, we will engage a Certified Third-Party Assessment Organization (C3PAO) to conduct a formal evaluation of the RRE to meet CMMC 2.0 Level 2 certification requirements.
Authorization to Operate (ATO), Access Control, and Technical Facilitation
Effective immediately, the RRE is granted conditional Authority to Operate (ATO) based on its current NIST 800-171 compliance status and the active management of POAMs. This ATO allows the system to securely process, store, and transmit CUI in accordance with federal standards.
Authorization to use the RRE for individual research projects will be managed through the University Research Organization (URO) and the Office of Export Control and Trade Sanctions (ECTS) to document compliance with contractual and federal requirements for sponsored research. All research teams must coordinate with these offices to secure access to the Enclave based on the contractual requirements identified at the time of award and regulatory obligations of their specific projects.
Technical facilitation and onboarding for the RRE will be handled by MSU’s IT Research Cyberinfrastructure team in partnership with our Managed Service Provider. This partnership will ensure that all technical requirements are properly addressed to meet compliance and operational needs.
Key Action Items for Research Teams
- Follow existing research security policies to maintain secure operations.
- Coordinate with URO and ECTS to ensure proper authorization and access to the RRE, based on project-specific contract and export control requirements.
- Coordinate with the MSU IT Research Cyberinfrastructure team to align software, compute, and storage resources specific to the project within the RRE. This will include all required onboarding to comply with any participation restrictions and RRE training.
As we move toward achieving CMMC 2.0 certification, we will provide ongoing updates and support to ensure a smooth transition. For any questions or guidance, please contact the URO.
John D. Albrecht, Ph.D.
Executive Director, University Research Organization
Douglas A. Gage, Ph.D.
Vice President for Research and Innovation