The Office of Information Technology (OIT) and the Office of Research and Innovation (ORI) recently assessed the Secure University Research Environment (SURE) system and reported it as 100% compliant with NIST 800-171 to the Department of Defense (DoD).
A couple of years ago, OIT and the ORI initiated a security gap assessment for SURE, a secure cloud enclave, to comply with the:
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171,
- Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, and the
- Certified Maturity Model Certification (CMMC) Level-3 (L3).
NIST 800-171 compliance requires 110 controls to be fully met. CMMC L3 includes the 110 NIST 800-171 controls plus an additional 20 controls. OIT and ORI defined an approach to assess the SURE system and establish a Strategic Roadmap based on NIST and CMMC L3 requirements.
On July 30, 2021, the SURE system attested to be compliant with NIST 800-171. The next steps are to evaluate compliance with NIST 800-171 for DoD contracts in a hybrid approach, both cloud and on-premise, and identify necessary steps to achieve CMMC L3 over the next few years.
CMMC L3 compliance provides increased assurance to DoD that NC State can adequately protect federal contract information and controlled unclassified information at a level that is commensurate with the risk in case of a data breach or leak that could harm the university’s overall reputation and its ability to obtain DoD designated research contracts.
CMMC L3 compliance is achieved after an approved third-party certification is received. Certification is required before the execution of a contract with CMMC clauses. While a contract with this requirement could be received at any time, full DoD implementation is not expected until 2025. By 2025, all DoD contracts will have CMMC requirements. NC State SPARCS is reviewing all DoD contracts closely to ensure this requirement is flagged appropriately.
For questions about DoD NIST 800-171 and CMMC L3 requirements, contact: