Secure University Research Environment (SURE)
The Secure University Research Environment (SURE) was developed as NC State’s solution to safeguard Controlled Unclassified Information (CUI) and similarly controlled data, applications and research to standards required by the Federal Government, specifically the NIST SP 800-171 standard. These requirements are typically listed in the applicable research contract.
When would I use SURE?
Projects requiring the use of SURE are identified by the Office of Research and Innovation (ORI) – Office of Sponsored Programs and Regulatory Compliance Services (SPARCS) during the contract review stage for sponsored programs (most commonly identified by the inclusion of DFARS 252.204-7012). Once identified as a project contractual obligation, NC State researchers must use SURE to protect data developed for the project that is subject to a federally imposed dissemination restriction or security control. SPARCS will attempt to negotiate the removal of a dissemination control that appears overly restrictive to the project. Project data considerations include:
- SURE is required to handle/store data that may be considered CUI or otherwise implicated by federal security controls; specified DoD, CUI (as CUI is not always DoD-specified, but can come from other funding requirements)
- Project information already in the public domain does not require the use of SURE.
How does SURE Facilitate Secure Research?
- The virtual SURE workspace can be managed and accessed on your university-owned and -managed computer
- A shared project workspace within SURE allows collaboration and data-sharing with approved NC State team collaborators
- Provides compute, storage and networking services for contracts, grants and other collaborative awards that require enhanced security regulations and governance
- Project participants can be proposed and removed through submission of an online SURE Personnel Request
- Technical assistance available through ServiceNow Service Tickets (oit_sure@help.ncsu.edu )
- Advance notice of scheduled outages to ensure continuity of project simulations/tests
Current Capabilities within SURE
Before software and tools can be deployed within SURE, they must be evaluated for security compliance. The SURE team maintains the list of current capabilities in the documents below.
If you don’t see a computational tool or software that you will need for your research, please complete the SURE Capabilities Request Form as soon as possible to initiate that process.
What are the potential limitations of SURE on my research?
- SURE supports Windows and Ubuntu
- Software and applications that are not currently supported must be reviewed for compliance and compatibility with SURE and approved by OIT Security & Compliance
- High-Performance Computing (HPC) is not currently available in SURE
- SURE is not accessible outside the United States
- Printing capabilities require additional review and approval*
- Standard external storage (e.g., USB drives) is prohibited for CUI (see CUI-compliant Solutions)*
- Devices/hardware external to the SURE enclave can not receive transmission of CUI data without prior approval from ECO and OIT*
- Gmail and Google Shared Drive do not meet the security standards required for file-sharing or other collaboration involving CUI (see CUI-compliant Solutions)*
- NC State-hosted VoIP/Zoom conference cannot be used when sharing CUI
- SURE must be accessed from an NC State-owned/managed information system
- Once data is transmitted to a third party (sponsor, subcontractor, vendor, etc.), the data is out of SURE’s scope
- Project team is responsible for identifying recipient’s eligibility
*Must be coordinated with the Export Control Office and OIT and reflected in the project’s Technology Control Plan.
CUI-compliant Solutions
To address some of the limitations listed above, the following solutions — which must be closely coordinated with the Export Control Office (ECO) and OIT and documented in the project-specific Technology Control Plan (TCP) or TCP Amendment — have been approved:
- IronKey Encrypted External Drive is available for temporary use in coordination with ECO and OIT.
- CUI can be securely transferred to external partners/collaborators using Virtru — NC State’s compliant solution — or a Sponsor-approved solution.
If you believe you have a project that will require SURE but don’t see your computational needs addressed in the current configuration, please submit a SURE Capabilities Request.