Dealing with Controlled Unclassified Information (CUI) – Notre Dame

Bob Winding and Kolin Hodgson from Notre Dame

How do you know you have CUI in a contract? Look for DFARS 252.204-7012, which requires all DoD contractors and subcontractors to comply with NIST 800-171 and to report incidents within 72 hours.

NIST 800-171 has 14 families of controls, with 109 controls.

C3 project scope – compliance with national research compliance standards. Decided to do it in AWS GovCloud with NIST templates.

No easy way to isolate sensitive data on campus.

They have a new domain not connected to campus, but federated with ADFS. AWS has a document that defines the ITAR boundary. They use Cloud Protection Manager to do backups in GovCloud. There is a Shared Services hub, and each research project or team gets a separate account. CloudWatch and CloudTrail events are sent to a separate security account. They started with Lambda functions, but now use an event bus to send CloudWatch events to the security account.
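The per-account forwarding described above, as an added example that is not Notre Dame's own template: two CloudFormation templates in one YAML file (split at the `---` before deploying), one for the security account and one for each research project account. The bus name `cui-security-bus`, the parameters and the resource names are assumptions; CloudWatch Events is now EventBridge but the `AWS::Events::*` resource types are unchanged, and `${AWS::Partition}` resolves to `aws-us-gov` in GovCloud so the ARNs stay correct there.

```yaml
Parameters:
  ResearchAccountIds:
    Type: CommaDelimitedList   # assumed: one account ID per research project/team
Resources:
  CuiSecurityBus:
    Type: AWS::Events::EventBus
    Properties:
      Name: cui-security-bus   # assumed name; the research accounts target it by ARN
  CuiSecurityBusPolicy:        # only the listed accounts may PutEvents; nothing else
    Type: AWS::Events::EventBusPolicy
    Properties:
      EventBusName: !Ref CuiSecurityBus
      StatementId: AllowResearchAccountsPutEvents
      Statement:
        Effect: Allow
        Principal: { AWS: !Ref ResearchAccountIds }
        Action: events:PutEvents
        Resource: !GetAtt CuiSecurityBus.Arn
---
# Each research project account: forward CloudTrail-derived events (API calls, console sign-ins) without Lambda.
Parameters:
  SecurityAccountId:
    Type: String               # assumed: the security account's 12-digit ID
Resources:
  ForwardRole:                 # EventBridge assumes this to write to the remote bus
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: events.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: PutEventsToSecurityBus
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: events:PutEvents   # least privilege: this one bus only
                Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${SecurityAccountId}:event-bus/cui-security-bus
  ForwardCloudTrailEvents:
    Type: AWS::Events::Rule
    Properties:
      EventPattern:
        detail-type: ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"]
      Targets:
        - Id: cui-security-bus
          Arn: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${SecurityAccountId}:event-bus/cui-security-bus
          RoleArn: !GetAtt ForwardRole.Arn
```

Rules in the security account then match on the forwarded events' `account` field, so a project account can never be mistaken for another.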

They have the ability to burst to on-campus HPC. Many jobs (e.g. multiple MATLAB simulations) work fine in AWS, but InfiniBand MPC kinds of low-latency jobs don't. They're building a secure enclave on campus that can be tunneled to from AWS, a "reverse hybrid model". The research computing folks will manage the on-prem enclave from GovCloud. They're using Ericom Connect to do the virtual app streaming; it outperformed local machines in almost every case. The audit boundary is defined as the RDP client on the university-owned device.

Printing is not allowed.

A GovCloud account is actually a child of a commercial account, and the root account is in the commercial account. If you delete the commercial account, the GovCloud account goes away. It can take a few days to get a GovCloud account.

Issues – need to partner with the Research group. Pushback from researchers on what's really needed; software licensing; breaking out costs.
