REED system available for faculty with contracts that mandate strict IT controls

June 12, 2017

A new system known as the Research Environment for Encumbered Data (REED) provides a solution for an increasing number of Purdue researchers whose government contracts require adherence to the set of IT security controls defined in National Institute of Standards and Technology Special Publication (NIST SP) 800-171.

Typical university cyberinfrastructure – which is based on a model of collaboration and openness – doesn’t work for these contracts. But REED, a collaboration between ITaP’s Research Computing and IT Security and Policy units, is a secure, agile and scalable environment that allows researchers to manage their data while complying with the NIST requirements.

REED is built on Amazon Web Services’ GovCloud, a cloud computing platform intended for secure government work. The team that developed REED chose a cloud-based system in large part because it didn’t require any physical space at Purdue and could be up and running quickly. REED is designed specifically to meet the requirements of NIST SP 800-171 and can be customized to the needs of any researcher, whether they need a single workstation or are doing high-performance computing similar to Purdue’s community clusters.

Sponsored Programs Services reviews requests for proposals and awarded contracts for the NIST requirements to help faculty anticipate costs and set up a plan for compliance. Some researchers with these contract requirements may use a sponsor-provided solution. For faculty members who want to use Purdue’s REED system, Sponsored Programs will work with ITaP Research Computing, IT Security and Policy, and the Executive Vice President for Research and Partnerships to make sure REED is properly implemented.

Faculty who receive a contract with these requirements pay a base cost to begin using REED and then pay a monthly fee based on their usage within the Amazon cloud and on the Purdue effort necessary to perform the audit and security reviews required by NIST. REED can be used from any Purdue-owned and -managed computer and even off campus, with some limitations.

Although required compliance with NIST SP 800-171 is currently seen most frequently in Department of Defense contracts, experts in the field expect the scope of these regulations to widen and for them to appear in an increasing number of federal contracts.

The REED team has presented at industry conferences, including the Big 10 Alliance, EDUCAUSE, HTCondor Week and the Association of University Export Control Officers (AUECO). The reaction from other institutions has been gratitude, says Jason Stein, an IT security analyst who developed REED along with ITaP Research Computing’s Mike Shuey, Kevin Colby and Nick Smith and IT Security and Policy’s Justin Greer. Many other universities haven’t yet figured out their own solution for complying with these contract requirements and are looking to Purdue and REED as a model, Stein says.

To learn more about using REED, contact Preston Smith, director of research services and support for ITaP, or 49-49729.

Originally posted: June 12, 2017  3:08pm