The Research Ecosystem for Encumbered Data (REED+) at Purdue University (https://www.rcac.purdue.edu/compute/reed), funded under the Office of Advanced Cyberinfrastructure (OAC #1840043), is a vision to implement a cost-effective ecosystem to manage regulated data. Researchers at Purdue, led by Preston Smith, Director of Research Services and Support, developed a strategic framework to address the compliance requirements for Controlled Unclassified Information (CUI) which is appearing in research sectors, e.g., defense and aerospace.
The foundation of the REED+ framework integrates NIST SP 800-171 and other related publications, including NIST’s Cybersecurity Framework (CSF) and the Big Ten Academic Alliance guidelines. It is intended to serve as a standard for campus IT to align with security regulations and best practices. Leveraging the framework, a single process for intake and contracting can be followed by the university’s Sponsored Programs Office (SPS), Human Research Protection Program (which oversees the IRB), Export Controls and Research Information Assurance (EC/IAO), and Information Technology at Purdue (ITaP) Research Computing division (formally the Rosen Center for Advanced Computing, or RCAC). Moreover, the framework also facilitates a tractable mapping of controlled research to cyberinfrastructure (CI) resources. The overarching goal of the REED+ framework is to enable researchers, administrators, and campus IT to better understand complicated data security regulations affecting research projects.
To assist in developing the framework, Trusted CI engaged with the REED+ team at Purdue from January through June of 2019. The initial step in the engagement was a review of existing documents and processes, followed by exploring proposed policies. Trusted CI found the flow of REED+ framework sound, and soon switched to working with Preston’s team in focusing on specific aspects of the process, e.g., providing controlled research ‘use cases’. The engagement proved especially rewarding, as both the REED+ researchers and Trusted CI came away from the engagement with a greater understanding in the nascent and vanguard processes involved in handling CUI compliance in the domain of research and education.