Michigan State University has earned Cybersecurity Maturity Model Certification (CMMC) Level 2 for its Regulated Research Enclave (RRE), marking a major step forward in protecting regulated research data and expanding opportunities for federally funded projects.
Validated through a Certified Third-Party Assessment Organization, the certification confirms that MSU’s RRE meets U.S. Department of Defense (DoD) requirements for handling Controlled Unclassified Information (CUI), enabling researchers to compete for projects that require advanced cybersecurity safeguards.
The RRE was developed in support of MSU’s 2030 Strategic Plan, which calls for reaching $1 billion in annual research expenditures and expanding the university’s capacity for high-impact research.
In Fall 2021, MSU’s Office of Research and Innovation partnered with MSU IT’s Information Security and Research Cyberinfrastructure teams to assess how the university supports research involving regulated research. That collaboration led to the creation of the RRE, which was built with a third-party partner, Planet Technologies, as a secure, cloud-based environment designed specifically to meet federal cybersecurity requirements for CUI.
Today, the RRE provides researchers with a compliant space to collaborate, analyze data and conduct research involving CUI, while remaining fully isolated from the campus network to meet strict regulatory standards. It also offers flexible capabilities, through the use of a virtual desktop, to more advanced, scalable research environments that support a wide range of research needs.
With CMMC Level 2 certification in place, MSU is now positioned to compete for and accept Department of Defense research awards that include federal cybersecurity requirements.
The certification also strengthens MSU’s overall compliance posture by validating the governance, documentation and controls required to securely manage sensitive research data. This reduces institutional risk while establishing a scalable model to support future needs, including export-controlled and other sponsor-restricted research.
“CMMC Level 2 certification reduces enterprise risk while easing the compliance burden on faculty,” said John Furcean, director of Research Technology within the Office of Research and Innovation. “This milestone reflects the strong partnership between OR&I and MSU IT to provide a secure, centrally managed environment where researchers can focus on their work while MSU maintains the safeguards required for sensitive and regulated research”
The certification reflects the expertise and dedication of MSU IT staff who helped design, implement and secure the RRE. Key contributors include Shawn Fulton and Mark Szymczak from MSU IT Security, and Justin Booth, Brad Fears, and Ryan Mosley from MSU IT Research Cyberinfrastructure.
“To meet the federal regulations, MSU was required to have the certifications in place by November, 2026,” Booth said. “The team was able to complete the certification six months ahead of schedule. We did a mock assessment in January and went through all of the required 110 security controls for certification. No errors where found, which allowed the team to complete the full certification in April without issues.”
Completing both assessments without errors on the first attempt reflects the strong preparation and thoroughness of the teams. In collaboration with campus partners, they ensured the RRE met all 320 assessment objectives with no deficiencies identified.
“This was a very successful collaboration and a great example of what we can accomplish together as a team,” Fulton said. “Earning CMMC Level 2 certification is an important first step in building a strong foundation for regulated research at MSU. But the work doesn’t stop here. We’ll continue to assess and strengthen our environment through ongoing reviews to ensure we meet evolving requirements and support our researchers well into the future.”
The successful certification of the RRE positions MSU ahead of evolving federal cybersecurity requirements while reinforcing its leadership among peer institutions.
The CMMC Level 2 certification safeguards MSU’s research enterprise, expands opportunities for faculty and students, and ensures the university is ready to meet the growing demands of secure, high-impact research.
