3 posts tagged with "Compliance"

The Shared Responsibility Gap in Cloud Research Enclaves

· 18 min read
Thomas Samant
Senior Partner

Universities evaluating cloud platforms for regulated research typically start with a reasonable assumption: the cloud provider handles security, and the institution handles research. The shared responsibility model promises exactly this. The provider secures the infrastructure. The customer secures everything running on it.

In practice, "everything running on it" includes most of the controls that NIST SP 800-171 actually requires. Access management, audit logging, session isolation, media protection, incident response, and configuration management all remain the customer's responsibility. The provider secures the rack. The institution must still secure the research.

This is not a criticism of cloud platforms. It is a description of the model. The problem is that many institutions adopt cloud-based research environments believing they have purchased compliance, when what they have purchased is infrastructure.

The Research Funding You Cannot Compete For

· 7 min read
Thomas Samant
Senior Partner

Federal research funding at U.S. universities reached $64 billion in FY 2024. A growing share of that money now requires the receiving institution to handle data inside a compliant secure enclave. Institutions that do not have one cannot bid on the contracts, cannot access the datasets, and cannot participate in the collaborations. The funding does not go away. It goes to institutions that are ready.

This is not a future problem. CMMC Phase 1 is in effect. NIH's NIST 800-171 requirement for controlled-access data took effect in February 2026. The FAR proposed rule will extend the same requirements to every federal executive agency. Universities that have not invested in a secure research enclave are already losing ground.