Estimated reading time: 5 minutes
In early 2026, the Internet2 CLASS program launched the new Secure Research Environments series. The three-part series, comprising webinars and workshops, was built to help research and higher education (R&E) institutions navigate secure research and compliance in the cloud.
The informational webinars in the first phase of the Secure Research Environments series wrapped up on March 3. Phase 1 — which focused on institutional strategy — will conclude on March 31 with the “Stakeholder Identification & Governance Alignment Workshop”.
Catch Up on the Secure Research Environments Series
If you would like to review the recordings or slides from the Secure Research Environments series, please contact CLASS.
Over the course of the four webinars in Phase 1, our speakers and attendees have built a shared understanding of what it takes to stand up a secure research environment.
The picture that emerged from those webinars suggests that the solution to secure research is larger than any one team or technology.
This blog is the first of two posts that recap what we learned during the first phase of the Secure Research Environments series. In this blog, we will review lessons learned about institutional challenges and survey the compliance landscape.
The University Research Landscape Has Changed
The Secure Research Environments series got underway with guest speaker Mike Corn, an executive strategic consultant at Vantage Technology Consulting Group, who reviewed the secure research world we’re operating in right now.
Research cybersecurity isn’t a niche IT concern anymore; it is now geopolitical. Nation-state actors are targeting research institutions, and the regulatory landscape is catching up fast.
Between NSPM-33, the CHIPS and Science Act, and forthcoming NIST 8481 guidance, it is now clear that federal research agencies will require institutions to certify their cybersecurity programs. The ability to receive federal funding may be contingent on institutional acceptance of accountability for the cybersecurity practices of individual researchers.
Mike’s message during this session was direct: The “Not My Responsibility” era is over. Universities are now accountable operators of what is effectively regulated infrastructure. The operating model must change, and Mike encouraged everyone to get started as soon as possible.
Begin by identifying who owns research cybersecurity at your institution. If you don’t know the answer to that question, there is your starting point.
Research Cybersecurity is About People, Not Just Technology
In the second session of the series, we shifted our attention to the organizational and human side of secure research environments.
Dr. Bill Barnett, chief research computing officer at the University of Massachusetts Chan Medical School, led the webinar and provided a welcome reminder that this work is fundamentally about working with people.
According to Bill, most institutions know how to work between pairs of organizational functions:
- Research Administration bridges the “Accomplish the Mission” and “Manage the Work” sides of the house.
- Research Compliance connects “Accomplish the Mission” with “Protect the Organization.”
- Sponsored Programs links “Manage the Work” and “Protect the Organization.”
But who sits in the middle when all three need to come together to address research cybersecurity? That is the gap.
Filling that gap requires clear governance, cross-organizational commitment, and a defined project scope — not just a directive handed to IT.
Bill walked us through what it looks like to get started the right way. You have to articulate the “Why,” organize the right people across a governance stack (from executive sponsors to risk managers), and frame the work through a project charter with a clear vision, a defined mission, and measurable goals.
Purpose and commitment lay the groundwork. Critical roles live across the entire institution. Governance and clarity of scope are essential first steps for institutions.
Compliance Goes Well Beyond IT
On Feb. 17, 2026, Mary Duarte Millsaps, the director of Research Compliance at North Carolina State University, led a webinar session to help us see just how much of the compliance picture lives outside the boundaries of a technical implementation. She grounded attendees in regulatory specifics, walking everyone through Controlled Unclassified Information (CUI) rules, safeguarding requirements, and the full lifecycle from proposal identification through continuous monitoring to project closeout and data archiving.
Mary highlighted critical roles that many institutions have yet to define. An Affirming Official is a senior leader who certifies compliance under the False Claims Act, a significant source of personal and institutional exposure.
Meanwhile, an Empowered Official holds independent authority to stop research or export-controlled transactions, ensuring that security requirements aren’t subordinated to funding pressures or project timelines. These roles point directly back to the organizational challenges Bill raised in the second session of our series.
Mary also reminded us that many of the NIST SP 800-171 security control families have non-IT dimensions that require cross-functional coordination.
Who checks that users are authorized to be on a project? Who manages and tracks required training? Who reports an incident to the U.S. Department of Defense? These aren’t questions that IT can answer on its own. Getting the right people assigned to these responsibilities early is essential.
What is Next in the Secure Research Environments Series
The message from the first webinars in the Secure Research Environments series is that regulated research cybersecurity is real, urgent, and fundamentally organizational.
So, what does it actually look like to move a campus toward readiness?
We helped answer that question in the rest of Phase 1 of the Secure Research Environments series. Attendees learned what research computing teams should prioritize first and how one institution built a researcher-centered security program that accelerated (rather than impeded) research.
On March 31, we are running the “Stakeholder Identification & Governance Alignment Workshop” to help you put all of this information into practice at your own institution. Registration for the workshop is still open, though spaces are limited to the first 40 registrations.
Check back with Internet2 CLASS for more blogs about the Secure Research Environments series. If you haven’t already, join us for upcoming webinars and workshops so you don’t miss everything that is ahead.