• Download Final Report

Educause CPPC 2025 RRCoP Workshop Report:
Building Sustainable Research Compliance Documentation

May 19, 2025

Baltimore, Maryland

Report date: July 21, 2025

Workshop Organizers and Report Writers:

• Damon Armour, North Carolina State University

• Louis Daher, Michigan University

• Ryan Duitman, University of Arizona

• Carolyn Ellis, Arizona State University

• Erik Deumens, University of Florida

• Will Drake, Indiana University

• Wendy Epley, University of Arizona

• Irene Kolaliani, Princeton University

• Chris Kurtz, Arizona State University

• Laura Raderman, Carnegie Mellon University

• Owais Raza, Duke University

• Barbara Schnell, University of Colorado

• Amy Starzynski Coddens, University of Wisconsin

Introduction

The effort to safeguard federal government data in the U.S. started with 9/11 and resulted in NIST SP 800-53 and the Federal Information Security Management Act (FISMA) of 2003. At the time every compliance artifact was in the form of paper. That was the format in which the System Security Plan (SSP) was created, maintained and distributed. With complex information systems, there is a constant stream of changes that all must be properly documented. As a result, keeping compliance documentation up to date requires several FTEs to do. 

Now, in 2025, the old process of maintaining the SSP is no longer viable. Changes still occur frequently and may be documented by the staff responsible for the activity (e.g., creating a new user). However, these updates are often recorded in other systems, such as a case management system or internal wiki, not in the SSP of record. Then during the next audit, the auditors will report a finding when they see that the actual procedure observed does not agree with what is written in the SSP.

This workshop brought together individuals involved in operating and maintaining systems that must meet compliance requirements and are subject to audit. The goal was to identify challenges in maintaining the SSP in a way that is sustainable, affordable, timely, and accurate, and to gather community input on potential solutions.

[ Download Final Report ]