Educause CPPC 2025 RRCoP Workshop Report:
Building Sustainable Research Compliance Documentation
May 19, 2025
Baltimore, Maryland
Report date: July 21, 2025
Workshop Organizers and Report Writers:
Damon Armour, North Carolina State University
Louis Daher, Michigan University
Ryan Duitman, University of Arizona
Carolyn Ellis, Arizona State University
Erik Deumens, University of Florida
Will Drake, Indiana University
Wendy Epley, University of Arizona
Irene Kolaliani, Princeton University
Chris Kurtz, Arizona State University
Laura Raderman, Carnegie Mellon University
Owais Raza, Duke University
Barbara Schnell, University of Colorado
Amy Starzynski Coddens, University of Wisconsin
The effort to safeguard federal government data in the U.S. started with 9/11 and resulted in NIST SP 800-53 and the Federal Information Security Management Act (FISMA) of 2003. At the time, every compliance artifact was on paper, and that was the format in which the System Security Plan (SSP) was created, maintained, and distributed. Complex information systems generate a constant stream of changes, all of which must be properly documented. As a result, keeping compliance documentation up to date requires several FTEs.
Now, in 2025, the old process of maintaining the SSP is no longer viable. Changes still occur frequently and may be documented by the staff responsible for the activity (e.g., creating a new user). However, these updates are often recorded in other systems, such as a case management system or internal wiki, not in the SSP of record. Then, during the next audit, the auditors report a finding when they see that the procedure actually observed does not agree with what is written in the SSP.
This workshop brought together individuals involved in operating and maintaining systems that must meet compliance requirements and are subject to audit. The goal was to identify challenges in maintaining the SSP in a way that is sustainable, affordable, timely, and accurate, and to gather community input on potential solutions.