Skip to main content

Secure Computing Project

Project overview

The CU Boulder campus is adopting baseline security standards for university-owned computers and servers that will be implemented over time. In order to better ensure the integrity of the shared information technology environment on our campus, these standards will help address the following challenges:

  • Increase the security of university computing assets including data.
  • Reduce risk to university intellectual property. ​
  • Drive enterprise effectiveness and reduce risk of software audits.
  • Provide support to a broad set of employees.
  • Maintain employee flexibility in their technology to conduct their teaching, research, and creative work.

Why does CU Boulder need computer and server standards?

  • The complexity, speed and number of cyber threats are increasing and colleges and universities are being targeted by aggressive cyber attacks.
  • We need to better support hybrid teaching, learning and work in a secure manner.
  • A security disparity exists between those whose devices are managed by campus IT professionals and those that are not.
  • We must advance campus technology in a manner that keeps a CU Boulder education affordable and attainable for a robust and diverse student body.

These changes are among a number of significant changes CU Boulder is making to create a hybrid-smart IT environment for CU Boulder. Learn more about these changes on the OIT Major Projects & Service Direction page. 

Computer standard

To ensure the integrity of the shared information technology environment, all university-owned computers will need to meet these computer standard requirements. Click the button below to review the full Computer standard policy. 

Server standard

A university server is considered any physical, virtual, or cloud-based device that manages network resources and is owned by the university or connected to a university-owned network. To ensure consistent application of protections and adherence to the CU baseline security requirements, campus servers will need to meet the requirements outlined on CU Boulder's policy page. 

How will this affect me?

Learn more about how this project will better protect computers and servers that you use or support:

Faculty and Staff
  • This software will better protect data stored on your computer and in the cloud by providing vulnerability scanning, protection against unauthorized access to files on your computer, automatically deployed software and operating system updates, and antivirus and malware protection.
  • Starting in 2023, departments will be provided with the capability to order new Dell and Apple computers through Marketplace that will be fully compliant with the security standards.
  • In 2023, departments will be provided with the capability to bring pre-existing computers up-to-date to meet the standards. 
Research Institutes' Faculty and Staff
  • Both computer and server standards will apply to Research Institutes. The timeframe for adoption and compliance will begin in 2023 using a phased approach.
  • All servers on a campus network that are used by a CU-governed campus organization must be aligned with the standards for servers.
IT Support Professionals
  • Starting in 2023, departments will be provided with the capability to order new Dell and Apple computers through Marketplace that will be fully compliant with the security standards.
  • In 2023, departments will be provided with the capability to bring pre-existing computers up to date to meet the standards.
  • Support teams (Department IT Practitioners, Buff Techs, etc.) will be provided with support documentation and tools to help bring their customer bases up to the defined standards. 
Server Administrators
  • All servers on a campus network that are used by a CU-governed campus organization must be aligned with the standard for servers.
  • By July 29, 2022, all Windows based servers must have Microsoft Defender configured to report status.
Marketplace purchasers
  • Starting in 2023, computers purchased through the CU Marketplace will include software that allows for the device to meet baseline security standards for university-owned computers.
Student Organizations
  • All Windows based servers on a campus network that are used by a CU-governed campus organization must be aligned with the standard for servers. This includes servers that are used by CU Boulder student organizations.
  • By July 29, 2022, all Windows based servers must have Microsoft Defender configured to report status.

Contact Us

If you have project-related questions, send an email to oitfeedback@colorado.edu with Secure Computing Project in the subject line.

General FAQ

Do the standards help address the inequity of IT support across campus?

The standards establish a base level of Universal Support available to all users of a Certified Endpoint. 

How were the Standards determined?

The Secure Computing Standards build on and simplify the implementation of security safeguards outlined in APS 6001 and APS 6005, as well as the NIST 800-53-based Systemwide Baseline Security Standards and Highly Confidential & Highly Critical System Information Security Standard

How are we determining what is supported software?

Per the standards, “supported” may refer to either software in use by an IT Service Provider that is actively receiving updates and security patches (not end of life) by a software publisher that delivers technical product help and advice to registered users or OIT-supported software

What is the timing of the implementation? Standards, New computers, existing computers, & servers.
  • Standards: Communication about the standards began in June 2022 after several rounds of technical and leadership reviews. Standards are currently posted and will be implemented over time.
  • New computers: New Dell and Mac computer purchases through Marketplace will be available beginning in 2023 and will arrive configured to meet the standards. 
  • Existing computers: OIT will be working to define the upgrade paths for existing computers to the standards in early 2023. Rollout will take place over several months to bring existing computers in compliance with the standard before end of 2023.  
  • Servers: All University-owned servers are to at a minimum have MS Defender with the CU-specific configuration; ensuring the server’s data be sent to CU Boulder’s Azure tenant and made available in Security Center.  Solutions for Linux servers is still being investigated. 
  • University-owned tablets and phones are an important piece of our technology infrastructure and frequently handle sensitive information. These devices will have standards defined, but not in this current scope and timeframe. 
What is OIT’s role in Secure Computing standards for computers and servers?  

As designated in APS 6005, the CIO is designated by the Chancellor with oversight authority for all campus IT operations and may enforce the requirements of University and campus policies for information security. For the Secure Computing project, OIT is providing and supporting solutions that will make it easier to comply with the new Standards in collaboration with the campus community. Finally, OIT may shut down IT operations that are out of compliance with this and other IT policy. 

I do not have an IT person; how do I get help to implement? 

Support for groups that do not have dedicated IT staffing will receive assistance with implementation via the project team, and thereafter from Buff Techs or the IT service Center (ITSC).

Is OIT watching what IT professionals or end users are doing?

No. Configuration information from endpoints is only visible to the information security team to respond to incident alerts and conduct threat analysis.

Will the departments need to pay for adhering to the standards?

For desktops and laptops, licensing is included in our campus A5 license. OIT will pay for server licenses (Defender for Endpoint Plan 2) through June 30, 2024) Departments will need to anticipate and plan for this cost in future years starting in FY25. 

Are there exceptions to the standards?  

Exceptions will be granted on an individual request basis and, if a compelling business reason exists, must be approved by the Provost and Executive COO in consultation with the Sr. AVC/CIO. 

What mechanism will there be for securing or excepting specialized research software or hardware items from the restriction of end of life/unsupported software? What if a system uses legacy software which cannot be updated in support of an expensive piece of hardware? 

As part of the exception process, OIT will work with the requestor to review the capability for compensating controls (e.g., network disablement/isolation) to minimize the risk of using legacy software. Exceptions from the standard can be requested via email sent to itso-exception-rvw@colorado.edu

Computer Standards FAQ

Do the standards apply to all brands of computers?

 Yes. Ordering a Dell or Mac computer through Marketplace will automatically meet the standards. Other brands of computers will need to be configured to meet the standards and will be the responsibility of the user.

Will the automatic deployment of software requirement for computers take away my ability to install software on my university owned devices?

No. This requirement will mean that a standard set of university approved security and productivity software must be on all computers and you will be able to add additional software from the university’s on-demand software catalog. If you find that you need software that isn’t included in the catalog, you can request that it be added. Please note that unapproved software must still go through an ICT review. 

If we have existing endpoints that do not comply with the standards, will we have to buy new endpoints?  

OIT will work with departments to bring qualified endpoints into compliance, rather than replacing them. If existing endpoints are unable to be upgraded, new machines will be required and as these endpoints are identified, we will collaborate with departments to ensure that funding is available. 

What are the benefits of purchasing new computers through Marketplace?  

Purchasing new computers through Marketplace is the ‘Easy Button’; the computer will be configured to support all elements of the standard.  The setup of the computer is simplified and quicker than individual installation of required softwaree and configurations.

What if the higher-end and specialty endpoints I need are not available through the CU Marketplace?

It is possible they are, but they may require training and process changes to access. Frequently the Procurement Service Center can add these vendors to the catalog. OIT would like to work with departments to make them available. 

What if the endpoints available on the CU Marketplace don't meet my business needs?  

Business needs will drive exceptions.  Then configuring the new computer to meet the defined standards will be the responsibility of the user. 

Server Standards FAQ

Do the standards apply to Linux servers and workstations?

Yes, the standards apply to Linux machines. The project team is still investigating the best solution for endpoint detection and response software.

Within the Server standard there is mention of other approved software equivalents, where is the list of software? 

Exceptions will be granted on a case-by-case basis for other approved software equivalents. At this time, we do not plan to publish the list of exceptions as one of the primary goals of this project is reducing complexity and redundancy across campus.