OIT Project Portfolio Report

The Data and Analytics Website Phase 2 project will enhance the user experience and functionality of the D&A website. The scope includes a comprehensive redesign of the front page, improving accessibility for public reports, and refining intake forms and processes. Metadata improvements by the Data and Analytics (D&A) team are a key focus, including quality control, revision processes, uploads, and feeds. Enhancements to search functionality, such as taxonomy and relevance, are also planned. However, the accessible Tableau module is not within the scope of this phase. The project approach involves several steps: redesigning the D&A front page, gathering requirements through interviews with the D&A team and collaboration with the Information Design team, conducting initial usability studies with key and general users, and providing recommendations in a report. UI designs will be created and tested with users before implementation. Metadata will be cleaned up and refined by the D&A team, with updates to internal documentation and automation of feed uploads, supported by the Information Design team. Information Design will test and implement these changes to ensure seamless integration and improved user experience.

Improved User Experience – Redesigned and Accessible Improved Search – Metadata, taxonomy and filtering

The objective of this project is to coordinate and implement the onboarding of ChatGPT Edu, OpenAI’s education–specific version of ChatGPT, at the University of Colorado Boulder thanks to the CU system-wide agreement finalized late fall 2025. The project will establish the operational, governance, and support structures necessary for long-term sustainability and compliance, while enabling students, faculty, and staff to leverage AI responsibly in teaching & learning, research, and administration. The project aims to: • Identify and structure OIT support resources, including a service manager and support team. • Define roles and responsibilities across existing OIT units (Architecture, Security, Academic Technology, IAM, Software Engineering, Software Sales, etc.). • Develop and formalize a governance structure around data handling, model usage, and access control in partnership with CU System. • Coordinate with CU System to ensure alignment with systemwide licensing, deployment, and communication plans. • Create a support and training framework to ensure users understand responsible and effective use of ChatGPT Edu. • Develop a deployment roadmap, including optimal phases and milestones • Assess the opportunity to build specific CustomGPT or AI agents for our campus to showcase possible uses and benefits of the platform. • Initiate conversations with governance groups and high touch stakeholders

Establishes a unified, secure, and supported AI platform for campus use by the most used and well-known Large Language Model (LLM) vendor. Reduces shadow IT and unauthorized AI tool usage and thereby data leakage risk. Provides a foundation for deployment by preparing structure and support around a coming deployment across system. Strengthens coordination and ensures alignment between CU Boulder and CU System to ensure our needs and preferences are being represented.

In Fall 2025, CU Boulder identified fraudulent activity within Coursera enrollment workflows, resulting in compromised learner identity integrity and potential reputational risk. Immediate mitigation steps (Phase 0) were executed prior to January 5, 2026. This project charter defines the scope of OIT-led work from January through June 2026 to implement sustainable technical and operational controls, ensuring secure enrollment processes and compliance with institutional standards. Objectives

1. Implement Secure Enrollment Controls o Deploy technical safeguards to prevent fraudulent Coursera registrations. o Integrate identity verification workflows aligned with CU Boulder standards and supported by CU Boulder policy. o Updated Coursera enrollment workflow with stronger security controls.
2. Operationalize Monitoring & Reporting o Establish dashboards and alerts for anomalous enrollment patterns. o Define escalation protocols for suspected fraud cases. o Technical Documentation for new processes. o Fraud detection dashboard and/or escalation playbook.
3. Transition Ownership to Technical Enrollment Manager o Onboard and empower the new role to lead ongoing enrollment integrity efforts. o Document processes, ongoing funding requirements, and suggestions for continuity beyond June 2026.
4. Align with Long-Term Recommendations o Prepare roadmap for Phase 2 (July onward).
5. Possibly work towards integrating Coursera workflows with CRM. Technical documentation of the updated platform to contextualize new platform workflows with the LL CRM roadmap and Salesforce Education Cloud CRM.

Enhanced Enrollment Security – Prevent fraudulent Coursera registrations through identity verification. Improved Institutional Reputation – Demonstrates proactive measures to protect learner data and uphold trust in CU Boulder’s online. Operational Efficiency – Streamlined monitoring and escalation processes reduce manual intervention and risk exposure. Data Integrity & Compliance – Ensures alignment with FERPA and institutional security standards for third-party platforms. Role Clarity & Sustainability – Transition ownership to Technical Enrollment Manager for long-term continuity and reduced dependency on CRM leadership. Foundation for Future Integration – Prepares Coursera workflows for Phase 2. Financial Impact – Reduces costs associated with fraudulent enrollments. Vendor Partnership Strengthening – Improves collaboration and trust with Coursera through enhanced security. Alignment with OIT Strategic Priorities – Supports OIT’s strategic priorities for security, compliance, and learner experience.

The University of Colorado (CU) system serves over 67,000 students and employs 28,000 faculty and staff across its campuses. As Colorado’s flagship public research institution, CU is committed to delivering high-quality, accessible, and innovative education that meets the evolving needs of learners and supports the state and nation with graduates who are prepared to fill critical workforce roles. Over time, CU Boulder’s CRM, web, data, and integrations ecosystem has grown organically across various units, resulting in a fragmented landscape of tools, platforms, and processes. This complexity has created challenges in delivering a unified, data-informed, and learner-centered experience, causing problems for students and their support staff who need to navigate across our silos to be successful. In August 2023, CU Boulder’s executive leadership approved a multi-year Constituent Relationship Management (CRM) Strategic Roadmap to address these challenges. A formal business case was developed and approved in December 2023, setting the stage for a phased transformation of the university’s CRM infrastructure.

Unified Learner Experience Across the Lifecycle Students will have access to a more cohesive, personalized, and accessible experience from recruitment through graduation and beyond. This includes improved visibility into their academic journey, support services, and communications. Consolidated and Actionable Data for Staff and Advisors Staff and advisors will gain a 360-degree view of each learner through integrated data from SIS, LMS, Degree Audit, and Slate. This enables more proactive, personalized, and efficient support. Retirement of Legacy Systems and Reduction of Technical Debt By decommissioning CRM01 and consolidating CRM functionality into Education Cloud, the university reduces redundancy, simplifies support, and improves long-term maintainability. Improved Communication and Engagement Capabilities Marketing Cloud will enable targeted, automated, and data-driven communications to prospective and current learners, improving recruitment, retention, and engagement.

In response to the CU-Boulder data center assessment, it was determined that SPSC N190 data center is to be vacated. To accomplish this declaration, there are two distinct activities that need to occur:

1. Move existing services from SPSC N190 to COMP data center or SPSC N180
2. Install infrastructure at Anschutz data center to support CU-Boulder servers
3. Begin populating initial 6 racks at Anschutz with systems still-to-be-identified (will be identified by March 2024).
4. Plan for network separation of SPSC N190A from SPSC N190.

Lowers risk of data center component failure Provides more geographical separation between data centers

The CMMC C3PAO Audit for The Preserve Project will prepare CU Boulder OIT to meet all requirements of the Cybersecurity Maturity Model Certification (CMMC) Level 2 standard in order to protect Controlled Unclassified Information (CUI) and maintain eligibility for U.S. Department of Defense (DoD) contracts. This project includes engaging with a C3PAO to undergo a mock assessment to assess current readiness for certification, remediate compliance gaps (which may include implementation to satisfy technical and/or administrative controls), prepare evidence for assessment, and support the organization through an external third‑party C3PAO audit to receive the Level 2 CMMC.

Achieve compliance required to hold or pursue DoD-funded contracts Ensuring the strongest protections for CUI Reduced risk of data breaches, incidents, and compliance penalties Standardized, documented cybersecurity practices aligned to NIST 800 171 Increased competitiveness and credibility with federal partners

This is a multi-phase project focused on automating the provisioning and deprovisioning of Microsoft Office 365 licenses. Currently, some of the processes are automated while others are entirely manual. The manual processes are labor intensive and error prone that results in O365 licenses not being assigned properly based on the license entitlements. The MOLR project assisted with the development of Grouper license entitlements groups and identified uses cases for the provisioning and deprovisioning of O365 licenses. These include the following license types: • Faculty A5 • Faculty A1 • Student A5 • Alumni Exchange Plan 1 • Retire Exchange Plan 1 The work completed on the MOLR project was an important enabling step toward automating the processes. The scope of this project includes designing, developing, testing, and deploying the automation for the provisioning, deprovisioning, and reprovisioning of the O365 licenses. The project includes the following phases. • Phase 1 – P/r for Faculty, staff, and student licences. MS licenses were removed for unentitled users, but users' accounts were not fully deprovisioned. • Phase 2 – Automated p/r/d for System Office employees, litigation holds, Alumni, and Retirees. Full deprovisioning for unentitled users. Tech debt, communications for all changes in licensing, and more. Remaining scope: secondary accounts, transitioning to operations/service, and potentially testing the structure with another service (e.g., Google Provisioner).

Manages audit risk for lack of compliance with Microsoft O365 license contract. Reduces manual processes Manages cost of Microsoft O365 licenses

The University currently uses Microsoft Entra as one of its two Multi-Factor Authentication (MFA) solutions. Entra MFA is implemented for users of Microsoft Office 365 (O365), Teams, and Microsoft Exchange (e.g. Outlook Email and Calendar), as well as any applications integrated with Microsoft for its MFA solution for Federated Authentication (FedAuth). What users with appropriate licensing (A5, A3) have for MFA is risk-based conditional access (CA). When originally set up, the lowest frequency implementation of Entra MFA was put in place. All users are low risk (prompted only at set up), but can move to medium risk (prompted for a new device) or high risk (prompted frequently) automatically. Password resets can move a user back to a lower risk level. Unless you are high risk (either associated with a high risk application, of which there are few with typically audiences restricted to OIT administrators) or have engaged in an identified high risk behavior (failed login attempts + impossible travel + new device), a University constituent will effectively never receive an MFA challenge/prompt from Microsoft. MFA allows OIT’s Security Team to provide a timeout on compromised devices and accounts. By not prompting for MFA, we are not taking advantage of the benefits of strong MFA. Additionally, by not providing greater granularity to our audience – we could divide the audience into different buckets, or personas, to apply different rules to different user types – we are providing blanket protection across all risk, instead of providing greater protection to higher risk audiences. Additionally, in an effort to unify our MFA experience and offering to the campus, we will move the shibboleth service (fedauth) to authenticate using Entra ID and Microsoft MFA, moving away from on-prem AD authentication and DUO MFA. This project proposes: • performing a policy review and data driven analysis on a test-audience (OIT) before rolling out to campus to implement a stronger baseline security where prompts are more likely to occur, and security is strengthened • This will also deliver a repeatable process for the involved OIT teams to propose, test, review, seek approval for and introduce these changes going forward in a repeatable fashion for introducing further layers • Performing a similar review and data driven analysis to introduce “layers” of conditional security requirements depending on audience/persona and situation. • Migrate shibboleth to proxy authentication to Microsoft Entra and enable a baseline policy for all fedauth authentications.

Security benefit – MFA reduces the ability to compromise an account with just a password, and provides a forced timeout Privacy benefit – this has the ability to raise the barrier of entry to sensitive data for specific users Grant and research bonus – by having higher security controls, we can demonstrate more systems compliant with stricter security standards, which means more ability to meet system requirements more broadly for grants tied to sensitive or controlled data handling Compliance benefit – GLBA, SOC, ISO 27001K, PCI, and NIST 800-171 standards all expect MFA. It is easier and less expensive to meet requirements from these types of audits with a central authentication system protecting data and access with MFA.

Classroom Capture is an automated lecture capture service provided by OIT at CU Boulder. The service is currently available in 50 classrooms across campus and is used by approximately 45% of courses scheduled in classrooms equipped with the technology. Feedback from both instructors and students highlights the high value of Classroom Capture, with recent Academic Technology survey results showing strong satisfaction with the service. This project aims to identify opportunities to expand the availability and adoption of Classroom Capture, with a particular focus on increasing its use among first- and second-year courses. The goal is to assess the requirements and opportunities for extending Classroom Capture services to the majority of these courses, ensuring broader access and enhancing the learning experience for students across the university. By enhancing lecture capture in foundational courses, we aim to provide students with greater flexibility and access to course materials, particularly during the transition into higher education when they may face new academic challenges. Capturing lectures in these introductory courses ensures that students—many of whom may be adjusting to the rigors of university-level coursework—have the opportunity to review key concepts at their own pace, revisit complex material, and improve retention. This is particularly valuable for students who may need additional support to succeed in these critical early courses. Data analysis will be conducted to identify the classroom locations where most first- and second-year courses are scheduled. An analysis will also be conducted on first- and second-year courses that have previously utilized Classroom Capture, examining which classrooms they were scheduled in. One potential data point for analysis is the correlation between courses that utilize the Classroom Capture service and student outcomes. By examining this relationship, we aim to assess whether the availability of recorded lectures impacts overall success in the course. A central focus of this project will be working closely with the Office of the Registrar’s Academic Scheduling team. The project will review current classroom scheduling processes, specifically seeking to understand how classroom assignments are determined based on technology needs. As a result, this project will collaborate to provide recommendations on how the room scheduling process can accommodate enhanced course technology needs related specifically to Classroom Capture. Our data shows that one of the main barriers to adoption of Classroom Capture service is a lack of awareness about the service and the benefits it offers. This project will explore and identify opportunities to raise awareness on the benefits of the Classroom Capture service to encourage greater adoption.

The results of this assessment will help us identify optimal paths to expanding access to course recordings by providing Classroom Capture services to the majority of first and second-year courses. This increased availability ensures that a larger number of students have the ability to review lectures and course material at their own pace, improving retention. It also enhances flexibility for students, enabling them to catch up on missed content or reinforce their understanding of key concepts. Providing automated Classroom Capture technology in more classrooms will significantly reduce the amount of time and effort required from instructors to record each class session, allowing them to focus more on teaching and less on administrative tasks. By automating the process, instructors can easily provide high-quality course recordings without the need for manual intervention. By expanding the adoption of Classroom Capture across more courses, this project will lead to a more efficient use of the existing platform infrastructure. With greater utilization, the cost per course for delivering lecture capture services will be reduced, maximizing the value of current resources.

Design and build of the new south pod, readiness for new equipment in ~Q2FY26

Wider cabinets can accommodate expected compute needs for Alpine Upgrades at an appropriate time to cause minimal disruption Critical Equipment on support contracts

This project transitions oversight, administration, and operational support of campus-wide physical security systems from Infrastructure & Resiliency (I&R) to the Division of Public Safety (DPS). The transition establishes a centralized governance and support model for access control and video management systems, ensuring uninterrupted operations, compliance with manufacturer requirements, and long-term sustainability through certified DPS staffing and integrator support.

Centralized governance and accountability for physical security systems Improved system reliability and compliance Reduced operational redundancy and ambiguity Sustainable staffing, certification, and support model

The need for this project is from internal and external forces that are working together to change the landscape of data storage in higher education. CU Boulder’s storage vendors, Google and Microsoft, have each determined that unlimited storage for high education users is an unsustainable business model. Google implemented storage quotas, which kicked off the storage war, with Microsoft following suit in the summer of 2023. CU’s current Microsoft multi-campus contract runs through 9/31/2025, allowing a short runway to create and implement a storage strategic plan. In addition to the changes made by our vendors, our Federal and State research and grant partners have begun migrating towards stricter Data Lifecycle Management (DLM) and Data Loss Prevention (DLP) standards, meaning CU Boulder must adapt, or potentially lose research grants and researchers. To addresses these changes, OIT is proposing a broad ranging effort that hopes to establish a strategic plan and roadmap for the storage of data of all classifications, origination sources and retention periods on the CU Boulder campus. In addition to the strategic plan, known tactical and operational deliverables to communicate and enforce the strategic plan are also in scope. Currently unknown tactical and operations deliverables may spawn future projects as part of the roadmap deliverable.

Unified storage strategy, regardless of vendor, or affiliation type Enhanced and unified view into data loss prevention and data classification labeling Campus wide plan for data lifecycle management Campus education of data classification levels, DLP policies, data related policies and the enterprise storage options available to meet CU business requirements

In the second phase of the CU Boulder name change initiative, the project team will continue to strengthen cross-office partnerships and engage subject matter experts to guide strategic decisions and system improvements. The second phase of the project will focus on mapping downstream integrations from source systems to bring awareness to the complexities of this process and allow the development of a project plan to execute the roadmap and improve the experience of the users of those systems.

User testing to be certain changes are clear, meaningful, accessible, and sustainable Improvement in time spent correcting names in university systems described by staff council resolution Mitigate daily harm caused by incorrectly displayed information described by staff council resolution.

This project aims to modernize and secure the University’s identity self‑service capabilities by redesigning the user experience, rebuilding the backend architecture, and remediating critical security vulnerabilities within the current account management platform. The effort will deliver a modern, intuitive, secure, and scalable framework that supports the full lifecycle of identities and secondary accounts

1. Redesign the User Experience for All Account‑Related Self‑Service
2. Rebuild the Backend Framework Using Modern modular monolithArchitecture
3. Re‑Architect the Account Claiming and Password Reset Processes
4. Address Current Security Vulnerabilities

Modernize the account claim process and create a better user experience for self service Design allows for future expansion for self-service attribute management I.e. name changes Secure processes around privileged account management (PAM)

We have identified a strong need for uniform, easily accessible, and accurate usage data across more than a dozen technology tools within the OIT Academic Technology (AT) team umbrella, such as Canvas and Zoom. Improved access to this data will ultimately enhance our ability to support student success and will help us better connect the campus’ needs for technology with the most relevant solutions. In the current state, we have limited and extremely variable reporting (e.g. non-standard personnel identifiers, different ways to access and present data, etc.), and don’t have a way to combine the data across tools in an easy and useful way. Each tool’s usage data comes from a different place making it difficult to determine important metrics like comparative usage (e.g., number of instructors using each tool) and cross-usage (if student A uses Canvas, does student A also use Zoom, etc.). Without regular data importing, the time to refresh data for current week, month, or even semester and year is time-consuming. Current data reporting sources across AT Tools: • Canvas: Canvas Data 2 Database, API • Zoom: Looker Dashboard updated through D&A git script, API • Lecture and Classroom Capture: self-reporting, internal logs • Canvas Studio: API • iClicker: vendor sends report • Enrollment Statistics: CU Data • Course/Faculty Statistics: CU Data • Employment Tables: HCM Personnel Roster • Affiliation Tables: D&A request In this project, AT and D&A will develop the initial data connection and maintenance of service and tool data belonging to the Academic Technology (AT) Team into the Snowflake data mart, managed by the Data and Analytics (DA) Data Engineering Team. This will include usage data and other available tool data for applications supported by AT including but not limited to Canvas (Canvas data ETL integration), Zoom, MediaSite Lecture and Classroom Capture, iClickers, Canvas Studio, PlayPosit, Digication, and Qualtrics, etc. To keep the scope of the initial phase manageable, we will define a limited set of high-priority data points and tools to integrate first. This will include only the most essential metrics needed to demonstrate value and support decision-making. Once the foundational connections are in place and validated, we will iterate and expand the dataset incrementally—guided by team capacity, evolving needs, and feedback—by incorporating additional tools and metrics over time.

Data consolidation and regular refreshes. One stop reporting and dashboard tool Efficiencies in data management. Greater understanding of data available to us from different tools AT supports and other datasets and metrics available to us from Campus via the Data Mart.

The goal of this project is to establish ServiceNow, with the new Hardware Asset Management updates, as the single, consistent platform for tracking all University-owned property types in OIT, including capital assets, operating equipment, inventory, and consumables across OIT teams, personnel, consultants, and any other situation where hardware is purchased by OIT. This initiative will standardize asset management processes across the organization and will focus on ensuring that the newly integrated HAM tool is embedded in all hardware tracking processes. It will improve data integrity and enhance lifecycle tracking visibility, from when it is purchased through surplus. The IT Asset management team must be informed of any OIT hardware purchase and acquisition, and enable tracking in ServiceNow to ensure lifecycle tracking across OIT assets, equipment, and inventory. This would require collaboration between the IT Asset Management team and other teams within OIT. The project team will ensure this outcome by reviewing all other teams in OIT to determine hardware purchasing and will review and/or establish processes to enable HAM tracking in ServiceNow.

All OIT asset types tracked in ServiceNow allows for centralized audit support that is complete and accurate. Financial transparency based on accurate asset management Successful integration with PCR360 will support accurate and complete asset data in ServiceNow. Teams trained and actively using ServiceNow HAM tool for asset updates. They will better know where the equipment is, amounts of hardware, and increased visibility into assets.

The current Faculty Information System (FIS) at CU Boulder is no longer capable of meeting the university’s needs, necessitating its replacement. The following critical issues highlight the urgency: • In-House Oracle Support: The Oracle Database core of the FIS ecosystem was designed and implemented in the 1990s. OIT no longer supports these Oracle database technologies which impacts the maintenance and enhancement of the FIS core and key components. • Outdated Requirements: The current FIS ecosystem design reflects foundational business requirements and paper-based workflows in place from the 1990s through the mid-2010s. It will not be able to evolve to meet new requirements without a transition to a modern architecture. • Manual Data Entry: Lack of bi-directional integrations between DocuSign, OnBase and HCM requires manual data entry in FIS and other systems. This necessitates redundant manual data entry wasting valuable staff time, increasing the risk of errors, and negatively impacting productivity and employee morale. • Data Sharing Limitations: The system was not designed to share data with current campus and System data services and APIs. This compounds non-technical inefficiencies, duplication of effort, and barriers to collaboration. • Operational Risks: The above limitations compromise operational efficiency, data accuracy, and user satisfaction, rendering the current system unsustainable for future academic, research, and administrative operations. To address these challenges, CU Boulder must select and implement a modern approach that: • Aligns with contemporary and emerging business and technical requirements. • Enables seamless data sharing and integration across systems. • Minimizes or eliminates redundant manual data entry. • Considers “best practices” at peer institutions and favors commercially available software targeted at faculty processes.

Reducing the need for custom software maintenance and development by using vendor solutions. Minimal configuration and integration effort is the goal. Reducing manual data entry, data management, and data reconciliation with HCM and other data sources/systems. Improved integration with other System and Boulder campus systems, e.g., HCM, DocuSign, and OnBase. Reduced end user support effort. Improved reporting. Improved user experience and end user support/documentation/training. CU Experts Direct use case by CU Class Search web site managed by Registrar. CU Experts Direct use case by Web Express Faculty module(s). CU Experts public profiles or replacement solution.

To better ensure the integrity of the shared information technology environment as it relates to end-user devices, all university-owned end-user devices, and personally-owned end-user devices that access or store university data, must meet the following conditions: For university-owned devices: • Enrollment in an approved endpoint management tool that reports security posture, such as MECM or Jamf Pro • Hardware and software asset tracking using the campus standard asset tracking tool (Eracent) • Public safety emergency notification client software (Alertus) • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) For personally-owned devices: • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) There are three overarching objectives of this project to reach this goal:

1. Develop and obtain approval for the Certified End-user Device policy by having it run through the official policy proposal & adoption process. This policy will address both university owned and personal owned devices.
2. Create the infrastructure and processes needed for ensuring all new end-user devices procured through the university comply with the end-user device policy requirements. Create guidance, best practices, and certification process.
3. Create the infrastructure and processes needed for remediating existing university owned end-user devices to comply with the certified end-user device policy.

Increased security of university computing assets including personal and university owned data Reduce risk to university intellectual property Simplicity and consistency to procure and deploy Lays groundwork for consistency in support Visibility into enterprise procurement practices to drive efficiencies and cost savings

The Google Provisioner project will modernize CU Boulder’s Google Workspace account provisioning by replacing Oracle Identity Manager (OIM) with Grouper, Azure, or a hybrid approach to manage entitlements. This change will allow for more granular provisioning beyond the current “Active” or “Suspended” statuses, supporting stepped licensing, timed transitions, and retention policies based on user affiliation. By automating manual processes and aligning with the approach developed in the MOLR project, this effort will improve accuracy, reduce administrative overhead, and resolve issues for returning students whose accounts are not automatically reactivated. The project will also evaluate authentication practices for Colorado.edu logins to the Google tenant, with the potential to enable multi-factor authentication (MFA) to strengthen account security.

More granular provisioning (beyond just “Active/Suspended”) enabling stepped licensing and retention Automated account reactivation for returning students Reduced manual provisioning and error-prone processes Improved license alignment and cost efficiency Enhanced account security through possible MFA adoption Scalable and sustainable provisioning process aligned with MOLR and Grouper

The current NAC solution, deployed in 2023, was a stop gap measure procured and deployed in under 3 months to address the immediate problem that the Secure Computing initiative had with the previous ImpulsePoint Opswat NAC. There are various problems with the current NAC solution, some of which have resulted in multiple major incident “outages” impacting student’s, faculty, and staff’s ability to access the Wi-Fi network. The objective of this project is to investigate, test, procure and deploy a new enterprise NAC solution for Wi-Fi that replaces the existing NAC solution with the following high-level features and requirements.

1. Robust, scalable, and zero-trust architecture for Higher Ed.
2. Optimized for end user experience and BYOD devices on UCB Wireless, which is especially vital to our students (includes passwordless and independent from device Wi-Fi MAC, a large source of frustration today).
3. Complete Integration with IAM for user and contractor authentication on UCB Wireless.
4. Enabling Wi-Fi enterprise grade encryption for authorized users on UCB Wireless.
5. Secure onboarding of business critical IOT devices deployed by university business units or research on UCB Wireless.
6. Aligned with the Secure Computing, reporting and compatible with SIEM tools used by OIT-SEC.
7. Better authentication and audit trail for users that register on UCB Guest.
8. Self-enrollment of student and faculty owned consumer headless Wi-Fi devices on UCB Guest.
9. Better integration to achieve zero-touch configuration and enrollment on UCB Wireless by End Point Management Services for DDS managed Wi-Fi compute devices.
10. Single interface for system administration, reporting and troubleshooting for ITSC, NEO and OIT-SEC.

Password less, no annual registration and BYOD friendly EAP-TLS authentication with Wi-Fi encryption Enterprise grade solution with proper technical support Integration with Azure/Entra ID Integration with JAMF and MS Intune

The Automated Direct Billing Discovery project will evaluate solutions for implementing an automated billing and provisioning system for enterprise storage services at CU Boulder. Rising pressures from Microsoft’s proposed costly storage quotas, as well as the need for a sustainable model for on-prem storage (UCB-Files), have highlighted the need for a transparent, consistent, sustainable, and scalable chargeback system. At the same time, recent proposals to modify Research Facilities & Administrative (F&A) rates have increased the importance of ensuring that certain allowable IT costs can be accurately allocated and recovered through grant/sponsored project funding. Currently, CU Boulder relies on manual, personnel-heavy processes for departmental chargebacks, requiring effort from service owners as well as campus-wide financial analysts. The proposed system would automate and improve accuracy in these processes by: • Providing a user-friendly portal for requesting additional storage across platforms including, but not limited to, Google, UCB-Files, Office 365, and PetaLibrary. • Automating approval workflows, provisioning, and billing through direct integration with CU Boulder’s PeopleSoft financial and HCM systems. • Provision the requested service or feature for the requestor via automated integrations where feasible (provide also for manual provisioning) • Supporting clear auditability and compliance through standardized reporting, dashboards, and notifications. While the initial focus is on enterprise storage platforms, the long-term vision is to create an automated internal billing framework adaptable to other OIT services that require expense pass-throughs, chargebacks, or rate-based recoveries. By addressing both immediate storage management needs and broader cost-recovery challenges, this project will enable CU Boulder to advance financial sustainability, support compliance with current and future research grant requirements, and improve the overall user experience for faculty, staff, and researchers.

Clear documentation of business and technical requirements for automated storage usage, billing and provisioning Identification of feasible technical solutions and integration approaches (PeopleSoft, storage APIs, approval workflows) Alignment of needs across storage platforms (Google, O365, UCB-Files, PetaLibrary) into a unified framework Early assessment of financial models and grant cost-recovery implications (F&A) Improved understanding of user expectations for self-service, transparency, and notifications Risk identification before committing resources to implementation Roadmap and recommendations to guide potential future expansion.

This project will evaluate and recommend a centralized notification and alerting solution to support timely, automated communication across OIT services. This initiative responds to several recent service interruptions where OIT struggled to quickly and effectively identify and notify the appropriate service teams and support groups. The current notification system is aging, difficult to maintain, and lacks the flexibility needed to meet modern operational demands. The project will involve gathering technical and functional requirements from OIT service teams, identifying and piloting potential solutions, estimating costs (including training and implementation), and determining long-term ownership and governance. The effort will also produce a migration and documentation plan to support eventual implementation. For clarity, the following definitions apply within the scope of this project: • Alert: A system-generated message produced by an existing monitoring tool in response to a detected issue or condition. • Notification: A communication (such as an email, page, or similar message) sent to users or support teams to inform them of an issue identified by a monitoring system. This project does not include any changes to, or development of, monitoring systems. It is focused solely on evaluating and recommending solutions for distributing alerts and notifications generated by those existing systems. Important Note: This project will not include the procurement or implementation of the selected solution. Those activities will be handled through a separate project charter once a recommendation is finalized.

Improved incident response and reduced downtime. Increased visibility and accountability in service operations. Potential cost savings through tool consolidation and license management. Better support for hybrid work and learning environments. Standardization of alert processes and governance.

This project will address the ~113 Red Hat Enterprise Linux (RHEL) 7 servers within OIT that will reach end-of-life support on June 30, 2024. RHEL 7 will no longer receive stability patches and security updates after June 30, 2024. As such, the services on these servers must either be migrated to new servers, migrated to other platforms (cloud native or containers), or retired/decommissioned. The breakdown of these systems and the service teams responsible for them are as follows: Group RHEL 7 Systems Description DATA 15 Data driven services (Data + Analytics, including EDB) AS 31 Academics and Student Services (FIS, ATAP, Buff Portal) SEC 36 Security, IAM, M&C NEO 15 NEO, Data Center, VOIP, Paging PE 5 Platform Engineering LNX 11 Linux Platform Engineering As part of the project, we will document the systems that have campus border firewall exceptions and how many do not. We will also determine which systems will require Red Hat Enterprise Linux Extended Lifecycle Support. Failing to

Reduce our security risk as an organization. Services migrated to supportable platforms allowing for continued development/improvement of the service if desired by service managers.

This project will assess the University of Colorado Boulder’s Microsoft O365 environment against CMMC Level 1 (Foundational) requirements to determine readiness to support systems handling CMMC Level 1 data. The assessment will identify which of the 17 required controls are currently met, unmet, or partially met; document existing control implementations; verify service provider responsibilities; and identify and remediate gaps to the extent feasible. The outcome of this effort will be a documented control posture and supporting evidence sufficient to support system authorization decisions for CMMC Level 1 data use, provider responsibilities; and identify and remediate gaps to the extent feasible. Background: When the CMMC Final Rule (32 CFR Part 170) became effective on November 10, 2025, among other requirements, it established the requirement to formally attest to compliance via the Department of Defense (DOD) Supplier Performance Risk System (SPRS) when CMMC Level 1 is included in a DOD solicitation stipulating that Federal Contract Information (FCI) be safeguarded per FAR 52.204-21. At this time (2/10/26), CU Boulder has identified 10 contracts requiring FCI safeguards under FAR 52.204-21 safeguarding requirements with an additional proposal request that, if awarded, will require FCI be handled under CMMC Level 1 safeguards. OCG identified the following services, in priority order, that currently support existing FCI contract information workflows within OCG: O365 (specifically Email/Outlook, SharePoint, Teams, and OneDrive), DocuSign, infoEd and OnBase. These services are in scope to assess their ability to meet all 17 CMMC Level 1 requirements, but this project ONLY focuses on O365. Per OCG, the O365 environment is the most critical IT system to remediate for OCG’s work, and the other three (DocuSign, infoEd, and OnBase) can be addressed afterwards.

Documented understanding of O365 alignment with CMMC Level 1 controls Ability to authorize O365 systems to handle CMMC Level 1 data Reduced compliance and audit risk through documented controls and evidence Clear identification of gaps and ownership (OIT vs. Microsoft)