OIT Project Portfolio Report

This is a multi-phase project focused on automating the provisioning and deprovisioning of Microsoft Office 365 licenses. Currently, some of the processes are automated while others are entirely manual. The manual processes are labor intensive and error prone that results in O365 licenses not being assigned properly based on the license entitlements. The MOLR project assisted with the development of Grouper license entitlements groups and identified uses cases for the provisioning and deprovisioning of O365 licenses. These include the following license types: • Faculty A5 • Faculty A1 • Student A5 • Alumni Exchange Plan 1 • Retire Exchange Plan 1 The work completed on the MOLR project was an important enabling step toward automating the processes. The scope of this project includes designing, developing, testing, and deploying the automation for the provisioning, deprovisioning, and reprovisioning of the O365 licenses. The project includes the following phases. • Phase 1 – Faculty A5 licenses on primary accounts. Focus will be on use cases for new/departing staff and changes to user license entitlements. • Phase 2 – Student A5 and Alumni licenses • Phase 3 – Faculty A5 licenses for secondary accounts and Faculty A5 licenses for retirees • Phase 4 – Faculty A1 licenses

Manages audit risk for lack of compliance with Microsoft O365 license contract. Reduces manual processes Manages cost of Microsoft O365 licenses

This is phase three of the Inventory, Equipment, and Asset Tracking Solution (“IEATS”) project and is intended to result in the full implementation of a tracking tool no later than July 1, 2025. During phase one of this project, it was identified that OIT lacks unified inventory, equipment, and capital asset procedures and tools. Because of this, OIT is not able to easily comply with financial reporting requirements related to the proper recording of inventory and reporting of capital assets. Many of the current processes for such work require heavy manual intervention and the use of disparate software tools and spreadsheets. Additionally, OIT does not have a clear understanding of inventory, equipment, or capital assets under its custodianship which may be contributing to unnecessary, untimely, or duplicative purchases, inaccurate depreciation calculations, the inability to leverage warranties, and questionable property disposal decisions. The conclusion of phase one resulted in a recommendation to launch phase two which focused on requirements gathering while identifying possible tools that would address the issues documented in phase one. Upon the completion of phase two, OIT’s Cabinet approved the selection of ServiceNow as a solution to OIT’s current inventory, equipment, and asset tracking and reporting problem. The third and final phase of this project will include the acquisition of the necessary ServiceNow modules and licenses, identification and selection of a consultant to assist with process mapping, implementation, and integrations, the ingestion and validation of OIT’s FY25 capital asset data, and will conclude with the full launch of a tool capable of tracking and reporting all of OIT’s inventory, equipment, and capital assets purchased on July 1, 2025 or later.

Manages audit risk for lack of compliance with accounting standards Reduces manual processes Yields better purchasing and disposal decisions Creates consistent processes for OIT and enables a pilot project that could be adopted by campus

In response to the CU-Boulder data center assessment, it was determined that SPSC N190 data center is to be vacated. To accomplish this declaration, there are two distinct activities that need to occur:

1. Move existing services from SPSC N190 to COMP data center or SPSC N180
2. Install infrastructure at Anschutz data center to support CU-Boulder servers
3. Begin populating initial 6 racks at Anschutz with systems still-to-be-identified (will be identified by March 2024).
4. Plan for network separation of SPSC N190A from SPSC N190.

Lowers risk of data center component failure Provides more geographical separation between data centers

To better ensure the integrity of the shared information technology environment as it relates to end-user devices, all university-owned end-user devices, and personally-owned end-user devices that access or store university data, must meet the following conditions: For university-owned devices: • Enrollment in an approved endpoint management tool that reports security posture, such as MECM or Jamf Pro • Hardware and software asset tracking using the campus standard asset tracking tool (Eracent) • Public safety emergency notification client software (Alertus) • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) For personally-owned devices: • Up-to-date antivirus and anti-malware software • Full disk encryption • University data stored on enterprise standard cloud storage (OneDrive) There are three overarching objectives of this project to reach this goal:

1. Develop and obtain approval for the Certified End-user Device policy by having it run through the official policy proposal & adoption process. This policy will address both university owned and personal owned devices.
2. Create the infrastructure and processes needed for ensuring all new end-user devices procured through the university comply with the end-user device policy requirements. Create guidance, best practices, and certification process.
3. Create the infrastructure and processes needed for remediating existing university owned end-user devices to comply with the certified end-user device policy.

Increased security of university computing assets including personal and university owned data Reduce risk to university intellectual property Simplicity and consistency to procure and deploy Lays groundwork for consistency in support Visibility into enterprise procurement practices to drive efficiencies and cost savings

The current NAC solution, deployed in 2023, was a stop gap measure procured and deployed in under 3 months to address the immediate problem that the Secure Computing initiative had with the previous ImpulsePoint Opswat NAC. There are various problems with the current NAC solution, some of which have resulted in multiple major incident “outages” impacting student’s, faculty, and staff’s ability to access the Wi-Fi network. The objective of this project is to investigate, test, procure and deploy a new enterprise NAC solution for Wi-Fi that replaces the existing NAC solution with the following high-level features and requirements.

1. Robust, scalable, and zero-trust architecture for Higher Ed.
2. Optimized for end user experience and BYOD devices on UCB Wireless, which is especially vital to our students (includes passwordless and independent from device Wi-Fi MAC, a large source of frustration today).
3. Complete Integration with IAM for user and contractor authentication on UCB Wireless.
4. Enabling Wi-Fi enterprise grade encryption for authorized users on UCB Wireless.
5. Secure onboarding of business critical IOT devices deployed by university business units or research on UCB Wireless.
6. Aligned with the Secure Computing, reporting and compatible with SIEM tools used by OIT-SEC.
7. Better authentication and audit trail for users that register on UCB Guest.
8. Self-enrollment of student and faculty owned consumer headless Wi-Fi devices on UCB Guest.
9. Better integration to achieve zero-touch configuration and enrollment on UCB Wireless by End Point Management Services for DDS managed Wi-Fi compute devices.
10. Single interface for system administration, reporting and troubleshooting for ITSC, NEO and OIT-SEC.

Password less, no annual registration and BYOD friendly EAP-TLS authentication with Wi-Fi encryption Enterprise grade solution with proper technical support Integration with Azure/Entra ID Integration with JAMF and MS Intune

The Data and Analytics Website Phase 2 project will enhance the user experience and functionality of the D&A website. The scope includes a comprehensive redesign of the front page, improving accessibility for public reports, and refining intake forms and processes. Metadata improvements by the Data and Analytics (D&A) team are a key focus, including quality control, revision processes, uploads, and feeds. Enhancements to search functionality, such as taxonomy and relevance, are also planned. However, the accessible Tableau module is not within the scope of this phase. The project approach involves several steps: redesigning the D&A front page, gathering requirements through interviews with the D&A team and collaboration with the Information Design team, conducting initial usability studies with key and general users, and providing recommendations in a report. UI designs will be created and tested with users before implementation. Metadata will be cleaned up and refined by the D&A team, with updates to internal documentation and automation of feed uploads, supported by the Information Design team. Information Design will test and implement these changes to ensure seamless integration and improved user experience.

Improved User Experience – Redesigned and Accessible Improved Search – Metadata, taxonomy and filtering

Classroom Capture is an automated lecture capture service provided by OIT at CU Boulder. The service is currently available in 50 classrooms across campus and is used by approximately 45% of courses scheduled in classrooms equipped with the technology. Feedback from both instructors and students highlights the high value of Classroom Capture, with recent Academic Technology survey results showing strong satisfaction with the service. This project aims to identify opportunities to expand the availability and adoption of Classroom Capture, with a particular focus on increasing its use among first- and second-year courses. The goal is to assess the requirements and opportunities for extending Classroom Capture services to the majority of these courses, ensuring broader access and enhancing the learning experience for students across the university. By enhancing lecture capture in foundational courses, we aim to provide students with greater flexibility and access to course materials, particularly during the transition into higher education when they may face new academic challenges. Capturing lectures in these introductory courses ensures that students—many of whom may be adjusting to the rigors of university-level coursework—have the opportunity to review key concepts at their own pace, revisit complex material, and improve retention. This is particularly valuable for students who may need additional support to succeed in these critical early courses. Data analysis will be conducted to identify the classroom locations where most first- and second-year courses are scheduled. An analysis will also be conducted on first- and second-year courses that have previously utilized Classroom Capture, examining which classrooms they were scheduled in. One potential data point for analysis is the correlation between courses that utilize the Classroom Capture service and student outcomes. By examining this relationship, we aim to assess whether the availability of recorded lectures impacts overall success in the course. A central focus of this project will be working closely with the Office of the Registrar’s Academic Scheduling team. The project will review current classroom scheduling processes, specifically seeking to understand how classroom assignments are determined based on technology needs. As a result, this project will collaborate to provide recommendations on how the room scheduling process can accommodate enhanced course technology needs related specifically to Classroom Capture. Our data shows that one of the main barriers to adoption of Classroom Capture service is a lack of awareness about the service and the benefits it offers. This project will explore and identify opportunities to raise awareness on the benefits of the Classroom Capture service to encourage greater adoption.

The results of this assessment will help us identify optimal paths to expanding access to course recordings by providing Classroom Capture services to the majority of first and second-year courses. This increased availability ensures that a larger number of students have the ability to review lectures and course material at their own pace, improving retention. It also enhances flexibility for students, enabling them to catch up on missed content or reinforce their understanding of key concepts. Providing automated Classroom Capture technology in more classrooms will significantly reduce the amount of time and effort required from instructors to record each class session, allowing them to focus more on teaching and less on administrative tasks. By automating the process, instructors can easily provide high-quality course recordings without the need for manual intervention. By expanding the adoption of Classroom Capture across more courses, this project will lead to a more efficient use of the existing platform infrastructure. With greater utilization, the cost per course for delivering lecture capture services will be reduced, maximizing the value of current resources.

Design and build of the new south pod, readiness for new equipment in ~Q2FY26

Wider cabinets can accommodate expected compute needs for Alpine Upgrades at an appropriate time to cause minimal disruption Critical Equipment on support contracts

Qualtrics is an OIT common good service used by over 6,000 CU students, faculty, and researchers at the University of Colorado Boulder annually. Students account for 81 percent of all Qualtrics accounts. Qualtrics is currently not approved for the collection or storage of highly confidential data and there is no alternative approved solution on campus for collecting highly confidential data. Currently users must submit a secure computing exception request prior to collecting highly confidential data, a temporary process that has been developed by the Security and the Academic Technology teams to meet the needs of campus community. The process, however, is time-consuming for all the parties involved and is not sustainable. We regularly encounter surveys that collect highly confidential data in Qualtrics without going through the approval process. The goal of this project is to provide a comprehensive and sustainable solution to the campus community that will allow users to collect highly confidential data using Qualtrics for both surveys and forms, which are the most common applications of Qualtrics. This solution will benefit the University as it will reduce the security risks associated with data collection in Qualtrics. In the last couple of years, several significant use cases for collecting highly confidential data in Qualtrics have come up. Groups such as the Office of Institutional Equity and Compliance have a legal obligation to complete a Sexual Assault and Related Harms Survey. The Office of Data and Analytics receives approximately 10,000 responses annually for the New Student Survey which also has a business need to collect highly confidential data. Additionally, the Security Team and OIT have received numerous requests from researchers and other departments such as Student Affairs and Medical Services with business needs to collect highly confidential data via surveys. The Qualtrics Service Manager and the Security Team have done preliminary work to review the criteria necessary to allow collection of highly confidential data using Qualtrics, and to create a new Qualtrics instance called CUBoulderData designated for the collection and storage of highly confidential data. Configuration of the instance still requires the Security team’s review and approval before being offered to the campus community. The Qualtrics Service Manager completed the requested Systems Security Plan (SSP) security review including the evaluation of over 110 security controls and the next steps are for the Security Team to review this documentation, and to create an Action and Remediation Plan. Link to Qualtrics SSP Review. The issue is that Qualtrics doesn’t meet many of the necessary security requirements for collecting highly confidential data and risks need to be assessed and compensating controls need to be established to ensure Qualtrics can be approved for collecting highly confidential data.

This project will improve the security of the data being collected and stored in Qualtrics. This project will allow departments to collect and store highly confidential data such as gender, race, ethnicity, and sexual orientation properly without the risk of this information being shared inappropriately. This project will enable existing compliant processes to utilize Qualtrics in the collection and storage of HIPPA and FERPA data. Wardenburg, Student Affairs, Office of Institutional Equity and Compliance, and other departments have several initiatives waiting on this solution The solution will standardize a complex and time-consuming security exception process for collecting highly confidential data in Qualtrics.

The need for this project is from internal and external forces that are working together to change the landscape of data storage in higher education. CU Boulder’s storage vendors, Google and Microsoft, have each determined that unlimited storage for high education users is an unsustainable business model. Google implemented storage quotas, which kicked off the storage war, with Microsoft following suit in the summer of 2023. CU’s current Microsoft multi-campus contract runs through 9/31/2025, allowing a short runway to create and implement a storage strategic plan. In addition to the changes made by our vendors, our Federal and State research and grant partners have begun migrating towards stricter Data Lifecycle Management (DLM) and Data Loss Prevention (DLP) standards, meaning CU Boulder must adapt, or potentially lose research grants and researchers. To addresses these changes, OIT is proposing a broad ranging effort that hopes to establish a strategic plan and roadmap for the storage of data of all classifications, origination sources and retention periods on the CU Boulder campus. In addition to the strategic plan, known tactical and operational deliverables to communicate and enforce the strategic plan are also in scope. Currently unknown tactical and operations deliverables may spawn future projects as part of the roadmap deliverable.

Unified storage strategy, regardless of vendor, or affiliation type Enhanced and unified view into data loss prevention and data classification labeling Campus wide plan for data lifecycle management Campus education of data classification levels, DLP policies, data related policies and the enterprise storage options available to meet CU business requirements

This project intends to enable sensitivity labels for data, email and Teams chats on the O365 environment as a step towards closing security and compliance gaps within the commercial O365 tenant. Closing these gaps is a prerequisite for future projects on the O365 space, including storage futures, AI initiatives and email security. Sensitivity labels allow users to set boundaries on how their data, emails and chats are shared with others. They persist across the O365 environment and to many 3rd party applications and can prevent forwarding, sharing and can be used to set encryption requirements for the data. Enabling these labels would immediately help users of confidential and highly confidential data on campus, such as OIEC, HR, researchers, and the Registrar. The technical aspects of this project were largely completed a few years ago, although some testing is needed to ensure the policies created are compatible with O365 changes since the first effort closed. This is being chartered to cover the communication and training needs to roll out sensitivity labels to the campus and to cover the resources needed to conduct a pilot with OIEC or HR. Once the rollout of sensitivity labels is complete, many users who rely on the Large File Transfer service to share sensitive information can share this same data straight from OneDrive or Teams, reduce the number of copies of that file that are being created. Likewise, departments who rely on PGP to protect highly confidential data and must first decrypt the data prior to sharing it can now transition their storage of the data from UCB and the PGP solution to a Teams storage solution.

Prevent data leakage and move the commercial tenant to a higher security level, closing the gap with LASP and GCC. Educate users on the usage, importance and need for sensitivity labels. Prepare the O365 environment for AI integrations in the future. Meet the needs of HR and OIEC data storage in the O365 environment Take a step towards meeting higher compliance requirements in NIST 800-171

This project intends to enable Domain-based Message Authentication, Reporting, and Conformance (DMARC) for email on the Colorado.edu main and subtenants. DMARC is an email authentication protocol designed to help prevent email spoofing and phishing attacks by allowing email domain owners (@colorado.edu) to specify policies on how their emails should be handled when they are received by email servers. With DMARC, CU can publish a policy in our DNS records that specify how to manage emails that fail authentication methods (either Sender Policy Framework (SPF) and/or DomainKeys Identified Mail (DKIM)). CU Boulder currently has the DMARC policy in our DNS record set to “DMARC = None”. In this “monitoring mode”, we request emails servers to send reports about email authentication results but no specific action is taken for emails that fail authentication. This project will move DMARC policy to “DMARC = Quarantine”, which is the next level mode (the strictest is “DMARC = Reject” which rejects all email that fails authentication and will not deliver it to the recipient’s inbox). Moving to “DMARC = Quarantine” on our colorado.edu domain forces users of 3rd party senders, sending on behalf of @colorado.edu to adhere to global authentication standards. This ensures delivery of their sends to both internal and external partners. Government agencies, other R1 institutions, and the major public email providers have begun to enforce DMARC on mail they receive. OIT fully expects additional government agencies and schools to enforce DMARC in the coming months which will further create problems for @colorado.edu users trying to send e-mail to these entities using third-party senders such as InfoEd, MarketingCloud and our student facing systems. CU is behind other R1 institutions in enabling DMARC. The Universities of California, Berkley, South Florida, and Nebraska have set “DMARC to reject” while Iowa and Kentucky are set to “DMARC to quarantine”. Technically this is a simple change, but it carries a heavy change management effort due to the unregulated use of various schools and departments using third-party vendors to send email on behalf of @colorado.edu addresses. The recent eComm policy change and our move to add external email banners has forced most of the campus’s largest senders into compliance already. Smaller senders remain and will require outreach to move them into compliance.

Reduced phishing and spoofing attacks Meet email standards that will allow the campus to communicate with .mil and .gov. research sponsors Improved email security Increased trust in university communications Protection of sensitive data Enhanced reputation of the university Automated email security enforcement Cost savings from preventing data breaches Better alignment with industry standards Reduced risk of email-based cyber threats Improved compliance with data protection regulations Streamlined incident response due to fewer security breaches Support for a sustainable security model Improved user experience with fewer malicious emails

CU Boulder has expressed a need for a generative AI sandbox where members of the campus community can leverage generative AI technology in a safe and secure space. This project aims to build an environment with two goals: i. Build GenAI literacy ii. Provide a safe and secure space to use Generative AI with university data leveraging a choice in model providers (providers could include Anthropic Claude to OpenAI GPT-4o and others) This project will build upon work from Vanderbilt University which has developed their Amplify GenAI Gateway (https://www.suppamplifygenai.org/). Based on the initial evaluation, this provides CU Boulder a good starting point for this sandbox. This specific phase of the project will: i. Identify 20-30 initial pilot group users from a cross section of campus ii. Deploy Amplify GenAI Gateway in CU Boulder’s AWS environment iii. Obtain approval for use of the Amplify GenAI Gateway for confidential data iv. The 20-30 initial pilot group users will provide feedback to guide future phases

Sandbox environment to build AI Literacy Confidential data approved for use Feedback mechanism to determine demand and need for future service offering

Students, faculty and staff on the CU Boulder campus have a need for flexible and continuous access to software, either through remote access to physical computers or via virtual applications or desktops. While we have deployed Turbo.net and Splashtop solutions as immediate solutions to meet remote software needs, the Apporto pilot demonstrated that Apporto would be the best solution to meet the future needs of our labs and other campus groups. The purpose of this project is to create a service for Apporto that will allow for its expanded use across campus. The project will: • Determine the costs for offering Apporto to campus and an on-going sustainable funding model. • Establish a service for remote and virtual software delivery. • Communicate the capabilities and availability of the Apporto service to a broader range of campus customers.

24/7 access to software by students, faculty, and staff. Delivery and support for solution can be scaled to support access from all campus customers. Seamless, consistent, and efficient experience for customers accessing software. Enhance student equity by providing learning resources and support, ensuring all students have equal opportunities to succeed.

The current Faculty Information System (FIS) at CU Boulder is no longer capable of meeting the university’s needs, necessitating its replacement. The following critical issues highlight the urgency: • In-House Oracle Support: The Oracle Database core of the FIS ecosystem was designed and implemented in the 1990s. OIT no longer supports these Oracle database technologies which impacts the maintenance and enhancement of the FIS core and key components. • Outdated Requirements: The current FIS ecosystem design reflects foundational business requirements and paper-based workflows in place from the 1990s through the mid-2010s. It will not be able to evolve to meet new requirements without a transition to a modern architecture. • Manual Data Entry: Lack of bi-directional integrations between DocuSign, OnBase and HCM requires manual data entry in FIS and other systems. This necessitates redundant manual data entry wasting valuable staff time, increasing the risk of errors, and negatively impacting productivity and employee morale. • Data Sharing Limitations: The system was not designed to share data with current campus and System data services and APIs. This compounds non-technical inefficiencies, duplication of effort, and barriers to collaboration. • Operational Risks: The above limitations compromise operational efficiency, data accuracy, and user satisfaction, rendering the current system unsustainable for future academic, research, and administrative operations. To address these challenges, CU Boulder must select and implement a modern approach that: • Aligns with contemporary and emerging business and technical requirements. • Enables seamless data sharing and integration across systems. • Minimizes or eliminates redundant manual data entry. • Considers “best practices” at peer institutions and favors commercially available software targeted at faculty processes.

Reducing the need for custom software maintenance and development by using vendor solutions. Minimal configuration and integration effort is the goal. Reducing manual data entry, data management, and data reconciliation with HCM and other data sources/systems. Improved integration with other System and Boulder campus systems, e.g., HCM, DocuSign, and OnBase. Reduced end user support effort. Improved reporting. Improved user experience and end user support/documentation/training. CU Experts Direct use case by CU Class Search web site managed by Registrar. CU Experts Direct use case by Web Express Faculty module(s). CU Experts public profiles or replacement solution.

M365 Apps for Faculty, formerly called ProPlus, is a license entitlement added to A1 licenses that allows users to download the desktop version of Office 365 apps. Formerly provided at no cost by Microsoft, the cost model is changing so that ProPlus is an extra expense. Traditionally, we provisioned M365 Apps to A1 licensed users because it was provided to us at no additional cost. Because of the increase in cost (from $0 to $20 per user), we must reduce the licensed users and change ongoing provisioning rules to maximize our license use and minimize the cost impact. This involves removing the license from existing users. Concrete objectives for this project include:

1. Check with MS licensing specialist to validate our plan
2. Change eligibility rules for O365 license groups a. OIT-A1-Faculty-License group: No longer receives M365 Apps b. OIT-A3-Faculty-License group: Receives M365 Apps by default; A3 license provided upon request c. OIT-A5-Faculty-License group: Receives M365 Apps by default; A5 license provided upon request
3. Clean up O365 license groups a. Remove M365 Apps license from those who do not use it or should not be entitled to it (within the OIT-A3-Faculty-License group: remove 1805 inactive/ineligible accounts) b. Move O365 accounts to more appropriate groups (move 3072 accounts in OIT-A1-Faculty-License group to OIT-A3-Faculty-License group) c. Remove M365 Apps license from OIT-A1-Faculty-License group (affects 19,222 accounts)
4. Change provisioning rules for O365 license groups a. Only provision A1, A3, or A5 Faculty license and not M365 Apps to new employees
5. Develop request process for A1 Faculty license group members to request M365 Apps a. If approved, there will be a process to apply the A3 license to the user’s account.
6. Implement buy-your-own option for those we don’t/won’t provision a. OIT’s cost per license is $20/year (cost recovery model may change the charge to the user; estimated at $40/year)
7. Communicate and manage change to impacted users

Make MS Office software available to eligible CU affiliates that need it Ensure licenses that are purchased are consumed and used to receive the benefit of that license

Broadcom completed the acquisition of VMware in November 2023, a deal valued at approximately $61 billion. This acquisition has brought significant changes, particularly in how VMware’s products are marketed and sold. Broadcom has shifted from perpetual licensing to subscription-based models, which has led to increased costs for many organizations. Universities are navigating the changes brought by Broadcom’s acquisition of VMware in several ways:

1. Cost Management: Many institutions are facing increased costs due to the shift to subscription-based licensing. To manage this, some universities are negotiating better terms or seeking alternative solutions to balance their budgets.
2. Strategic Planning: Universities are re-evaluating their IT strategies, considering cloud migrations, and exploring other hypervisors to reduce dependency on VMware. This involves careful planning to ensure minimal disruption to their operations.
3. Training and Development: There is a significant focus on upskilling IT staff to handle new systems and licensing models. This helps ensure that the transition is smooth and that the staff is well-prepared for the changes.
4. Vendor Relationships: Institutions are also working closely with vendors to understand the full impact of the changes and to find the best solutions for their specific needs.
5. Community Collaboration: Universities are collaborating, sharing insights and strategies to cope with the new landscape. This collective approach helps in finding effective solutions and mitigating challenges.

Potential Cost Savings: Alternatives to VCF can potentially offer more cost-effective solutions, helping OIT manage their budgets more efficiently. Flexibility and Scalability: Virtual Infrastructure solutions provide flexible and scalable options that can better adapt to the changing needs of higher education institutions. This ensures that IT infrastructure can grow alongside the UCB requirements. Avoiding Vendor Lock-In and risk associated with it: By exploring different Virtual Infrastructure options, universities can avoid becoming overly dependent on a single vendor. This increases bargaining power and reduces risks associated with vendor-specific issues. Specific to Broadcom, they do not have a great track record of supporting and continuing innovation around products they have purchased. Enhanced Security: Some alternatives may offer advanced security features or better compliance with specific regulatory requirements, which is crucial for protecting sensitive academic and personal data. Improved Performance: Evaluating different solutions can lead to the adoption of technologies that offer better performance and reliability, enhancing the overall user experience for students, faculty, and staff. Innovation and Modernization: Exploring alternatives encourages the adoption of the latest technologies and innovations, which can improve operational efficiency and support modern educational practices. Community and Support: Some alternative solutions have strong community support and extensive resources, which can be beneficial for troubleshooting and optimizing the IT environment.

The University currently uses Microsoft Entra as one of its two Multi-Factor Authentication (MFA) solutions. Entra MFA is implemented for users of Microsoft Office 365 (O365), Teams, and Microsoft Exchange (e.g. Outlook Email and Calendar), as well as any applications integrated with Microsoft for its MFA solution for Federated Authentication (FedAuth). What users with appropriate licensing (A5, A3) have for MFA is risk-based conditional access (CA). When originally set up, the lowest frequency implementation of Entra MFA was put in place. All users are low risk (prompted only at set up), but can move to medium risk (prompted for a new device) or high risk (prompted frequently) automatically. Password resets can move a user back to a lower risk level. Unless you are high risk (either associated with a high risk application, of which there are few with typically audiences restricted to OIT administrators) or have engaged in an identified high risk behavior (failed login attempts + impossible travel + new device), a University constituent will effectively never receive an MFA challenge/prompt from Microsoft. MFA allows OIT’s Security Team to provide a timeout on compromised devices and accounts. By not prompting for MFA, we are not taking advantage of the benefits of strong MFA. Additionally, by not providing greater granularity to our audience – we could divide the audience into different buckets, or personas, to apply different rules to different user types – we are providing blanket protection across all risk, instead of providing greater protection to higher risk audiences. Additionally, in an effort to unify our MFA experience and offering to the campus, we will move the shibboleth service (fedauth) to authenticate using Entra ID and Microsoft MFA, moving away from on-prem AD authentication and DUO MFA. This project proposes: • performing a policy review and data driven analysis on a test-audience (OIT) before rolling out to campus to implement a stronger baseline security where prompts are more likely to occur, and security is strengthened • This will also deliver a repeatable process for the involved OIT teams to propose, test, review, seek approval for and introduce these changes going forward in a repeatable fashion for introducing further layers • Performing a similar review and data driven analysis to introduce “layers” of conditional security requirements depending on audience/persona and situation. • Migrate shibboleth to proxy authentication to Microsoft Entra and enable a baseline policy for all fedauth authentications.

Security benefit – MFA reduces the ability to compromise an account with just a password, and provides a forced timeout Privacy benefit – this has the ability to raise the barrier of entry to sensitive data for specific users Grant and research bonus – by having higher security controls, we can demonstrate more systems compliant with stricter security standards, which means more ability to meet system requirements more broadly for grants tied to sensitive or controlled data handling Compliance benefit – GLBA, SOC, ISO 27001K, PCI, and NIST 800-171 standards all expect MFA. It is easier and less expensive to meet requirements from these types of audits with a central authentication system protecting data and access with MFA.

The Service Catalog Phase I project aims to set the stage for the development of a complete Service Catalog that will be published to the CU Boulder community in a future phase. This initiative will involve identifying and categorizing all IT services, defining roles and terms, and creating a Service Catalog template with attributes. During Phase I of the project, we will focus on the following key activities: • Defining service catalog terms (including the examples used below: “user”, “service”, “service offering”, “supporting services”, etc) • Identifying all user facing Services provided by OIT. • Identifying all Service Offerings available for each IT service. • Identifying all Supporting Services provided by OIT. Supporting services are internal services that enable the delivery of user-facing services but are not directly visible to end users. • Classifying services into relevant Service Categories for better organization and accessibility. • Service Owners and Service Managers: o Defining Service Owner role and Service Manager role. o Identifying both Service Owners and Service Managers for each Service and Service Offering to ensure accountability, effective management, and adherence to ITIL 4 principles. o Drafting Service Owner and Service Manager expectations. • Service catalog template creation with service catalog attributes identified. • Drafting the Service Catalog Phase II project charter. In Phase II of the project, we will collect information about service offerings, assign roles, and communicate expectations. In Phase III, we will publish the service catalog through the OIT website framework.

Improved service management. IT staff will benefit from having a structured, defined, and accessible Service Catalog that can help them manage their services and take on improvement initiatives more effectively by having a centralized collection of service information. Enhanced transparency. The CU Boulder community will benefit from a clear overview of all IT services, promoting transparency and better communication Support for decision-making. OIT will benefit from having detailed service information readily available, supporting informed decision-making and strategic planning. Accessible information. Clear and accessible information about available services and service offerings will enhance the user experience for university stakeholders, including faculty, staff, and students. This will lead to higher satisfaction and trust in OIT. Clear expectations. Assigning service owners and service managers ensures that there is a clear point of contact for each service, enhancing accountability and effective management. Both roles will benefit from having a well-defined scope of responsibilities and better visibility into their services.

This project will address the ~113 Red Hat Enterprise Linux (RHEL) 7 servers within OIT that will reach end-of-life support on June 30, 2024. RHEL 7 will no longer receive stability patches and security updates after June 30, 2024. As such, the services on these servers must either be migrated to new servers, migrated to other platforms (cloud native or containers), or retired/decommissioned. The breakdown of these systems and the service teams responsible for them are as follows: Group RHEL 7 Systems Description DATA 15 Data driven services (Data + Analytics, including EDB) AS 31 Academics and Student Services (FIS, ATAP, Buff Portal) SEC 36 Security, IAM, M&C NEO 15 NEO, Data Center, VOIP, Paging PE 5 Platform Engineering LNX 11 Linux Platform Engineering As part of the project, we will document the systems that have campus border firewall exceptions and how many do not. We will also determine which systems will require Red Hat Enterprise Linux Extended Lifecycle Support. Failing to

Reduce our security risk as an organization. Services migrated to supportable platforms allowing for continued development/improvement of the service if desired by service managers.

Brand Indicators for Message Identification (BIMI) is an emerging email standard that allows organizations to display their official logo next to authenticated emails in supported inboxes, such as Gmail and Yahoo. To enable this functionality, the sending domain must have strong email authentication in place—specifically, a DMARC policy of quarantine or reject. BIMI enhances brand recognition, builds recipient trust, and helps users visually identify legitimate communications. For CU, BIMI is particularly valuable in strengthening the institution’s digital presence and safeguarding against phishing and spoofing attacks on external sends. By prominently displaying the university’s logo in inboxes, it reinforces credibility with prospective students, alumni, donors, and other key audiences. BIMI also aligns with cybersecurity best practices by requiring full adoption of DMARC across all email-sending subdomains. To implement BIMI, the university must ensure that all relevant domains and subdomains are properly configured with SPF, DKIM, and DMARC. The flagship domain already meets this requirement, but several sub domains will require updated DNS and DMARC records. All subdomains that send mail will be required to be at least p=quarantine unless the owner provides a reason to remain at p=none. In addition, a BIMI-compliant logo must be created in the correct format, and a DNS record must be published pointing to it. A Verified Mark Certificate (VMC) is also required to authenticate the logo. BIMI is targeted at external marketing and advancement messages. It is supported by Apple, Google and Yahoo, but not Outlook at this time.

The university logo is displayed next to emails, increasing brand recognition and trust. Reinforces the university’s brand with every email interaction. Requires DMARC enforcement, helping prevent email spoofing and phishing. Provides a visual trust cue to distinguish legitimate emails from phishing attempts. Recognizable branding can increase open and response rates. Proper authentication improves email deliverability and reduces spam filtering. Demonstrates professionalism and modern cybersecurity practices. Protects the university community from malicious impersonation attacks. Positions the university as a leader in digital communication and security.

We have identified a strong need for uniform, easily accessible, and accurate usage data across more than a dozen technology tools within the OIT Academic Technology (AT) team umbrella, such as Canvas and Zoom. Improved access to this data will ultimately enhance our ability to support student success and will help us better connect the campus’ needs for technology with the most relevant solutions. In the current state, we have limited and extremely variable reporting (e.g. non-standard personnel identifiers, different ways to access and present data, etc.), and don’t have a way to combine the data across tools in an easy and useful way. Each tool’s usage data comes from a different place making it difficult to determine important metrics like comparative usage (e.g., number of instructors using each tool) and cross-usage (if student A uses Canvas, does student A also use Zoom, etc.). Without regular data importing, the time to refresh data for current week, month, or even semester and year is time-consuming. Current data reporting sources across AT Tools: • Canvas: Canvas Data 2 Database, API • Zoom: Looker Dashboard updated through D&A git script, API • Lecture and Classroom Capture: self-reporting, internal logs • Canvas Studio: API • iClicker: vendor sends report • Enrollment Statistics: CU Data • Course/Faculty Statistics: CU Data • Employment Tables: HCM Personnel Roster • Affiliation Tables: D&A request In this project, AT and D&A will develop the initial data connection and maintenance of service and tool data belonging to the Academic Technology (AT) Team into the Snowflake data mart, managed by the Data and Analytics (DA) Data Engineering Team. This will include usage data and other available tool data for applications supported by AT including but not limited to Canvas (Canvas data ETL integration), Zoom, MediaSite Lecture and Classroom Capture, iClickers, Canvas Studio, PlayPosit, Digication, and Qualtrics, etc. To keep the scope of the initial phase manageable, we will define a limited set of high-priority data points and tools to integrate first. This will include only the most essential metrics needed to demonstrate value and support decision-making. Once the foundational connections are in place and validated, we will iterate and expand the dataset incrementally—guided by team capacity, evolving needs, and feedback—by incorporating additional tools and metrics over time.

Data consolidation and regular refreshes. One stop reporting and dashboard tool Efficiencies in data management. Greater understanding of data available to us from different tools AT supports and other datasets and metrics available to us from Campus via the Data Mart.

The objective of this project is to pilot a deployment of Cloudforce’s nebulaONE AI platform to test three separate chatbot use cases and to evaluate the tool for potential wider campus use in the future. This project will help OIT in determining whether Cloudforce’s nebulaONE has the potential to be a future foundational service bringing the power of AI, especially in the administrative efficiencies space, to students, faculty, and staff without requiring a technical background through specifically defined pilots. The three test use cases all entail the creation of AI-powered chatbots that rely on internal or external campus sources of truth and can all be successful while utilizing only public data. Although this pilot is testing use cases that require only public data, nebulaONE will be evaluated for the increased capability that would come with the ability to utilize confidential data in the future. Selecting these use cases based on their low security risk will speed up implementation and evaluation as well as avoid significant cloud infrastructure development and configuration before evaluation can take place. NebulaONE has the capability to utilize protected data within our Azure ecosystem which is where this tool may provide a greater value proposition in the future, compared to other available options. Background information on the nebulaONE platform: NebulaONE is an AI tool created by Cloudforce, a Microsoft partner. NebulaONE offers the functionality to tie Large Language Models (LLM) to enterprise sources of truth to provide an institutional RAG tool that we anticipate would be in high demand primarily in the form of internal or external chatbots. Representatives from CU Boulder have been in touch with a current nebulaONE customer, University of Washington, and learned that the tool has a wide variety of potential uses within higher education (including a class tutor, accessibility assistant, resume critiquing tool, a medical training interview tool, student worker scheduling assistant, etc.). nebulaONE shows considerable potential to fit our campus’ needs and is situated in a beneficial place along the “build vs. buy” continuum where decisions need to be made on the best path to offer AI functionality to campus. nebulaONE is one of the most user-friendly and intuitive tools for customers to create their own solutions while offering administrative controls to centrally support access to the whole campus. There is a low cost of entry since there is no licensing fee and the only expected cost is for token usage through our existing Azure subscription.

Decrease the time and effort that administrative staff spend answering common and repetitive questions/support requests. Software Development Team and OIT staff gain experience w/ LLM technologies and chatbot use cases. Helps inform OIT if a future possible foundational service should be offered by OIT, one that is not dissimilar to our cloud foundations service, but for AI making it accessible with guardrails.

Safety is our top priority and providing safety information in an easily-accessible format is paramount. As such, CU Boulder plans to launch a “one stop shop” for accessing public safety information conveniently and easily, in the form of a mobile app. The app, a format preferred by students, will house safety communications in the form of “tiles” including links to alerts, safety resources and safety tips. Currently, safety resources reside in various places and need to be accessed separately (on the Alerts website, DPS, CUPD and EM sites, Clery site, Safe2Tell site, Don’t Ignore It site, CAPS/OVA, OIEC site, etc.) and this app will provide users a more convenient, inclusive access point to access information, both during emergencies and non-emergent situations (to report crimes, access victim rights information, read safety-related articles, etc.)

Provide safety information in one place through a mobile app Provide an additional channel for receiving alerts