Project Name: Secure Compute Environment Testbed for a National Secure Data Service

Contractor: NORC at the University of Chicago

Lessons Learned

  • The delayed contract execution and aggressive ATO timeline compressed the production schedule. As a result, the priority of and time available for other tasks decreased, and implementation and operational decisions were accelerated.
  • The aggressive schedule for the ATO requires perfect engineering across all tasks; any delays in execution have an immediate and direct impact on the project schedule and likelihood of success.
  • Frequent communication among and within all project entities (government and contractors) is critical.
  • Early identification of and engagement with the authorizing official (AO) and receipt of the authorization letter are critical prerequisites for software procurement and overall preparation for FedRAMP assessment.
  • A parallel development approach was implemented to concurrently launch the testbed environment while continuing FedRAMP assessment activities to ensure ATO and FedRAMP authorization milestones remain on schedule.
  • A brief survey administered to all SCET users can capture another valuable layer of feedback, but time should be allotted in the schedule to obtain OMB clearance in advance of collecting survey data.
  • Because the SCE will support multiple researcher bases, it will require a suite of complementary tools for privacy-preserving record linkage (PPRL) to suit a variety of data types and researcher objectives, rather than a single PPRL solution.
  • NORC has received approval to ingest and store restricted data within the SCET. As such, the NORC team has begun copying project documents, code, and restricted data from one secure enclave into the SCET. This process raised data governance questions and required coordination and a clear approval-tracking process across project teams housing the restricted data to ensure traceability and compliance. NORC developed a process that requires project teams to clearly specify the folders and restricted data they are requesting to move into the SCET, and that requires multiple client-level approvals before any data is transferred.
  • The month prior to the launch of the third-party assessment is a crucial time for organizing and validating all required documentation, and for completing final preparations to ensure a smooth and successful start to the assessment process.
  • While conducting a pre-assessment with the 3PAO may induce some risk of timeline delays due to the need for additional evaluation and adjustment, this proactive measure provides a valuable opportunity to identify and address gaps early, ultimately improving the team’s readiness for the full 3PAO assessment.
  • Collecting user feedback is a valuable strategy for improving system usability and overall experience. NORC initiated this process during the operational testing phase. Based on the feedback received, we implemented concrete improvements to system development.

To gain deeper insights, we chose to conduct semi-structured user interviews focused on specific areas noted in the initial feedback. This approach allowed our team to explore the user experience in greater depth and identify specific areas for improvement that would likely have been missed through a self-administered survey alone.

  • Open and transparent communication between the NORC project team and the client is critical for project success:
    • Sharing consistent budget updates, including early notification of any new risks, is essential so that issues, when they arise, are easier to resolve.
    • We kept the NSF security team updated on FedRAMP findings each time we received new information, to reduce surprises and create opportunities for ongoing dialogue and collaboration.

Disclaimer: America’s DataHub Consortium (ADC), a public-private partnership, implements research opportunities that support the strategic objectives of the National Center for Science and Engineering Statistics (NCSES) within the U.S. National Science Foundation (NSF). These results document research funded through ADC and are being shared to inform interested parties of ongoing activities and to encourage further discussion. Any opinions, findings, conclusions, or recommendations expressed above do not necessarily reflect the views of NCSES or NSF. Please send questions to ncsesweb@nsf.gov.