General Performance Requirements: • The service must provide a secure, access-controlled cloud environment purpose-built for CUI and NIST 800-171, CMMC Level 2 compliance. • The provider must operate, maintain and assist the University with maintaining the environment in accordance with NIST 800-171 and CMMC Level 2 requirements, including all 110 security controls (80/20 model or comparable is acceptable with SRM). • The environment must be suitable for scalable, high-availability research and administrative workloads, with the ability to incrementally expand compute and storage resources. The vendor will have completed their own CMMC Level 2 certification or be going through the process of a CMMC Level 2 certification by a third-party assessor. Critical Features and Capabilities: A. Security & Compliance • Full compliance with NIST 800-171, CMMC Level 2, and applicable DFARS clauses. • Centralized audit log capture and review for all systems and activities. • Regular patching of operating systems and software, with timely flaw remediation. • Intrusion Detection Systems (IDS) and network firewall segmentation (defense-in-depth).
