Colorado State University told the Legislative Audit Committee on July 1 that it has centralized IT security authority, posted a system-wide IT security policy, and created implementation standards and cross-campus confirmation processes as the university works to meet the Department of Defense's CMMC (Cybersecurity Maturity Model Certification) requirements.
What auditors reported: The Office of the State Auditor's IT evaluation (May 2024) made 16 recommendations to improve CSU's readiness for CMMC-level contracting. The public status update the auditors provided to the committee notes the auditors substantiated CSU's assertions that several recommendations were implemented or partially implemented; the confidential status report and remaining details were discussed in executive session per statute.
CSU response and actions: CSU's vice president for information technology, Brandon Bernier, said the campus undertook a comprehensive alignment effort that included more than 100 IT staff across 34 projects, procurement of external expertise, and new executive oversight. Bernier said CSU established a central authority for IT security and modernized endpoint and infrastructure management.
CSU said it formed strategic partnerships to support compliance: a collaboration with Microsoft for technical and advisory services and an operational arrangement with the University of California San Diego to use its "Sherlock" secure enclave for controlled unclassified information (CUI) used in DoD grants and contracts. Vice President for Research Cas Mosley described reorganizing research-support processes so proposals, data handling and closeout steps are documented and accountable; CSU also hired a research data security analyst and created a CUI oversight committee that includes general counsel.
Policy and implementation steps: CSU Chief Security Officer Steve Lobos told the committee the final recommendations remaining on the auditors' April 1 list hinged on posting a new IT security policy; that policy was approved by the chancellor and posted April 22, 2025. Supporting technical standards were posted July 1, 2025. CSU said it is now collecting confirmations of compliance from distributed IT units and expects to meet DoD CMMC level 1 and level 2 requirements for the research environment before the October 1 compliance date.
Executive session: The committee voted to discuss confidential parts of the status report in executive session under statute, then returned to open session after the confidential briefing.
Ending: CSU told the committee it is treating CMMC readiness as an enterprise project with executive oversight and external partnerships, and that formal documentation and system-wide standards are in place to support next steps toward DoD contracting compliance.