Georgia Tech Cybersecurity and distributed campus IT partners have initiated a phased rollout of the Institute’s Computer Security Standard (CSS). 

The CSS will apply consistent security controls across all desktops, laptops, and servers used to store, process, or transmit Georgia Tech data. The CSS requires that all new and existing systems used for project, research, and regulated data meet CSS requirements.

“This standard is foundational to a researcher’s ability to safeguard the integrity of their research activities and data, as well as to the broader need to protect the integrity of the research enterprise,” said Tanta Myles, associate vice president for Research Integrity Assurance. “The flexible approach aligns with industry best practices while supporting our wide-ranging research needs and methods.”

The first phase of CSS compliance requirements began Feb. 20 for all newly provisioned or rebuilt computers. The second phase, covering compliance for high-risk and regulated systems, begins June 20, and the rollout will continue through a phased implementation.

Action Required

IT support teams will work with faculty and researchers to identify impacted devices, determine appropriate classifications, and plan for required security controls. Early engagement is encouraged to align with fiscal year-end purchasing, ensure new purchases meet CSS requirements at provisioning, and minimize disruption to research planning timelines.

Endpoint Management

The Computer Security Standard outlines the minimum security requirements for all endpoints, including:

  • Endpoint management (e.g. Intune, JAMF, Salt) for devices 
  • Approved antivirus and endpoint detection tools 
  • Encryption for laptops and endpoint systems 
  • Controlled administrative privileges 
  • Device categorization and lifecycle tracking for IT assets

IT support teams will assign each system a classification (Default, or Alternate Control Plan (ACP) 1, 2, or 3) based on the system’s role. These classifications determine the phase and deadlines for each specific control. A formal exception process is in place for research and instructional devices requiring unique configurations.

Phased Deadlines

  • Phase 1 - Feb. 20: Compliance for Newly Provisioned and Rebuilt Computers
  • Phase 2 - June 20: High-Risk & Regulated Systems Compliance
  • Phase 3 - Sept. 20: Default & Alternate Control Plan 1 Compliance
  • Phase 4 - Dec. 31: Alternate Control Plan 2 and 3 Compliance/Mitigation

Resources and Support

To support this transition, Cybersecurity will maintain the CSS Companion Guide for IT staff and host training workshops. The Information Security Procedures, Standards, and Guidelines webpage will be routinely updated, outlining required steps and additional resources and tools. 

For additional questions or support, email support@oit.gatech.edu.
