The Office of Information Technology Cybersecurity department and distributed campus IT partners have initiated Phase II of the Computer Security Standard (CSS). The CSS establishes mandatory cybersecurity requirements to protect research, data, and operational systems at Georgia Tech. 

The first phase of the CSS compliance project launched in February, applicable to all newly provisioned or rebuilt Institute-owned computers. Phase II includes pre-existing high-risk and regulated systems compliance (e.g., Controlled Unclassified Information (CUI), export-controlled data, HIPAA-protected health data, federal financial aid data protected under the Gramm-Leach-Bliley Act (GLBA)).   

During Phase II, IT support teams will work with Institute faculty, researchers, and research administrators to identify impacted devices, determine appropriate classifications, and plan for required security controls. Early engagement is encouraged to align with fiscal year-end purchasing, ensure new purchases meet CSS requirements at provisioning, and minimize disruption to research timelines. 

IT support teams will assign a classification to systems: default, or Alternate Control Plan (ACP) 1, 2, or 3, based on the system’s role. These classifications determine the applicable phase and deadlines for each required control. A formal exception process is available for research and instructional devices that require unique configurations. 

Resources and Support  

 To support this transition, Cybersecurity will maintain the CSS Companion Guide for IT staff and provide training sessions. The Information Security Procedures, Standards, and Guidelines webpage will be routinely updated, outlining required steps and additional resources and tools.  

For additional questions or support, email support@oit.gatech.edu.