Health, Education & Government Higher Education Research & Grants Management

Sponsored Research

Multi-stakeholder institutional decisions where academic mission, student outcomes, and financial sustainability converge.

Battelle RTI International Charles River Associates SAIC
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles, timeline, risk tolerance, and what ‘good’ looks like for PI, research admin, IT security, and sponsors.

      Alignment Questions

      Quick Intro — Who's in the Room?

      • Which of these best describes your role in the award or institution? Options: Principal Investigator (PI), Research Administration (Sponsored Programs), Department Chair / Center Director, VP Research or equivalent, Federal Program Manager or Contracting Officer, IT / Security Lead, Other
      • What type of award or program are we talking about? Options: Single-site R01/Research project, Multi-site cooperative agreement, Center or program grant, Defense/SBIR/DoD contract, DOE/DOE-lab funded program, Other
      • Briefly describe the one sentence purpose of this award (what you are trying to achieve scientifically or programmatically).
      • What triggered you to engage us now? (pick the primary reason) Options: New award with NSPM‑33/NIST requirements, Audit finding or compliance gap, PI overwhelmed by admin burden, Large multi-site coordination need, Preparing for subcontracting or foreign collaborators, Other
      • If you had to name the single most frustrating administrative task today, what would it be?

      If Compliance Is Sucking the Life Out of Research, How Bad Is It?

      • When you look at day‑to‑day work, how much of the PI’s time is currently absorbed by administrative and compliance tasks? Options: Less than 10%, 10–25%, 25–40%, 40–60%, More than 60%
      • Which specific compliance tasks take the longest or create the most friction for the team? (select all that apply) Options: Data handling and classification, FISMA/NIST documentation and controls, Subaward management and flow‑downs, IRB/IACUC coordination, Budget/effort reporting, Security training and attestations, Other
      • Tell us about a recent moment when administrative burden directly delayed or derailed research progress—what happened and what was the impact?
      • How does dealing with these requirements make the PI and research staff feel—frustrated, distracted, burned out, resigned, motivated to change, or something else? Options: Frustrated, Distracted, Burned out, Resigned, Motivated to change, Other
      • How long have these pain points been building (weeks, months, years)? Options: Less than 3 months, 3–12 months, 1–2 years, More than 2 years
      • Who on your team currently champions compliance work—and how overloaded are they? Options: PI, Research Administrator, Dedicated Security/Compliance Lead, Department Admin, Shared across multiple people, No clear owner

      What Would It Cost to Lose This Award—or Keep It?

      • If the project failed to meet NSPM‑33/NIST 800‑171 expectations, what is the most likely consequence? Options: Loss of funding, Increased oversight/constraints, Audit penalties or corrective action, Delayed milestones/delivery, Damage to institutional reputation, Unclear/Unsure
      • Have you experienced an audit finding, citation, or formal notice related to research security or grants management in the last 3 years? Options: Yes — federal audit, Yes — institutional/internal audit, No, Unsure
      • If you answered yes, briefly describe the finding and what was required to remediate it.
      • How much schedule slippage or milestone delay would be tolerable before your sponsor intervenes? Options: No delay tolerated, Up to 1 month, 1–3 months, 3–6 months, More than 6 months
      • What level of risk—regulatory, reputational, or operational—are your leadership and sponsors willing to accept? Options: Very low (zero tolerance), Low, Moderate, High, Unsure

      Who Decides ‘Yes’ — and What Makes Them Sleep at Night?

      • Who are the decision‑makers for selecting a managed research operations partner and approving budget for it? Options: PI, VP Research, Sponsored Programs Director, CIO/IT Security, Department Chair, Federal Program Manager, Other
      • Which stakeholder cares most about scientific autonomy vs. regulatory compliance—and how vocal are they? Options: PI strongly values autonomy, Research office prioritizes compliance, IT/security prioritizes controls, Sponsors prioritize compliance, Mixed views / no dominant voice
      • What are the top three criteria that will determine whether you select a vendor? (pick up to three) Options: Familiarity with agency regulations (NIH/NSF/DoD/DOE), FISMA‑authorized systems, Proven reduction of PI administrative time, Price/financial fit, Subcontract management expertise, References from similar institutions
      • What timeline do decision‑makers expect for vendor selection and contract signature? Options: Immediately / within 2 weeks, 1 month, 1–3 months, 3–6 months, Unsure
      • Which stakeholder would be hardest to convince, and what would they need to hear or see to change their mind?

      Where Does Your Data Live — and Who Can Touch It?

      • Which categories of data are produced or stored on this award? (pick all that apply) Options: Controlled Unclassified Information (CUI), Export‑controlled data, Human subjects / PHI, Proprietary/vendor data, General non‑sensitive research data, Other
      • Which systems currently store or process this data? Options: Institutional file shares (on‑prem), Cloud storage (institutional AWS/Azure/GCP), PI laptops/USBs, Lab equipment with local storage, Third‑party vendor platforms, Other
      • Are any of these systems currently FISMA‑authorized / do you have an ATO (Authority to Operate)? Options: Yes — full ATO, In process / partial authorization, No, Unsure
      • How are user access and privilege changes handled today (manual requests, ticketing, automated SSO, periodic review)? Options: Manual email/request, Helpdesk ticketing, SSO/automated provisioning, Periodic manual reviews, No formal process
      • Have you experienced any security incidents or near misses tied to research data in the last 24 months? If comfortable, briefly describe. Options: Yes — incident, Yes — near miss, No, Prefer not to say
      • Who would need to sign off on third‑party access to research data (IT security, PI, legal, sponsor)? Options: IT/security, PI, Legal/Contracts, Sponsored Programs, Sponsor does not require sign‑off, Other

      What Would ‘Less Burden, More Science’ Actually Look Like?

      • If we removed the majority of compliance work from the PI’s plate, what would they do with that time instead? Options: More experiments/data collection, Grant writing/submissions, Mentorship and student supervision, Collaboration/translation activities, Rest/reduce workload, Other
      • Which measurable signals would show us we’re succeeding after 6 months (pick up to three)? Options: % reduction in PI admin hours, Faster invoice/subaward processing time, Number of compliance findings reduced, On‑time milestone achievement, PI satisfaction score, Faster IRB/IACUC approvals
      • What aspects of research autonomy must remain untouched for you to consider outsourcing administration? Options: Scientific direction, Data analysis and publication decisions, Student supervision, Selection of collaborators, None — we are open to broad support
      • What minimum SLA or responsiveness expectations would make you comfortable escalating work to an external team? Options: Same business day, 24 hours, 48–72 hours, Weekly cadence, Depends on the issue
      • What would make your PI feel genuinely relieved rather than just less annoyed—what outcome would feel emotionally meaningful?

      What’s Standing Between Us and a Smooth Integration?

      • What institutional constraints or policies typically slow down onboarding external research services here? Options: Legal/contract review cycles, IT security authorization, Procurement/budget cycles, Union/staffing policies, Data sharing agreements, Other
      • What specific IT approvals or security packages would we need to complete before integration (e.g., ATO, SSP, POA&M, MOU)? Options: ATO/Authorization package, System Security Plan (SSP), Plan of Action & Milestones (POA&M), MOU/Data sharing agreement, None / not required, Unsure
      • What APIs, SSO providers, or enterprise systems would we need to integrate with (select all that apply)? Options: COE/Grants system (eRA Commons, Cayuse, Kuali), Institutional HR/payroll, Single Sign‑On (Okta/MS ADFS), LIMS/Lab systems, Custom local databases, Other
      • How many internal FTE hours per month could you realistically commit to an onboarding effort? Options: <10 hours, 10–25 hours, 25–50 hours, 50–100 hours, >100 hours
      • Tell us about a past vendor integration that went well—or badly. What specifically made it work or fail?

      If We Started Tomorrow, How Would We Know We’re Winning?

      • What acceptance criteria would you require at pilot completion to move to full delivery? Options: Verified NIST 800‑171 controls implemented, PI admin time reduced by X%, Onboarding of key users completed, Successful data access and security testing, Sponsor sign‑off
      • Would you prefer a phased pilot (single lab or subaward) or a full‑program rollout to start? Options: Phased pilot, Full rollout, Hybrid (pilot + critical pieces)
      • Who will own governance and day‑to‑day decisions after we begin (title/role)? Options: PI, Research Administration Lead, IT/Security Lead, Program Manager (third‑party), Shared governance board
      • Are there contracting, budget, or legal hurdles that would prevent a start within your desired timeline? If so, what are they? Options: Procurement process, Budget approval, Legal/IP concerns, Sponsor approval required, No major hurdles, Other
      • How ready are you to begin a discovery pilot on a scale that will deliver measurable outcomes within 60–90 days? Options: Ready immediately, Ready in 1–3 months, Ready in 3–6 months, Not ready / need more internal alignment

      Final Priorities & Next Steps — What Should We Tackle First?

      • From everything above, pick the top three priorities we should address in the first 90 days. Options: Assign governance and roles, Lock down data access and FISMA requirements, Reduce PI administrative tasks, Onboard key systems/subaward workflows, Remediate audit findings, Establish SLAs and acceptance criteria
      • Who should be on our core working group for the pilot (list names/titles or roles)?
      • What would a successful first 30 days look like to you? Be specific (deliverables, meetings, approvals).
      • Is there any additional context, documents, or stakeholders we should see or speak with before proposing a scope?
      • Would you like us to propose a tailored 60–90 day discovery pilot with estimated effort and costs based on the answers you’ve provided? Options: Yes — please propose, Maybe — need internal alignment first, No — not at this time
    2. Current State Mapping

      Document existing grants workflows, data flows, IT controls, and compliance gaps relative to NSPM‑33 and NIST 800‑171.

      Current State

      Getting Oriented: A 90‑second Snapshot of Your Award

      • Which award or program is this discussion about (agency + program name + PI or owning office)?
      • How many institutional sites, core facilities, or partner organizations are active on this award? Options: Single site, 2–5 sites, 6–15 sites, 16+ sites, Unsure
      • What type of DOI/CUI or other controlled research information do you expect to create or handle under this award? Options: Controlled Unclassified Information (CUI), Subject/participant data (PII/PHI), Export‑controlled technical data (ITAR/EAR), None expected, Other
      • Who will be our primary contacts for day‑to‑day coordination (PI, Grants Admin, IT Security, Sponsored Programs)? List names and roles.
      • What is your target date for being audit‑ready / compliant for this award (milestone or go‑live)? Options: Already compliant, Within 30 days, 30–90 days, 3–6 months, 6+ months, No fixed date

      Are Your Data Flows Actually Where You Think They Are?

      • Walk me through the life of a single data element from collection to archival — where is it created, who touches it, and where does it get stored?
      • Which systems currently store or transmit award‑related CUI or protected research data? Options: Institutional GMS (grants mgmt), Local file shares (network drives), Personal devices (laptops/tablets), Commercial cloud (e.g., Box, Dropbox), Institutional cloud (Azure/AWS/GCP), Lab equipment / instruments, Other
      • Are there any known 'shadow' tools or workarounds (Slack, personal email, USB drives, ad‑hoc scripts) that teams use to move data? Options: Yes — frequently, Yes — occasionally, No, Unsure
      • How are data access permissions granted, reviewed, and revoked today (who approves, how often reviewed)? Options: Central IT approval, PI grants access, Dept admin manages, Automated role‑based system, No formal process, Other
      • Where do backups and archives live, and who verifies their integrity and retention schedules? Options: Central IT backups, Local lab backups, Third‑party archival, No consistent backups, Unsure

      Who’s Really Responsible When Something Breaks (or Is Audited)?

      • When a compliance or security issue surfaces, who is expected to lead the response (role/title rather than person)? Options: PI, Dept/Research Admin, Institutional IT/Sec, Sponsored Programs Office, Compliance Office, Other
      • Are decision rights and handoffs for award administration documented anywhere (SOPs, roles matrix, org chart)? Options: Fully documented and current, Partially documented, Outdated documentation, No documentation, Unsure
      • How often do PIs, lab managers, and admin staff receive training on handling CUI/NIST 800‑171 related tasks? Options: Quarterly, Bi‑annually, Annually, On hire / ad hoc, Never
      • Describe the last time a role ambiguity caused a missed deliverable or audit finding — what happened and how did it feel for the team?
      • Would a clear RACI (who’s Responsible, Accountable, Consulted, Informed) for grant security reduce your current stress or risk? If so, which areas most? Options: Access provisioning, Incident response, Data sharing approvals, Subrecipient oversight, Audit evidence collection, All of the above, Not sure

      What Small Workarounds Have Become Big Risks?

      • What informal practices or 'just gets the job done' shortcuts are you most worried about right now?
      • How frequently do these workarounds occur and who most often uses them? Options: Daily, Weekly, Monthly, Rarely, Unsure
      • Have any of these practices led to incidents, near misses, or audit comments in the past 24 months? Tell us one concrete example.
      • Which of the following would reduce the urge to use workarounds (select all that apply)? Options: Simpler approved tools, Faster approvals, Clearer training, More delegated authority to PIs, Automated workflows, Other
      • If we fixed one common workaround this quarter, which fix would relieve the most administrative burden for your PI or lab staff?

      Do Your IT Controls Withstand Close Scrutiny?

      • If an assessor asked to see your NIST 800‑171 control set, which of these would be fully documented and evidence‑backed today? Options: Access control (AC), Audit & accountability (AU), Configuration mgmt (CM), Media protection (MP), Incident response (IR), System & communications protection (SC), All of the above, None
      • Where do you currently sit on basic technical hygiene: endpoint patching, multi‑factor authentication, and centralized logging? Options: All in place and monitored, Mostly in place, Partial / inconsistent, Not in place, Unsure
      • Do you have an SSP (System Security Plan), POA&M, and a current assessment for the systems handling award data? Options: SSP + POA&M + assessment present, SSP only, POA&M only, No formal artifacts, Unsure
      • How segregated are research systems that handle CUI from general institutional systems (network segmentation, separate enclaves, or logical isolation)? Options: Physically segregated, Logically segmented, Minimal segmentation, No segmentation, Unsure
      • What are the top 2 technical control gaps you fear an auditor would flag tomorrow?

      How Would You Demonstrate Compliance Under Pressure?

      • When auditors or sponsors request evidence, how quickly can you produce chain‑of‑custody, access logs, and approval records for award data? Options: Within hours, Within a day, Within a week, Longer than a week, Cannot reliably produce
      • Which reporting rhythms exist today (regular reports to PI/sponsor, audit readiness checks, control testing cadence)? Options: Weekly, Monthly, Quarterly, Annual, Ad hoc / none
      • Have you ever had to respond to a sponsor data request or FOIA related to research under this award? What was the process and outcome?
      • Which tools or records currently serve as your 'single source of truth' for award compliance evidence? Options: GMS system, SharePoint/Drive repository, Ticketing system, Email threads, No single source, Other
      • How would an inability to quickly produce evidence impact the program operationally and reputationally?

      Integration Warning Signs: What Breaks First?

      • What institutional systems must we integrate with to manage this award (HR/payroll, procurement, GMS, identity provider, lab inventory)? Options: GMS/grants mgmt, HR/payroll, Procurement/finance, Identity/SSO, LIMS/lab inventory, Other
      • Which integrations have caused the most delays historically — approvals, account provisioning, or data exchange? Describe one instance.
      • Do you have documented APIs, data dictionaries, or integration owners for those systems? Options: Yes — fully documented, Partially documented, No, Unsure
      • Which of the following connection constraints apply today (select all that apply)? Options: No external API access, Data residency restrictions, Strict firewall rules, Manual CSV exchange, SSO only, Other
      • Realistically, what internal resource bandwidth can you assign to integrations in the next 90 days (FTEs, hours/week, or teams)?

      What Would Secure, Low‑Burden Success Actually Feel Like?

      • If administrative burden on your PI dropped by half while meeting NSPM‑33 and NIST 800‑171, what immediate differences would you notice?
      • Which success signals matter most to you for this award (choose up to three)? Options: Clean audit with no findings, PI time reclaimed for research, Ontime deliverables to sponsor, Zero security incidents, Seamless subrecipient management, Rapid evidence production
      • What timeline would feel realistic and acceptable to reach that state (quick wins vs full baseline remediation)? Options: 30 days (quick wins only), 90 days, 3–6 months, 6–12 months, Depends on funding/approvals
      • Which constraints would make you say 'no' to an otherwise promising remediation plan (cost, PI disruption, data residency, vendor lock‑in)? Options: Cost, PI disruption, Regulatory restrictions, Institution policy, Other
      • What would make you feel confident handing day‑to‑day compliance to an external managed service while maintaining PI autonomy?

      Decision Signals: Are You Ready to Move From Mapping to Action?

      • Who needs to sign off to proceed with a remediation plan or onboarding to a managed service (titles and approval authorities)?
      • What are the non‑negotiable institutional approvals or reviews we must complete before starting technical work (IRB, CIO, InfoSec Committee, legal)? Options: IRB, CIO/IT governance, InfoSec Committee, Legal/Contracts, Sponsored Programs, Other
      • What internal barriers could slow a commitment for this award (procurement cycle, budget approvals, union/HR constraints)?
      • Realistically, how soon could your institution approve an initial scope of work to remediate high‑risk gaps? Options: Immediately, Within 30 days, 30–90 days, 3–6 months, Longer / unsure
      • What would you like our immediate next deliverable to be after this mapping session (risk heatmap, prioritized POA&M, integration plan, kickoff checklist)? Options: Risk heatmap + quick wins, Prioritized POA&M, Integration & data flow plan, Staffing and training plan, Full remediation proposal
  2. Customer Discovery

    Clarify desired outcomes, constraints, stakeholder priorities, and measurable success signals for the award.

    Discovery Questions

    Start: The Award That Brought You Here

    • Briefly describe the award, audit finding, or trigger that brought you to explore external support now.
    • Which of the following best describes the immediate reason you’re exploring a managed research compliance partner? Options: New award requiring NSPM-33 implementation, Audit finding on grants management, Large multi-site research program, Principal Investigator overwhelmed by compliance, Proactive modernization of controls, Other
    • Who on your team first raised the issue and what made them feel this needed urgent attention?
    • What timeline are you trying to meet for being operational under the award’s security and administrative requirements? Options: Immediately (weeks), 1–3 months, 3–6 months, 6–12 months, More than 12 months
    • Which institutional office will own the day-to-day relationship with an external partner if you move forward? Options: Principal Investigator (PI), Sponsored Programs / Grants Office, Research Administration, IT / Research IT, VP Research / Research Leadership, Other
    • How would you describe current sentiment toward external managed services at your institution? Options: Welcoming — seen as helpful, Curious — open but cautious, Skeptical — prefer internal solutions, Reluctant — worried about control, Neutral / undecided

    What If Compliance Wasn’t the Headache?

    • What common assumptions about compliance could be wrong here—and if they are, how would that change your approach?
    • Which frameworks and requirements are most relevant for this award? Options: NSPM-33, NIST SP 800-171, FISMA, Agency-specific regulations (NIH/NSF/DOE/DoD), Export controls (ITAR/EAR), Other
    • How confident are you that your current controls meet NIST 800-171 for this scope of work? Options: Fully confident, Mostly confident, Partially confident, Not confident, Unsure / need assessment
    • Tell us about a recent moment when compliance requirements slowed or changed the course of the research—what happened and what was the impact?
    • How do your PIs typically feel about additional security controls—are they protective, frustrated, neutral, or supportive? Options: Protective — see value, Frustrated — see as burden, Neutral — pragmatic, Supportive if it preserves autonomy, Mixed responses across PIs
    • If compliance burdens were meaningfully reduced, what would you expect to change about daily research operations?

    Who's Holding the Map?

    • If we listed every decision‑maker on this award, whose voice would we often miss—and why would that matter for getting this done?
    • Please list the key stakeholders for this award and their roles (e.g., PI name, grants office lead, IT security lead, sponsor PM).
    • Which stakeholders must approve technical integrations or data access? Options: IT Security / CISO, Research IT, Sponsored Programs / Grants Office, Office of General Counsel, PI / Lab Lead, VP Research / Executive Sponsor, Other
    • Who controls budget authority to hire an external partner for this work? Options: PI discretionary funds, Sponsored Programs Office, Department Chair, VP Research, Sponsor-funded budget line, Other
    • How do the sponsor or agency program managers prefer to receive security and compliance assurances? Options: Certification packages (deliverables), Regular audit reports, Shared dashboard access, Scheduled briefings / meetings, Ad hoc documentation on request, Other
    • How aligned are these stakeholders on acceptable residual risk and on who will be accountable if something goes wrong? Options: Well aligned, Some disagreement on details, Highly fragmented / unclear, Unknown

    Signals That Tell Us It's Working

    • If you could only track three signals to prove our solution is working, which would you pick and why?
    • Select the success metrics that matter most for this award. Options: On-time deliverables to sponsor, Audit findings resolved / audit pass, NIST 800-171 control pass rate, Reduction in PI administrative time, Time-to-onboard subawardees, Data access latency / uptime, Sponsor satisfaction score, Cost per award under management
    • For the top metric you selected, what numeric target or threshold would indicate success (e.g., audit score, % reduction, days saved)?
    • How will the sponsor or your leadership verify those signals—formal audit, monthly reports, a dashboard, or another method? Options: Formal external audit, Scheduled monthly reports, Shared live dashboard, Quarterly briefing, On-site validation, Ad hoc documentation
    • Who has final authority to declare the award’s implementation successful? Options: Sponsor / Agency PM, PI, VP Research / Executive Sponsor, Grants Office, Compliance Officer
    • How tolerant would you be of occasional false-positive security alerts if overall risk was reduced? Options: Low tolerance — false positives unacceptable, Moderate tolerance — manageable, High tolerance — prefer caution, Unsure

    Where the Risk Really Lives

    • Which single failure—technical, process, or human—would most likely cause the sponsor to pause or terminate funding?
    • Which risk categories worry you most for this award? Options: Data exfiltration / loss, Unauthorized access to CUI, Subrecipient non-compliance, IT system downtime, Regulatory audit findings, Reputational damage, Budget or schedule overruns
    • How mature are your current IT security controls (identity management, encryption, patching, logging)? Options: Mature — industry standard, Developing — gaps exist, Ad-hoc — inconsistent, Absent — major gaps, Unknown
    • Have you experienced a security incident related to research or grants management in the past 24 months? If yes, what was the outcome? Options: Yes — major incident (reportable), Yes — minor incident, No incidents, Prefer not to say
    • What immediate mitigation actions would you expect from an external partner if a compliance finding or incident occurred?
    • How does leadership balance research momentum vs. conservative security controls in practice? Options: Prioritize momentum with controls tailored, Balance both equally, Favor conservative controls, No clear policy / varies by leader

    The Integration Test: What Must Connect?

    • If integrations don’t work, which exact task will stop immediately and who will be affected?
    • Which systems must this solution integrate with for the award to function? Options: University ERP / Grants system (e.g., PeopleSoft, COEUS), Identity provider / SSO, Research data repository / LIMS, Sponsor portals, Subaward management system, Finance / payroll systems, Other
    • What access levels (view, write, admin) will be required for those systems and who must approve them?
    • Are APIs available for the required integrations, or will we rely on manual exports? Options: APIs fully available, APIs partially available, Manual exports only, Unknown — need to investigate
    • What authentication and network requirements must we meet for an external partner (SSO/SAML, VPN+MFA, service accounts, certificates)? Options: SAML / SSO, VPN + MFA, Scoped service accounts, Client certificates, Other
    • When could you provide non-production test access to validate integrations? Options: Immediately, 1–2 weeks, 3–4 weeks, 1–2 months, Unknown / depends on approvals

    Commitment and Change: Who Will Carry This?

    • Even with executive buy-in, what human habit or organizational behavior is most likely to block successful adoption here?
    • Which internal teams or roles will actively support onboarding and ongoing operations? Options: Research Administration / Grants Office, IT Security / CISO, Research IT, PIs and Lab Staff, Finance, Office of General Counsel, Other
    • Estimate the FTE effort your institution can commit to onboarding during month one. Options: 0 (no internal support), 0.1–0.5 FTE, 0.5–1 FTE, 1–2 FTE, 2+ FTE
    • What training cadence would be realistic and acceptable for PIs and research staff during rollout? Options: One-time intensive training, Weekly short sessions, Monthly check-ins, On-demand self-paced modules, Blended approach (mix)
    • Who will be the executive sponsor we can escalate to if decisions are blocked?
    • What are the most common reservations PIs raise when asked to adopt new compliance or management processes?

    A Pilot That Proves It

    • What is the smallest, least risky pilot that would make stakeholders stop and say, 'that solves our problem'?
    • Which pilot scope would be most convincing to your leadership? Options: Single PI, single project, Department-level (several PIs), Multi-site subaward test, Security control validation for one data type, End-to-end award lifecycle test
    • What success criteria must the pilot meet to approve a broader rollout (specific metrics, timelines, and stakeholder sign-offs)?
    • How long should a pilot run before you would evaluate it for expansion? Options: 2 weeks, 1 month, 3 months, 6 months, Other
    • Who will be the pilot point-of-contact and the daily user we can rely on for rapid feedback?
    • What institutional approvals or paperwork are required to start a pilot (data agreements, IT exceptions, IRB, subcontract approvals)?
    • How likely are you to greenlight a pilot within 30 days if we present a clear plan? Options: Very likely, Somewhat likely, Unlikely, Impossible, Unsure
  3. Solution Experience

    Walk through how our managed services deliver research security, FISMA controls, and reduced PI burden using the customer’s scenarios.

    Experience Meetings

    • Pre-Experience Alignment (Prework Review)
    • Scenario Walkthrough — PI & Grants Workflow
    • Security Controls & FISMA Mapping (NIST 800-171 / NSPM-33)
    • Operational Simulation — Incident, Reporting & PI Burden Reduction
    • Acceptance & Next Steps — Criteria, Pilot Scope, and Timeline

    Meetings

    • Agree any customizations needed to runbooks or report templates for institutional policies.
    • Identify ownership for producing missing artifacts and any timelines for remediation.
    • Provide a controls mapping spreadsheet tying current gaps to specific NIST 800-171 controls and evidence artifacts.
    • Share sample compliance artifacts (config snapshots, audit logs, POAM entries) from our FISMA environment.
    • Customer security lead to confirm any additional agency-specific control expectations.
    • Schedule a follow-up to review POAM and residual risk mitigations.
    • Customer to provide feedback on report templates and sign-off criteria.
    • Set Simulation Scenario & Expected Consequence
    • Prove that the managed service executes the event with defined timelines and produces required evidence.
    • Demonstrate measurable reduction in PI time and manual steps during the event.
    • Confirm that produced reports meet sponsor and institutional acceptance standards.
    • Introductions & Objectives
    • Deliver the incident runbook and example artifacts used during the simulation.
    • Finalize SLA commitments (response times, owner roles) in writing.
    • Schedule Solution Scope meeting to convert validated items into contractual modules.
    • Review Validated Future-State Statements
    • Obtain mutual agreement on concrete acceptance criteria and KPIs for the pilot.
    • Finalize pilot scope, timeline, and named owners required to start delivery.
    • Secure an explicit go/no-go decision to move forward to contractual scoping.
    • Document any remaining risks and mitigation items to carry into the Solution Scope stage.
    • Host to produce a Pilot SOW draft showing modules, acceptance criteria, timeline, and owners.
    • Customer to approve access and integration tasks required before pilot start.
    • Both parties to sign off on KPIs and reporting cadence for pilot evaluation.
    • Schedule Solution Scope meeting and assign preparatory work for contractual details.
    • Establish a single, crystal-clear current-state sentence everyone agrees on.
    • Surface explicit consequence metrics (time, cost, risk) tied to the current state.
    • Agree one precise future-state outcome to be proven in the Solution Experience.
    • Confirm availability of required artifacts and demo access for scenario validation.
    • Owner to deliver final one-sentence current-state and supporting artifact list.
    • Customer to provide quantified consequence data (hours, fines risk, audit dates).
    • Host to provision demo tenant and grant temporary access to named participants.
    • Schedule the Scenario Walkthrough meeting within 5 business days.
    • Recap Agreed Current-State Sentence & Scenario Context
    • Validate that the mapped current workflow accurately reflects day-to-day operations and where it breaks.
    • Demonstrate, with the customer's scenario, how our service produces the agreed future-state outcomes.
    • Obtain explicit customer confirmation on which pain points are resolved and acceptable success metrics.
    • Identify any remaining unknowns or integrations required to prove the future state.
    • Deliver a workflow mapping artifact showing current vs managed-service steps with owners.
    • Calculate and share projected hours saved per reporting cycle for the scenario.
    • List required integrations and data feeds with preliminary technical owners.
    • Customer to confirm any scenario edits or alternate paths to test in the operational simulation.
    • Baseline: Regulatory Triggers & Required Controls
    • Agree a mapped list of gaps → controls → implemented evidence for the customer's award.
    • Quantify how implemented controls reduce audit and sponsor risk in operational terms.
    • Obtain customer sign-off on what evidence constitutes acceptance for each mapped control.
    • Current Gap Mapping
    • Define Measurable Acceptance Criteria & KPIs
    • Detection & Intake: How the Event Enters Our Process
    • Step-by-Step Current Workflow Mapping
    • One-Sentence Current State
    • Control Implementation Proof
    • Consequence Quantification
    • Agree Pilot Scope, Deliverables & Timeline
    • Surface Pain Points & Consequences in Workflow
    • Response & Execution: Live Walkthrough of Runbook Steps
    • Confirm Governance & Decision Points
    • Consequence Reduction & Residual Risk
    • Reporting, Sponsor Notification & Closeout
    • Managed-Service Flow: Proof of Replacement
    • One-Sentence Future State
  4. Solution Scope

    Define modules (grants administration, research security, subcontract management, technical reporting), responsibilities, SLAs, and acceptance criteria.

    Scope Configuration

    • Manage award financials and invoicing
    • Prepare and submit federal financial reports (FFR)
    • Perform award modifications and prior approvals processing
    • Provision FISMA-compliant research IT workspace
    • Implement NIST 800-171 controls for project
    • Manage subcontracts and vendor compliance
    • Draft and submit technical progress reports
    • Coordinate IRB/IACUC filings and compliance actions
    • Administer export control compliance and licensing
    • Maintain property and equipment inventory records
    • Provide dedicated grants administration helpdesk
    • Compile and deliver audit response packages
    • Deliver research security and compliance training

    Scope

    Manage award financials and invoicing

    • Do you require our team to fully manage award financials and invoicing for this award? Options: Yes, No, Partial (shared responsibilities)
    • How many awards or cost centers should financial management cover? Options: Single award, Multiple awards (2-5), Portfolio (6-20), Large portfolio (20+)
    • Which institutional financial systems need integration for invoicing and reconciliation? Options: Workday, Banner, Oracle/PeopleSoft, Homegrown/Other, None — manual reporting
    • Who will hold primary responsibility for monthly reconciliations and approvals? Options: Customer (research office), Seller (our team), Shared - specify split below
    • What SLA do you require for invoice preparation, review, and submission (days)? Options: 3 business days, 7 business days, 14 business days, Custom
    • What are your acceptance criteria or deliverables for financial management (e.g., month-end reconciled ledger, submitted invoices, variance reports)?

    Prepare and submit federal financial reports (FFR)

    • Should we prepare and submit FFRs on your behalf for this award? Options: Yes — full service, No — you will submit, Assistance only (review/dry run)
    • What reporting frequency and deadlines apply (e.g., quarterly, annual, per award)? Options: Monthly, Quarterly, Annual, Other / milestone-based
    • Are there agency-specific FFR formats or portal integrations required (eRA Commons, NIH ASSIST, FedConnect, other)? Options: eRA Commons, NIH ASSIST, FedConnect, Agency portal (other), No portal integration
    • Do F&A/cost share calculations require special handling or institutional approvals? Options: Yes, No, Not sure — need assessment
    • Who signs or certifies FFR submissions at your institution? Options: PI, Department Chair, Sponsored Programs Office, Authorized Institutional Official (AIO)
    • What acceptance criteria indicate an FFR is complete (e.g., portal submission confirmation, CFO sign-off, variance explanations)?

    Perform award modifications and prior approvals processing

    • Do you want us to manage all award modifications and prior approvals (No Cost Extensions, budget revisions, PI changes)? Options: Yes — end-to-end, No — advisory only, Shared
    • Estimate the expected volume: how many modifications per year should we plan for? Options: 0-2, 3-5, 6-12, 12+
    • Which agency-specific prior approval rules apply and must be tracked? Options: NIH, NSF, DOE, DoD, Other/Multiple
    • Do modifications require internal institutional routing or approvals before submission? Options: Yes — multiple approvers, Yes — single approver, No
    • What SLA is expected for preparing and submitting a modification once approved internally? Options: 3 business days, 7 business days, 14 business days, Custom
    • What acceptance criteria should be used to close a modification task (e.g., agency acknowledgement, updated award document, internal record updated)?

    Provision FISMA-compliant research IT workspace

    • Do you require a FISMA-authorized IT workspace for this project (hosted computing, data storage, collaboration tools)? Options: Yes — required, No — not required, Maybe — need assessment
    • What types of data will be stored or processed (e.g., CUI, PHI, export-controlled data, general research data)? Options: CUI/Controlled, PHI, Export-controlled, Non-sensitive research data
    • Which integration points are needed with institutional identity and access systems (SSO/SAML, AD, Okta, LDAP)? Options: SSO/SAML, Active Directory, Okta, LDAP, No integration
    • What environment scale and timeline are required (number of user accounts, storage TB, provisioning lead time)?
    • Who will be responsible for ongoing system administration and incident response? Options: Seller, Customer IT, Shared — define roles
    • What acceptance criteria demonstrate workspace readiness (e.g., FISMA ATO/POA&M status, user accounts provisioned, baseline controls validated)?

    Implement NIST 800-171 controls for project

    • Should we implement NIST 800-171 controls end-to-end for the project environment? Options: Yes — full implementation, No — advisory only, Partial (controls assessment only)
    • Have any baseline assessments, SSPs, or gap analyses already been completed? Options: Yes — SSP available, Gap analysis only, No prior work
    • Which control families are highest priority (AC, IA, MP, SI, RA, etc.)? Options: Access Control (AC), Identification & Authentication (IA), Media Protection (MP), System & Info Integrity (SI), Risk Assessment (RA), Other
    • Will controls cover on-premises, cloud, or hybrid systems? Options: Cloud, On-premises, Hybrid
    • What timeline and milestones are required for control implementation and validation? Options: 30 days, 60-90 days, 3-6 months, Custom
    • What acceptance criteria are required to close NIST 800-171 implementation (e.g., documented evidence, automated control tests, auditor sign-off)?

    Manage subcontracts and vendor compliance

    • Will we manage subcontract setup, flow-down clauses, and compliance monitoring? Options: Yes — full management, No — advisory only, Shared
    • How many active subawards or vendors will need onboarding and oversight? Options: None, 1-2, 3-10, 10+
    • What vendor risk requirements are mandatory (insurance, financial checks, FISMA/NIST compliance, export controls)? Options: Insurance, Financial vetting, FISMA/NIST, Export control screening, Other
    • Do you require templated subaward agreements and automated flow-down tracking? Options: Yes, No, Partial
    • What SLA should apply for subcontractor onboarding and compliance remediation? Options: 7 business days, 14 business days, 30 business days, Custom
    • What acceptance criteria show subcontractor compliance (signed subaward, completed security attestations, proof of insurance)?

    Draft and submit technical progress reports

    • Do you want us to draft and submit technical progress reports to the sponsor on your behalf? Options: Yes — full drafting & submission, No — customer drafts, Review & finalize only
    • What frequency and format do sponsors require for technical reporting? Options: Quarterly, Semi-annual, Annual, Milestone-based
    • Are there agency-specific templates or portal requirements for technical reports? Options: NIH, NSF, DOE, DoD, Custom/Other
    • Who provides the technical content (PI, delegated staff, or our technical writers)? Options: PI, Department staff, Our writers, Hybrid
    • What turnaround time do you require from draft to submission? Options: 3 business days, 7 business days, 14 business days, Custom
    • What acceptance criteria confirm a technical report is complete (e.g., PI sign-off, sponsor acknowledgement, portal upload confirmation)?

    Coordinate IRB/IACUC filings and compliance actions

    • Should we coordinate IRB/IACUC submissions and follow-up for this project? Options: Yes — full coordination, No — advisory only, Assist with renewals only
    • Is the research human subjects, animal, or both? Options: Human subjects (IRB), Animal (IACUC), Both, Neither
    • Are there existing protocols that need amendment, or will new protocols be created? Options: New protocol, Amendment, Renewal, Not applicable
    • What institutional approvals or local contacts must be looped into filings?
    • What SLA is expected for preparing and submitting IRB/IACUC packages once materials are available? Options: 3 business days, 7 business days, 14 business days, Custom
    • What acceptance criteria indicate compliance (e.g., approval letters, protocol numbers, training certificates on file)?

    Administer export control compliance and licensing

    • Do any project activities involve export-controlled information, technologies, or foreign national participation? Options: Yes — export controls apply, No, Unsure — need assessment
    • Which export control regimes may apply (ITAR, EAR, deemed export, other)? Options: ITAR, EAR, Deemed Export, Other/Unknown
    • Do you need us to manage license applications, technology reviews, and screening of personnel? Options: Yes — full service, No — advisory only, Screening only
    • Are there planned foreign collaborations or transfers of equipment/software? Options: Yes — planned, No, Possible — TBD
    • What timeframe is expected for licensing activities and compliance reviews? Options: 30 days, 60-90 days, 90+ days, Depends on license
    • What acceptance criteria demonstrate export compliance (e.g., license granted, export control matrix, personnel deemed-export cleared)?

    Maintain property and equipment inventory records

    • Will we maintain the property and equipment inventory and handle tagging/record updates? Options: Yes — full inventory management, No — customer manages, Assist with audits only
    • How many unique items or equipment records are expected to be tracked? Options: <50, 50-200, 200-1,000, 1,000+
    • Do equipment records need integration with institutional asset systems or federal property reporting? Options: Yes — institutional asset system, Yes — federal property reporting, Both, No integration required
    • Who is responsible for physical inventory verification and annual reconciliations? Options: Seller, Customer, Shared
    • What acceptance criteria indicate inventory management is complete (e.g., tagged assets, reconciled ledger, disposal records)?
    • Are there special handling or storage requirements (e.g., hazardous materials, temperature control) for tracked equipment? Options: Yes, No, Not sure — need assessment
  5. Mutual Commit

    Finalize contractual modules, access authorizations, integration tasks, pricing, and governance required to start delivery.

    Agreement Modules

    • Statement of Work (SOW)
    • Master Services Agreement (MSA)
    • Pricing & Billing Schedule / Order Form
    • Service Level Agreement (SLA)
    • Data Processing & Security Addendum (DPA/Security Addendum)
    • Access Authorization & Roles Matrix
    • Integration & Onboarding Task Order
    • Subcontractor Approval & Flow-downs
    • Security Authorization Package (FISMA/ATO Prereqs)
    • Acceptance Criteria & Go-Live Conditions
    • Governance, Reporting & Change Control Agreement
    • Institutional Purchase Order / eProcurement Link
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm data access, FISMA authorizations, onboarding plans, subcontractor approvals, and risk mitigations prior to go‑live.

      Readiness Questions

      Starting Line: What's already in motion?

      • Who on your team is currently accountable for preparing systems, data access, and approvals for this award's go‑live? Options: Program Manager, Principal Investigator (PI), Sponsored Research Office/Research Admin, IT Security/InfoSec, External Program Manager/Integrator, Other
      • What is your target go‑live timeframe for initial delivery of services under this award? Options: Within 2 weeks, Within 1 month, 1–3 months, 3–6 months, 6+ months, No firm date set
      • Which institutional systems and endpoints will we need to integrate with to deliver services (select all that apply)? Options: eRA Commons/agency portals, Grants administration system (e.g., Cayuse/InfoEd), Institutional ERP/HR/Payroll, Single Sign‑On/IdP (Okta, SAML, etc.), Research data storage / LIMS, Clinical systems/EHR, Cloud environments (Azure/AWS/GCP), Other
      • Which milestones for pre‑deployment have already been completed (brief list)?
      • How would you characterize the institution's tolerance for temporary exceptions during onboarding (e.g., limited user workarounds, manual approvals)? Options: Very low — exceptions unacceptable, Low — only for critical reasons, Moderate — acceptable with controls, High — willing to accept to meet schedule, Unsure

      If a single control failed tomorrow, what would it cost you?

      • Which types of data generated or handled under this award need special legal or regulatory protection? Options: Controlled Unclassified Information (CUI), Personally Identifiable Information (PII), Protected Health Information (PHI), Export‑controlled data, Proprietary/Confidential research data, Other
      • Where is that protected data currently stored (cloud, institution servers, researcher laptops, external vendors)?
      • How often do research staff or PIs transfer data off institutional systems (personal drives, external clouds, physical media)? Options: Daily, Weekly, Monthly, Rarely, Unknown
      • Tell us about any recent security incidents, audit findings, or sponsor concerns related to research data and what was done in response.
      • What compensating controls or manual processes are you relying on today when technical controls are limited? Options: Formal approvals/DUA, Isolated lab networks, Encrypted devices only, Time‑limited access windows, In‑person data handling, Other

      Who holds the keys — and are we comfortable with that?

      • Do you have confidence that the current access model will prevent unauthorized exposure of CUI or other controlled data? Options: Yes — confident, Mostly — with known gaps, Somewhat — concerns exist, No — not confident, Unsure
      • List the roles that will require system‑level access for this award and the minimum privileges each role needs.
      • Which identity and access controls are in place today (SSO provider, MFA, RBAC, service accounts) and which are missing?
      • Which identity proofing or background checks are required before granting access to research systems or data? Options: Institutional background check, FBI fingerprint or federal background check, Agency suitability check, No formal check required, Unsure/Varies by role
      • On average, how long does provisioning or deprovisioning of a user take today? Options: Same day, 1–3 business days, 1–2 weeks, 2+ weeks, Unknown
      • Who within the institution has final approval authority for vendor or external user access to systems and data?

      What would onboarding look and feel like for your team?

      • If onboarding reduced workload, which team’s pain would you want relieved first (PI, research admin, IT, other)? Options: Principal Investigators (PIs), Research administration staff, IT security/operations, Subaward/subcontract managers, Other
      • Which onboarding tasks must be completed before any user can access controlled research data? Options: Signed Data Use/DUA agreements, FISMA/AO/Fed authorization in place, User accounts provisioned with MFA, Required training completed, Endpoint security checks, Other
      • What documentation or artifacts will you require as evidence that onboarding is complete and auditable? Options: System Security Plan (SSP), POAM status report, Training rosters/completions, Signed DUAs and access approvals, Access logs and provisioning records, Other
      • What is an acceptable timeline from start of onboarding to full operational readiness for your team? Options: < 1 week, 1–2 weeks, 2–4 weeks, 1–3 months, 3+ months
      • Who should be the primary day‑to‑day contact for onboarding questions and first‑line support once we start? Options: Institutional IT, Research Admin/Grants Office, PI or lab manager, Host (our onboarding lead), Shared model, Other

      Third Parties: Partners who accelerate or complicate go‑live

      • Are your current subcontractors and vendors prepared to meet the FISMA/NIST controls required by this award, or will they introduce gaps? Options: Fully prepared, Mostly prepared with known gaps, Not prepared, Unknown
      • Please list third‑party vendors or subcontractors involved, the services they deliver, and any known readiness concerns.
      • Which approvals must be secured from sponsors, institutional reviewers, or contracting officers for subcontractor participation? Options: Contracting officer approval/JOA, Institutional security review, Legal/Compliance review, Export control review, Other
      • Do any subcontractors already hold an ATO, FISMA authorization, or equivalent formal security package that covers this work? Options: Yes — for this engagement, Yes — for related work only, No, Unsure
      • If a subcontractor is delayed, what contingency approaches would you accept to keep progress (select all that apply)? Options: Temporary limited vendor access, Manual/parallel workflows, Use an alternate vendor, Shift scope to later phase, Delay go‑live

      How will we know we're ready — and who signs off?

      • Would your institution approve a go‑live without clear, auditable proof that NIST 800‑171 controls are implemented and tested? Options: Yes — with exceptions, Maybe — conditional, No — must have evidence, Unsure
      • What specific acceptance criteria or evidence do you require for major control domains (e.g., Access Control, Audit & Accountability, Incident Response)?
      • Who must formally sign off on go‑live (choose all roles that apply)? Options: IT Security Officer/CISO, Principal Investigator (PI), Sponsored Research Office/VP, Institutional Legal/Compliance, Agency/Sponsor representative, Other
      • What reporting cadence and delivery format do you expect during deployment validation and acceptance? Options: Daily status email, Weekly executive summary, Real‑time dashboard access, Formal validation packet on completion, Ad hoc as requested
      • Are there agency‑specific validation or inspection steps (e.g., sponsor security office checklist, external assessor) we must incorporate into acceptance testing? Options: Yes — will provide details, No, Unsure
      • Which live tests should we run pre‑go‑live to give you confidence (select all that apply)? Options: User access audit, Tabletop incident response, Penetration test/VA scan, Data flow verification, Backup/restore exercise, Other

      If go‑live goes sideways, who cleans up the mess?

      • Which failures would be intolerable enough to pause or reverse go‑live (select all that apply)? Options: Confirmed security breach, Irrecoverable data loss, Major integration failure preventing essential workflows, Sponsor or agency objection, Regulatory non‑compliance finding, Other
      • Describe your incident response ownership and escalation path for research projects — who gets notified, in what order, and by whom?
      • What SLA windows do you require for incident detection, initial response, and remediation communications? Options: Detection within 1 hour / Response 1–4 hours, Detection within 24 hours / Response within 24 hours, Response within 72 hours, As negotiated per incident type
      • Which mitigation or rollback options are acceptable immediately after a post‑go‑live issue (select all that apply)? Options: Rollback to prior system state, Isolate affected users/systems, Suspend new user provisioning, Activate manual processes temporarily, Engage alternate vendor/responder
      • How would you like communications to PIs, participants, and sponsors handled in the event of a service incident (tone, frequency, and approvers)?
      • After deployment, who will own ongoing monitoring, residual risk acceptance, and periodic reauthorization activities? Options: Institutional IT/Security, Research Admin/PI, Host (our operations team), Shared governance board, Sponsor/agency
    2. Deployment Enablement

      Schedule tasks, integrate with institutional systems, onboard staff, and execute initial compliance controls with clear owners.

    3. Validation Checklist

      Verify NIST 800‑171 controls, reporting workflows, and acceptance criteria are met and documented.

      Validation Questions

      Tell Us About This Award (Quick Start)

      • Which type of award or trigger brought you here? Options: New federal award requiring NSPM‑33/NIST 800‑171, Audit finding or compliance gap, Large multi‑site program, PI overwhelmed by admin burden, Other
      • Which agency and program is this award associated with? Options: NIH, NSF, DOE/ARPA‑E, DoD (e.g., ONR, DARPA), Other federal agency, State or private funder
      • Roughly how many sites, subcontractors, or research groups are covered by this award? Options: Single PI / single site, 2–5 sites, 6–20 sites, 21–50 sites, 50+ sites
      • What is the award’s expected start date or critical deadline we should know about?
      • Who on your side will be the day‑to‑day contact for operations and for technical/security questions?

      Are You Comfortable Leaving Compliance to Habits?

      • What routines or legacy processes are you currently relying on that would surprise a security auditor?
      • Which NIST 800‑171 families do you believe are already met versus those you expect to be gaps? Options: Access Control, Awareness & Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment
      • Have you had a recent audit, assessment, or finding tied to NSPM‑33 or similar research security requirements? Options: Yes – within 6 months, Yes – within 1–2 years, Yes – older than 2 years, No formal audit, but internal concerns, No
      • How does it feel when you think about your team’s current compliance posture—confident, anxious, overwhelmed, defensive, or something else? Options: Confident, Somewhat confident, Anxious, Overwhelmed, Defensive, Other
      • If a single compliance risk could be eliminated in the next 30 days, which one would you choose and why?

      What’s Really Stealing Scientific Time?

      • Can you estimate the percentage of PI and research staff time currently spent on administrative compliance versus research activities? Options: <10%, 10–25%, 26–40%, 41–60%, >60%
      • Which administrative tasks consistently take the most time or cause the most delays? Options: Proposal reporting, Subaward management, Security documentation, IRB/IACUC coordination, Data sharing agreements, Other
      • Tell a recent story where compliance work materially delayed science or strained a collaborator relationship—what happened?
      • When administrative burden peaks, what are the emotional and operational consequences for PIs and research staff? Options: Reduced morale, Missed deadlines, Increased errors, Reduced collaboration, Other
      • Which tasks would you most want to hand off to a trusted partner tomorrow? Options: Grants administration, Subcontractor oversight, FISMA/NIST control implementation, Technical reporting, Data access provisioning, Other

      If Security Didn’t Slow You Down, What Would You Change?

      • Imagine security obligations were handled invisibly—what would your team do differently this quarter?
      • Which program outcomes would improve first if PI administrative load dropped by 30%? Options: More experiments completed, Faster publications, Improved trainee mentoring, Stronger collaborations, Faster regulatory approvals, Other
      • What evidence would convince you that an external managed service did not interfere with scientific independence? Options: Clear ROI metrics, Pilot on a noncritical project, Faculty testimonials, Defined data governance, SLA guaranteeing PI control, Other
      • Which downstream stakeholders (funders, chairs, VPRAs, collaborators) would notice improvements first, and how would they measure it?
      • What concerns would make you hesitate to accept a hands‑off security model—even if it freed up time? Options: Loss of control, Cost, Integration complexity, Data residency, Trust in third party, Other

      Who Holds the Real Switch—Decision Roles & Timelines

      • Who will have final sign‑off authority to engage a managed research services partner for this award? Options: PI, Department Chair, VP Research, Sponsored Projects Office, External Program Officer, Other
      • Which factors will sway the ultimate decision—risk reduction, cost savings, speed to compliance, or something else? Options: Risk reduction, Cost, Time to compliance, Ease of integration, Academic autonomy, Other
      • Who do you expect will push back, and what are their likely objections?
      • What is the ideal decision timeline from initial conversation to contract signature? Options: <2 weeks, 2–4 weeks, 1–2 months, 3+ months, Undetermined
      • What internal approvals or governance gates should we plan to navigate (e.g., IT security, legal, procurement)? Options: IT security review, Legal/contract office, Procurement, Export control office, Department leadership, IRB/IACUC, Other

      Where Your Data Lives and Who Actually Touches It

      • If you had to name the top three systems where controlled/unclassified research data flows today, what would they be?
      • Which of the following currently store or process CUI for this project? Options: Institutional file servers, Cloud storage (institutional), Personal drives/laptops, Collaborator systems, Third‑party vendors, Lab instruments
      • Do you have existing FISMA ATOs, POA&Ms, or Authority to Operate documentation that we should align with? Options: Yes – current ATO/POA&M available, Partially – some artifacts exist, No formal documentation, Unsure
      • Which integration points are must‑haves for go‑live (e.g., institutional SSO, grants system API, HR directory)? Options: SSO/Identity Provider, Grants Management System, Payroll/HR directory, LIMS/Lab systems, Email/Collaboration tools, Other
      • What controls or safeguards are non‑negotiable for your institution (e.g., data residency, encryption at rest, contractor background checks)?

      What Would Make You Say Yes Today?

      • If a single contractual or technical condition were in place, could you onboard a managed service immediately? Options: Yes — with current leadership approval, Yes — pending minor legal review, Maybe — need pilot first, No — too many blockers
      • Which contractual elements do you require before we begin work (pick all that apply)? Options: Defined scope of modules, Clear SLAs and acceptance criteria, Data handling addendum, Subcontractor disclosure, Pricing and billing terms, Termination and liability clauses
      • Would a short pilot focused on one module (e.g., subcontract management or FISMA controls) help move decision‑makers forward? Options: Yes — preferred, Maybe — depends on scope, No — prefer full engagement
      • What minimal performance metrics would satisfy you that a pilot was successful? Options: Reduced PI time by X%, Closure of specific controls, Successful data integration, Onboarded users trained, Positive stakeholder feedback
      • What budget or procurement path will this initiative use (internal discretionary, central funds, new proposal, or other)? Options: Department discretionary, Central research office funds, Included in award budget, External grant/contract, Pending/unknown

      How Will Your Funders and Auditors Judge Success?

      • If a program officer asked for one short report that proves success, what must it contain?
      • Which KPIs would you want us to report regularly to demonstrate program health? Options: Audit findings resolved, Time saved for PIs, Percent of NIST controls implemented, Number of onboarded subcontractors, Incidents detected and remediated, Other
      • How often do your funders expect formal compliance reporting—monthly, quarterly, annually, or ad hoc? Options: Monthly, Quarterly, Biannually, Annually, Ad hoc/on request
      • What level of transparency does leadership expect into day‑to‑day operations versus periodic executive summaries? Options: Daily operational dashboards, Weekly summaries, Monthly executive reports, Quarterly deep dives, Only on request
      • Which stakeholders should receive direct access to dashboards or evidence artifacts (e.g., OPM, PI, VPR, Program Officer)? Options: PI, VPR/Dean, Sponsored Projects Office, Institutional IT, Program Officer, Other

      If Nothing Changes, What’s the Likely Consequence?

      • What realistic adverse outcomes worry you most if the current approach continues (pick the top two)? Options: Award suspension/delay, Unfavorable audit finding, Data breach, Lost collaborators/funding, PI burnout/turnover, Regulatory fines
      • How likely do you think those outcomes are in the next 12–24 months on a scale from unlikely to very likely? Options: Very unlikely, Unlikely, Possible, Likely, Very likely
      • What existing mitigations are in place, and why might they be insufficient?
      • If an audit found non‑compliance tomorrow, what would be the first three actions your team would take?
      • What level of financial or reputational exposure would be acceptable to leadership versus intolerable? Options: Minimal (none), Manageable with reserves, Significant but recoverable, Intolerable

      What Should Our First Move Be Together?

      • If we could remove one immediate obstacle for you this week, what would you have us take off your plate?
      • Which quick wins would you like to see in the first 30–60 days (pick up to three)? Options: Security control baseline, Subaward inventory and outreach, PI admin relief on reporting, Pilot integration with grants system, Onboarding checklist for staff
      • Who do we need to engage from your organization right now to make that quick win happen?
      • How do you prefer we demonstrate progress—weekly check‑ins, shared backlog, dashboard access, or milestone reports? Options: Weekly check‑ins, Shared backlog (ticketed), Live dashboard, Milestone reports, Ad hoc updates
      • On a scale from 1–10, how ready are you to begin a pilot or phased onboarding within the next 60 days? Options: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
  7. Success

    Review outcomes against success signals, capture lessons learned, and maintain a shared backlog for issues and enhancements.

    Success Reviews

    • Success Review & Validation
    • Lessons Learned & Root Cause Review
    • Shared Backlog Prioritization & Roadmap
    • Operational Handoff & Governance Review
    • Quarterly Performance & Risk Check-in (Ongoing)

    Meetings

    • Complete knowledge transfer and documentation handoff with assigned owners.
    • Plan a short training session for impacted staff on any new processes or controls.
    • Backlog Review & Categorization
    • Produce a prioritized backlog with owners, acceptance criteria, and target delivery windows.
    • Ensure top items are traceable to customer value (reduced PI burden, closed compliance gaps, lowered risk).
    • Agree on reporting cadence and escalation routes for backlog items.
    • Publish prioritized backlog with acceptance criteria and add to shared tracking tool with owners.
    • Create a delivery plan for the next sprint/release including compliance verification steps.
    • Set recurring backlog review cadence and owner for maintaining priorities.
    • Governance Roles & RACI
    • Ensure clear operational ownership and documented governance for long-term sustainment.
    • Confirm monitoring and audit plans meet agency and institutional requirements for NSPM-33/NIST 800-171.
    • One-sentence Current State Confirmation
    • Deliver final governance RACI, SOP package, and training completion evidence to the customer.
    • Set up recurring governance meetings and monitoring reports (monthly/quarterly) with owners.
    • Record and circulate incident response contacts and escalation matrix for operations.
    • KPI Dashboard Review
    • Maintain alignment on performance against success signals and adjust priorities as needed.
    • Proactively manage risk and ensure audit readiness between formal reviews.
    • Capture continuous improvement items and feed them into the shared backlog.
    • Update KPI dashboard and distribute to stakeholders before the next quarterly check-in.
    • Refresh the risk register with mitigation status and responsible owners.
    • Add captured enhancement requests to the backlog with initial impact/effort estimates.
    • Obtain explicit customer validation against each success signal.
    • Document any acceptance criteria not met and agree remediation or extension path.
    • Confirm closure decision and owners for any outstanding items with deadlines.
    • Produce a one-page Acceptance Summary mapping each success signal to evidence and formal customer confirmation.
    • Create remediation tickets for any failed signals with owners and SLA dates.
    • Schedule a follow-up validation checkpoint if conditional acceptance is chosen.
    • Quick Data Review (Incidents, Delays, Feedback)
    • Create a prioritized list of durable improvements tied to root causes.
    • Assign owners and timelines for all corrective/preventive actions and documentation updates.
    • Capture lessons in a reusable format for institutional learning across future awards.
    • Publish a Lessons Learned report with RCA findings, prioritized actions, and assigned owners.
    • Update SOPs and onboarding checklists to reflect agreed changes (include NIST/NSPM mapping where relevant).
    • Risk Register & Emerging Threats
    • Access & Authorization Review
    • What Worked / High-Impact Wins
    • Consequence Summary (Cost/Time/Risk)
    • Impact vs Effort Prioritization
    • Monitoring, Reporting & Audit Plan
    • Outcome Evidence vs Success Signals
    • Define Acceptance Criteria & SLAs
    • What Didn’t Work / Pain Points
    • Backlog & Roadmap Status
    • Proof Points: How the Future State Was Delivered
    • Roadmap & Sprint Planning
    • SOPs, Runbooks & Training Handoff
    • Customer Feedback & Continuous Improvement
    • Root Cause Analysis
    • Communication & Escalation Path
    • Validation & Customer Confirmation
    • Preventive & Corrective Actions
    • Service Continuity & Escalation Paths
    • Actions & Next Checkpoint
    • Knowledge Transfer & Documentation Plan
    • Decision & Next Steps
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.