Implementation Timeline

This is a drafted timeline that is subject to change. Campus CIO's will work with their communities to develop a timeline for each campus.

December 31, 2022 (Complete)

All new university-owned endpoints are enrolled in management where made available by NU ITS.

January 3, 2023 (Complete)

Auto (UNL) email account provisioning for existing employees.
Auto (UNL) email account provisioning for new employees.
Email forwarding no longer permitted.
Begin inventory of systems/services.
Security Awareness Training requirements for new employees implemented (All new employees have 30 days from hire/start date to complete).

March 1, 2023 (Complete)

Essential Security services will be applied to all managed endpoints (Cortex XDR, Vulnerability and Patch Management).
Continue enrolling university-owned endpoints in management where made available by NU-ITS. For additional detail, see Endpoints.

May 22, 2023 (Complete)

All university-owned endpoints are enrolled in management where made available by NU ITS. High Risk endpoint security posture required to access High Risk Information Systems.

July 5, 2023 (Complete)

Remote VPN access to Medium Risk Information Systems will require Medium Risk endpoint security posture.
Inbound access to general endpoint roles in Edge Network Levels 1, 2, & 3 will be limited to secure remote access protocols and ITS Remote Support service.

August 1, 2023 (Complete)

University faculty and staff must use university email accounts for university business.
Unified Edge Network access to Medium Risk Information Systems will require Medium Risk endpoint security posture for university owned and BYOD endpoints. Disk Encryption will not be required for Medium Risk university owned and BYOD endpoints until March 1, 2024.
Security awareness training requirements for current employees.
Supported OS required on university owned endpoints to authenticate on the Unified Edge Network (Level 2 and above).
Removal of shared accounts for accessing university Information Systems. Shared accounts for university email will be removed by March 1, 2024.
Low Risk endpoint security posture and individual user accounts will be required to authenticate university owned endpoints to Low-Risk Network (Level 2).

March 15, 2024 (Complete)

All Medium Risk university-owned endpoints will operate with the Enterprise Endpoint Management and Minimum Security Controls. Medium Risk endpoint security posture required to access Medium Risk Information Systems on University Networks.
Disk Encryption required for Medium Risk university owned and BYOD endpoints.
Removal of shared accounts for accessing university email.

July 8, 2024 (Complete)

All Low Risk university-owned endpoints will operate with Enterprise Endpoint Management and Minimum Security Controls to access to Low Risk University Networks.

October 1, 2024 (In Progress)

January 1, 2025

Inventory and risk classification of systems and services operating in legacy data center networks. Continue migrating systems and services to a data center segment aligned with the risk classification of the system or service.

July 1, 2025

Duplicate systems and services are deprovisioned.
University information systems shall be used for university business and university data and records shall not be stored outside of university information systems.
Access to legacy data center networks from the Unified Edge Network and the VPN will require an endpoint security posture aligned with the data center network's risk classification
University systems and networks shall implement Privileged Access Management (PAM) for privileged accounts.