Case Study · Higher Education · Tier-1 Research University

One research building. One semester start. 1,247 devices reconciled.

A tier-1 US research university ran SpacesIQ across one research building during fall semester start, ahead of an upcoming CMMC Level 2 review for its federally funded research arm. By week's end the platform had returned 1,247 devices fingerprinted, 142 missing from the asset register, and 11 federally funded lab instruments traced back to the wrong department. The CMMC inventory-baseline finding closed in the next assessment cycle. Engagement anonymized at the customer's request.

  • 1,247 devices fingerprinted in a single research building's first sweep.
  • 142 devices missing from the asset register, including 11 federally funded lab instruments.
  • CMMC L2 inventory-baseline finding closed for the federally funded research arm.

The setup

The customer is a tier-1 US research university with a federally funded research portfolio spanning DoD, NSF, and DoE awards. The compliance picture: HIPAA at the medical school, PCI 4.0 at the bursar and athletics, GLBA for financial aid, NIST 800-171 / CMMC Level 2 for the defense-adjacent research arm, FERPA-adjacent controls across the rest. Distributed IT, with every school running its own infrastructure team.

The CMMC review was the immediate driver. The federally funded research arm operates inside a defense-adjacent program, and the inventory-baseline control (AC.L2-3.4.1) had been a recurring finding for two consecutive cycles. The university's central audit team had been hand-reconciling lab equipment lists with departmental procurement records every three months. The 40-hour-per-cycle exercise produced a document the federal assessor was politely declining to take at face value.

The ask: produce per-device evidence the federal assessor would take at face value, without rebuilding the inventory by hand for every CMMC review cycle.

Why CybrIQ

The university's CISO and the CMMC compliance lead had reached the same conclusion. Lab equipment cycles in and out of CUI (Controlled Unclassified Information) handling on different schedules; agent-based tooling could not see specialized research instruments. NAC saw the corporate VLAN; the federally funded labs ran on segmented infrastructure with mixed-vendor switching that NAC was not configured to scan.

The decision criteria were narrow:

  • No agent on research instruments. Lab equipment is procured under specialized terms; agent installation often violates manufacturer support agreements.
  • CMMC-defensible per-device evidence. The federal assessor needed dated, scoped, per-port records mapped to AC.L2-3.4.1 and AC.L2-3.4.2.
  • Distributed-IT-friendly deployment. Each department's IT runs its own switches; the platform had to read across mixed-vendor fabric without standardized configuration.
  • Multi-framework reuse. The same evidence had to feed HIPAA at the med school and GLBA at the bursar, not be CMMC-only.

The engagement

The engagement scoped one research building to start, the home of three federally funded labs and one shared instrument core. SpacesIQ deployed on Monday of fall semester start. The university's CISO, the CMMC compliance lead, and one ITSM lead from the central IT team joined the daily review. Two PIs (principal investigators) joined the Day-3 lab-equipment walkthrough.

[Figure: CybrIQ per-port view of a research-building switch across mixed-vendor lab and classroom infrastructure. Twenty-six ports are listed with detected device counts, fingerprints, and per-port risk scores. Several ports show multiple detected devices, indicating gear plugged in behind the port that the asset register did not account for.]

What the wire showed

  • 1,247 devices identified across the building's mixed fabric. The departmental asset registers covered roughly 80% of the population. The remaining ~250 were on the wire, fingerprinted by the end of the week.
  • 142 devices missing from the asset register entirely. Most were lab instruments procured directly by PIs through grant funds and never entered into central IT systems. Several were teaching-assistant-owned equipment in shared classrooms.
  • 11 federally funded lab instruments traced to the wrong department. The procurement records placed them in the chemistry department's CUI-handling lab; the wire showed them connected in the materials-science lab fabric. Funding-tracking required reconciling the difference.
  • 4 IoT sensors on the federally funded research VLAN. Vendor-managed environmental monitors that someone had connected to a CUI-adjacent network. CybrIQ flagged the misplacement on Day-2 review; the security team moved them to the correct VLAN before the assessor's site visit.
  • 2 unmanaged switches behind a graduate-student office drop. Discovered during the per-port walkthrough. Each one extended the lab fabric in ways central IT had not authorized.

The outcome

The CMMC inventory-baseline finding (AC.L2-3.4.1) closed in the next assessment cycle. The federal assessor took CybrIQ's continuous per-device evidence as the source-of-truth artifact and stopped requesting the central audit team's hand-reconciled spreadsheet. Over the following semester the university expanded SpacesIQ across two more research buildings and the medical school's clinical-trial environments; ComplianceIQ now wires the evidence into both CMMC and HIPAA fieldwork.

The audit category that produced the most findings on every prior cycle, "asset inventory completeness," has not produced a finding since.

"The federal assessor used to ask for our reconciliation method. Now they ask for the CybrIQ export."

CMMC Compliance Lead, tier-1 US research university. Quote anonymized at the customer's request.

Why this engagement is the reference

This engagement is the higher-ed reference we cite for distributed-IT environments specifically. Universities run more network surface than most enterprises, with less central control over what gets connected; the 1,247 / 142 numbers are typical for a single research building in our experience.

The pattern (distributed IT producing wider register gaps than central-IT environments) generalizes across higher ed.
