CMMC & Higher Education

Higher education research centers with government research contracts are affected by the newly released Cybersecurity Maturity Model Certification (CMMC) requirements, but exactly how yet remains to be seen. 

The CMMC requirements were initially released in January 2020, with a follow up interim rule regarding assessments coming out in November 2020. This DoD interim rule outlined assessment methodology, required a basic self-assessment, and caused many educational and research organizations to raise their eyebrows. 

An Open Community

Though the CMMC cybersecurity standards are designed for the government contractor community, this includes all information sharing and safeguarding, so partnering and subcontracting research institutions are included. In addition, many higher education institutions may need to be CMMC-compliant if they receive grant funds or partner with the defense industrial base (DIB) in any way. The defined methodology, and the CMMC requirements in general, pose serious problems for the research and education communities – communities based on open access to shared research and the exchange of ideas. 

Yet not all research and operations fall strictly under the five CMMC levels, and exactly what research content would fall under which level is unclear. As a result, higher education institutions aren’t sure where they stand as subcontractors in the DIB.

Unclear Expectations

EDUCAUSE and a number of other university research groups sent a letter to the DoD expressing concerns about the CMMC requirements and specifically noting how the lack of clarity regarding university research was problematic:

“Without specific guidance from the DOD to the contrary, prime contractors are very likely to simply extend the security requirements for the overall project to our subcontracts, regardless of whether they apply.”

To solve the problem, EDUCAUSE requested that fundamental research be excluded from the certification program entirely, allowing critical research partnerships with the DIB to continue unhindered. 

Next Steps

As of today, the DoD hasn’t distinguished any separate requirements or standards for the education or research communities, so all organizations have to assume they must follow the same standards, preparing as best they can. With no direct reimbursement from the DoD and an aggressive five-year rollout timeline, research universities and community colleges must do their best to follow CMMC security standards by:

  • Identifying DoD projects and what specific areas are covered by CMMC
  • Determining the level of CMMC compliance required for specific information
  • Conducting a cybersecurity self-assessment
  • Creating a plan to address weaknesses and resolving CMMC red flags
  • Staying updated on CMMC changes and rules

Until the DoD clarifies how the CMMC requirements will be enforced in education and research, however, this might be easier said than done. Explore how cybersecurity affects higher educational institutions here or download the CMMC preparedness checklist below!

Download 6 Steps to CMMC Readiness!

* indicates required