Higher education research centers with government research contracts are affected by the new Cybersecurity Maturity Model Certification (CMMC) requirements. All organizations, including higher education centers, engaging with the DoD will need to be CMMC 2.0 compliant by Oct. 1, 2025.
CMMC security controls and provisions will be instituted at higher education institutions that already receive funding from the U.S. Department of Health and Human Services (HHS) and the National Science Foundation (NSF). This includes any system relying on federal funds, including student financial aid records – meaning nearly every college and university in the U.S. will be impacted. CMMC will require schools to prove full compliance before they can apply for grants or research contracts. For many schools, this will have a financial impact.
The CMMC requirements were initially released in January 2020, with a follow-up interim rule regarding assessments coming out in November 2020. This DoD interim rule outlined assessment methodology, required a basic self-assessment, and caused many educational and research organizations to raise their eyebrows.
An Open Community
Though the CMMC cybersecurity standards are designed for the government contractor community, this includes all information sharing and safeguarding, so partnering and subcontracting research institutions are included. In addition, many higher education institutions may need to be CMMC-compliant if they receive grant funds or partner with the defense industrial base (DIB) in any way. The defined methodology, and the CMMC requirements in general, pose serious problems for the research and education communities – communities based on open access to shared research and the exchange of ideas.
Yet not all research and operations fall strictly under the five CMMC levels, and exactly what research content would fall under which level is unclear. As a result, higher education institutions aren’t sure where they stand as subcontractors in the DIB.
Unclear Expectations
EDUCAUSE and a number of other university research groups sent a letter to the DoD expressing concerns about the CMMC requirements and specifically noting how the lack of clarity regarding university research was problematic:
“Without specific guidance from the DOD to the contrary, prime contractors are very likely to simply extend the security requirements for the overall project to our subcontracts, regardless of whether they apply.”
To solve the problem, EDUCAUSE requested that fundamental research be excluded from the certification program entirely, allowing critical research partnerships with the DIB to continue unhindered.
Next Steps
As of today, the DoD hasn’t distinguished any separate requirements or standards for the education or research communities, so all organizations have to assume they must follow the same standards, preparing as best they can. With no direct reimbursement from the DoD and an aggressive five-year rollout timeline, research universities and community colleges must do their best to follow CMMC security standards by:
- Identifying DoD projects and what specific areas are covered by CMMC
- Determining the level of CMMC compliance required for specific information
- Conducting a cybersecurity self-assessment
- Creating a plan to address weaknesses and resolving CMMC red flags
- Staying updated on CMMC changes and rules
Until the DoD clarifies how the CMMC requirements will be enforced in education and research, however, this might be easier said than done.
This post was updated 11/9/22.