Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education -- Campus Technology

Cybersecurity

Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education

By Michelle Drolet
02/13/25

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity standard introduced in 2020 to ensure that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). While the scope of the CMMC was initially limited to organizations within the Defense Industrial Base, it was recently expanded to include universities and colleges since many of these institutions are already engaged in defense-related research and collaborations. Some even rely on the Department of Defense (DoD) contracts to secure funding for research projects.

The Arrival of CMMC 2.0

In October 2024, the DoD published a new update to its Cybersecurity Maturity Model Certification (a.k.a. the CMMC 2.0) enforcing new cybersecurity standards on universities and colleges. The three main points of the new CMMC rule include:

1) A Three-Tiered Model: CMMC requires higher ed institutions that are entrusted with CUI and FCI to implement cybersecurity best practices and standards at three progressively advanced levels:

Foundational: Focuses on protection of FCI
Advanced: Focuses on protection of CUI
Expert: Focuses on protection of critical national security programs

2) Assessment Requirements: The framework introduces a new assessment process that allows regulators to verify the institution's implementation of the cybersecurity standards.

3) Phased Implementation: The new requirements will be implemented in DoD contracts over a three-year period using a four-phased implementation approach. Phase 1 begins in 2025, and phase 4 (full implementation) is expected to be attained by 2028.

What CMMC 2.0 Means for Higher Education

Below is a quick summary of the new CMMC requirements for universities:

Applicability: CMMC applies to universities and colleges, including research labs and facilities, federally funded research and development centers, and university-affiliated research centers. Certification may not apply to the entire institution — only to lab facilities conducting DoD-sponsored research.

Requirements: Depending on the type and sensitivity of the information being managed, universities and colleges handling CUI and FCI must achieve a particular CMMC certification level as a condition of the contract award.

Self-Assessment Option: Universities that process FCI and are seeking a maturity Level 1 certification will be allowed to conduct a self-assessment. The DoD may also permit universities seeking Level 2 certification to perform a self-assessment.

Third-party Assessments: Universities that support critical national security programs and seeking Level 3 certification will have to get themselves assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Certain Level 2 universities that work on CUI data may also be required to get an assessment done by CMMC Third-party Assessment Organizations (C3PAO).

Subcontractor Flow Down: If a university's domestic or international supply chain partner processes, stores, or transmits either CUI or FCI, then CMMC requirements will apply to them as well.

What Happens if Universities Fail to Demonstrate Compliance with CMMC?

The DoD has made it clear that if universities fail to meet CMMC requirements they will face major consequences. For instance, non-compliant universities may be ineligible for future contract awards. The Department of Justice's Civil Cyber-Fraud initiative is already taking action against universities (e.g., Georgia Tech, Pennsylvania State University) that fail to meet the required cybersecurity standards.

Furthermore, the DoD has the authority to review the compliance practices of universities that are already CMMC certified. If the review uncovers that a university has not followed the stipulated cybersecurity practices, or has falsified its claims, then this could lead to loss of contracts and other penalties.

How Can Universities Prepare for CMMC Compliance?

Higher ed institutions must begin preparing for CMMC as soon as possible, given its far reaching implications for funding and security posture. Listed below are best practices:

Get Acquainted: Understand the CMMC 2.0 requirements, as these may vary based on the DoD entity or the type of data you work with. For instance, universities engaged in highly sensitive research may be subject to more stringent requirements, while universities that rely on commercial off-the-shelf (COTS) procurements may be eligible for an exemption.

Determine the Scope: Identify all DoD research activities being performed. Gather information on all active DoD contracts. Identify external vendors that are managing sensitive data or information. Inventory all systems that are collecting, storing, or processing data related to DoD work.

Run A Gap Analysis: Assess your current cybersecurity controls and practices; compare them with the applicable CMMC requirements; identify any gaps that exist in the program; prioritize which areas you want to focus on first; and build a roadmap to achieve the desired compliance outcomes.

Document Controls and Processes: It's important to document and demonstrate your compliance against CMMC requirements. Ensure that all your controls, processes, and protocols for safeguarding information as well as procedures for responding and recovering from cybersecurity incidents are established and well-documented.

Conduct Self-Assessments Or Undergo A Formal Assessment: Depending on the level of CMMC certification your institution is seeking, you will be required to undergo a self-assessment or undertake a formal risk assessment using a government authorized C3PAO.

Leveraging Expert Partners Can Facilitate CMMC Compliance

CMMC requirements and its processes can seem daunting and burdensome. Consider teaming up with a seasoned agency for interpretation, advice, risk assessments, training and support. Conduct a gap analysis. Create a roadmap to help achieve compliance, and establish controls and procedures as needed. Practice simulated assessments to prepare for a third-party evaluation. Educate your team on CMMC obligations and provide cybersecurity training on best practices and potential threats.

E-Mail this page

Printable Format

Featured

Internet2 Kicks Off 2025 with a Major Cloud Scorecard Update

The latest release on Internet2's Cloud Scorecard Finder website previews new features that include dynamic selection criteria and options to explore multiple solutions side-by-side. More updates are planned in the new year.
5 Trends to Watch in Higher Education for 2025

In 2025, the trends shaping higher education reflect a continuous transformation of the higher education landscape to meet the changing needs of students and staff, while maintaining sustainable and cost-effective institutional practices.
Google Announces Upgrade to Flagship Gemini AI Platform, Enhancing Multimodal Capabilities

Google has launched Gemini 2.0, designed to empower enterprise users and developers with advanced multimodal capabilities and enhanced performance.
OpenAI to Unify AI Models with GPT-5 Launch

OpenAI has scrapped plans to release its o3 model, opting instead for a "simplified" product lineup centered on its upcoming GPT-5 product.