Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity standard introduced in 2020 to ensure that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). While the scope of the CMMC was initially limited to organizations within the Defense Industrial Base, it was recently expanded to include universities and colleges, since many of these institutions are already engaged in defense-related research and collaborations. Some even rely on Department of Defense (DoD) contracts to secure funding for research projects.

The Arrival of CMMC 2.0

In October 2024, the DoD published a new update to its Cybersecurity Maturity Model Certification (a.k.a. the CMMC 2.0) enforcing new cybersecurity standards on universities and colleges. The three main points of the new CMMC rule include:

1) A Three-Tiered Model: CMMC requires higher ed institutions that are entrusted with CUI and FCI to implement cybersecurity best practices and standards at three progressively advanced levels:

  • Foundational: Focuses on protection of FCI
  • Advanced: Focuses on protection of CUI
  • Expert: Focuses on protection of critical national security programs

2) Assessment Requirements: The framework introduces a new assessment process that allows regulators to verify the institution's implementation of the cybersecurity standards.  

3) Phased Implementation: The new requirements will be implemented in DoD contracts over a three-year period using a four-phased implementation approach. Phase 1 begins in 2025, and phase 4 (full implementation) is expected to be attained by 2028.

What CMMC 2.0 Means for Higher Education

Below is a quick summary of the new CMMC requirements for universities:

Applicability: CMMC applies to universities and colleges, including research labs and facilities, federally funded research and development centers, and university-affiliated research centers. Certification may not apply to the entire institution — only to lab facilities conducting DoD-sponsored research.

Requirements: Depending on the type and sensitivity of the information being managed, universities and colleges handling CUI and FCI must achieve a particular CMMC certification level as a condition of the contract award.  

Self-Assessment Option: Universities that process FCI and are seeking a maturity Level 1 certification will be allowed to conduct a self-assessment. The DoD may also permit universities seeking Level 2 certification to perform a self-assessment.  

Third-party Assessments: Universities that support critical national security programs and are seeking Level 3 certification will have to be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Certain Level 2 universities that work on CUI data may also be required to have an assessment performed by a CMMC Third-party Assessment Organization (C3PAO).

Subcontractor Flow Down: If a university's domestic or international supply chain partner processes, stores, or transmits either CUI or FCI, then CMMC requirements will apply to them as well.  

What Happens if Universities Fail to Demonstrate Compliance with CMMC?

The DoD has made it clear that if universities fail to meet CMMC requirements, they will face major consequences. For instance, non-compliant universities may be ineligible for future contract awards. The Department of Justice's Civil Cyber-Fraud Initiative is already taking action against universities (e.g., Georgia Tech, Pennsylvania State University) that fail to meet the required cybersecurity standards.

Furthermore, the DoD has the authority to review the compliance practices of universities that are already CMMC certified. If the review uncovers that a university has not followed the stipulated cybersecurity practices, or has falsified its claims, then this could lead to loss of contracts and other penalties.  

How Can Universities Prepare for CMMC Compliance?

Higher ed institutions must begin preparing for CMMC as soon as possible, given its far-reaching implications for funding and security posture. Listed below are best practices:

Get Acquainted: Understand the CMMC 2.0 requirements, as these may vary based on the DoD entity or the type of data you work with. For instance, universities engaged in highly sensitive research may be subject to more stringent requirements, while universities that rely on commercial off-the-shelf (COTS) procurements may be eligible for an exemption.

Determine the Scope: Identify all DoD research activities being performed. Gather information on all active DoD contracts. Identify external vendors that are managing sensitive data or information. Inventory all systems that are collecting, storing, or processing data related to DoD work.

Run A Gap Analysis: Assess your current cybersecurity controls and practices; compare them with the applicable CMMC requirements; identify any gaps that exist in the program; prioritize which areas you want to focus on first; and build a roadmap to achieve the desired compliance outcomes.  

Document Controls and Processes: It's important to document and demonstrate your compliance against CMMC requirements. Ensure that all your controls, processes, and protocols for safeguarding information as well as procedures for responding and recovering from cybersecurity incidents are established and well-documented.

Conduct Self-Assessments Or Undergo A Formal Assessment: Depending on the level of CMMC certification your institution is seeking, you will be required to undergo a self-assessment or undertake a formal assessment using a government-authorized C3PAO.

Leveraging Expert Partners Can Facilitate CMMC Compliance

CMMC requirements and processes can seem daunting and burdensome. Consider teaming up with a seasoned agency for interpretation, advice, risk assessments, training, and support. Conduct a gap analysis. Create a roadmap to help achieve compliance, and establish controls and procedures as needed. Practice simulated assessments to prepare for a third-party evaluation. Educate your team on CMMC obligations and provide cybersecurity training on best practices and potential threats.
