Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) program introduced in 2020 to ensure that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Although CMMC is usually discussed in terms of the traditional Defense Industrial Base, it applies to any organization that handles FCI or CUI under a DoD contract, and that reaches universities and colleges: many already perform defense-related research and collaborations, and some depend on DoD contracts to fund their research programs.

The Arrival of CMMC 2.0

In October 2024, the DoD published the final CMMC Program rule (32 CFR Part 170), which implements the streamlined CMMC 2.0 model first announced in November 2021 and makes its requirements binding on universities and colleges that hold DoD contracts involving FCI or CUI. The rule took effect on December 16, 2024. Its three main points are:

1) A Three-Tiered Model: CMMC requires higher ed institutions that are entrusted with FCI or CUI to implement, and demonstrate, security requirements at one of three progressively demanding levels:

  • Level 1 (Foundational): protection of FCI; the 15 basic safeguarding requirements of FAR 52.204-21
  • Level 2 (Advanced): protection of CUI; the 110 security requirements of NIST SP 800-171 Rev 2
  • Level 3 (Expert): protection of CUI on critical national security programs; the Level 2 requirements plus 24 selected requirements from NIST SP 800-172

2) Assessment Requirements: The rule defines an assessment process by which an institution's implementation of the required controls is verified. Depending on the level, that is a self-assessment, a certification assessment by an authorized CMMC Third-Party Assessment Organization (C3PAO), or a government-led assessment. Results are recorded in the Supplier Performance Risk System (SPRS), and a senior official must affirm continuing compliance annually.

3) Phased Implementation: The requirements are being phased into DoD contracts over a three-year period in four phases. Phase 1 starts when the companion DFARS acquisition rule takes effect (November 10, 2025), and Phase 4 (full implementation, with CMMC requirements in all applicable contracts) is expected in 2028.

What CMMC 2.0 Means for Higher Education

Below is a quick summary of the new CMMC requirements for universities:

Applicability: CMMC applies to universities and colleges, including research labs and facilities, federally funded research and development centers, and university-affiliated research centers. The assessment scope is defined by the systems that process, store, or transmit FCI or CUI and the assets that support them, so certification need not cover the entire institution, only the enclave (for example, a lab or research computing environment) that conducts DoD-sponsored work.

Requirements: Depending on the type and sensitivity of the information handled under a contract, universities and colleges that process FCI or CUI must hold the CMMC level specified in the solicitation as a condition of contract award, and must maintain that status for the life of the contract.

Self-Assessment Option: Universities that handle only FCI (Level 1) conduct an annual self-assessment against the 15 requirements and report the result in SPRS; no assessment body is involved. For some Level 2 contracts the DoD permits a Level 2 self-assessment, which is repeated every three years with an annual affirmation in between.

Third-party Assessments: Most Level 2 contracts involving CUI require a certification assessment by a C3PAO, renewed every three years. Universities that support critical national security programs and need Level 3 must first hold a Level 2 C3PAO certification and are then assessed by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Subcontractor Flow Down: CMMC requirements flow down to domestic and international supply chain partners at the level appropriate to the information they receive. A subcontractor that processes, stores, or transmits only FCI needs Level 1 even when the prime contract requires Level 2 or 3; a subcontractor that handles CUI needs at least Level 2.

What Happens if Universities Fail to Demonstrate Compliance with CMMC?

The DoD has made it clear that universities that fail to meet CMMC requirements will face major consequences. For instance, a university without the required CMMC status is ineligible for award of any contract that carries that requirement. Separately, the Department of Justice's Civil Cyber-Fraud Initiative has already pursued False Claims Act cases against universities (e.g., Georgia Tech, Pennsylvania State University) over cybersecurity obligations they had certified to but not met.

Furthermore, the DoD retains the authority to investigate the compliance practices of universities that already hold a CMMC status. If such a review finds that a university has not followed the stipulated cybersecurity practices, or has misrepresented its compliance, the status can be revoked, which can lead to loss of contracts and other penalties.

How Can Universities Prepare for CMMC Compliance?

Higher ed institutions must begin preparing for CMMC as soon as possible, given its far-reaching implications for funding and security posture. Listed below are best practices:

Get Acquainted: Understand the CMMC 2.0 requirements, as the required level varies with the contracting DoD entity and the type of data you work with. For instance, universities engaged in highly sensitive research may be held to Level 3, while contracts solely for commercial off-the-shelf (COTS) items are exempt from CMMC altogether.

Determine the Scope: Identify all DoD research activities being performed. Gather information on all active DoD contracts and the data each one involves. Identify external vendors and cloud services that manage sensitive data on your behalf. Inventory every system that collects, stores, or processes FCI or CUI, and define the assessment boundary around them, since that boundary determines what will be assessed.

Run A Gap Analysis: Assess your current cybersecurity controls and practices; compare them with the applicable CMMC requirements (NIST SP 800-171 for Level 2); identify the gaps in the program; prioritize which areas to address first; and build a roadmap to reach the required level.

Document Controls and Processes: You must be able to demonstrate compliance, not just achieve it. Maintain a System Security Plan (SSP) describing how each requirement is implemented and a Plan of Action and Milestones (POA&M) for open items, and ensure that the controls, processes, and protocols for safeguarding information, as well as the procedures for responding to and recovering from cybersecurity incidents, are established and well documented.

Conduct Self-Assessments Or Undergo A Formal Assessment: Depending on the CMMC level your institution is seeking, you will either perform a self-assessment and report it in SPRS, or undergo a certification assessment by a C3PAO authorized by the Cyber AB (the CMMC Accreditation Body), or by DIBCAC for Level 3.
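The gap analysis and self-assessment steps above are where a small scoring script earns its keep. The following Python is an added example written for this page, not code from the article, from Towerwall, or from the DoD. It scores a NIST SP 800-171 inventory the way a CMMC Level 2 assessment is scored (110 points minus a 5-, 3- or 1-point deduction per unmet requirement, with the partial-credit cases for 3.5.3 and 3.13.11), orders open gaps by the points at stake, and checks the conditions under which 32 CFR 170.21 allows a POA&M for Conditional Level 2 status. The inventory is a constructed sample subset; the weights in it should be confirmed against Annex A of the DoD Assessment Methodology before use, and a real run lists all 110 requirements.

```python
"""Added example: score a NIST SP 800-171 gap analysis the way a CMMC
Level 2 assessment is scored, rank open gaps, and check POA&M eligibility."""
from dataclasses import dataclass, replace

# CMMC Level 2 is the 110 requirements of NIST SP 800-171 Rev 2; a perfect
# assessment scores 110. Each unmet requirement deducts 5, 3 or 1 points
# (DoD NIST SP 800-171 Assessment Methodology / 32 CFR 170.24), so the
# lowest possible score is -203.
MAX_SCORE = 110
POAM_MIN_SCORE = int(0.8 * MAX_SCORE)  # 88: floor for Conditional Level 2 status

# Two requirements carry partial credit: deduct 3 instead of 5 when MFA
# covers privileged and remote users but not general users (3.5.3), and
# when CUI is encrypted but not with FIPS-validated cryptography (3.13.11).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}


@dataclass(frozen=True)
class Requirement:
    rid: str               # NIST SP 800-171 identifier, e.g. "3.5.3"
    title: str
    weight: int            # 5, 3 or 1, taken from Annex A of the methodology
    met: bool
    partial: bool = False  # partial implementation; only meaningful for 3.5.3 / 3.13.11


def deduction(req: Requirement) -> int:
    """Points lost for one requirement."""
    if req.met:
        return 0
    if req.partial and req.rid in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req.rid]
    return req.weight


def score(inventory: list[Requirement]) -> int:
    """Assessment score: 110 minus deductions. Requirements absent from the
    inventory count as met, so a real run must list all 110."""
    return MAX_SCORE - sum(deduction(r) for r in inventory)


def prioritize(inventory: list[Requirement]) -> list[tuple[str, int]]:
    """Open gaps ordered by points at stake, highest first."""
    gaps = [(r.rid, deduction(r)) for r in inventory if not r.met]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


def poam_eligible(inventory: list[Requirement]) -> tuple[bool, list[str]]:
    """32 CFR 170.21: Conditional Level 2 status with a POA&M requires a
    score of at least 88 and no open item worth more than 1 point, except
    3.13.11 at its partial (3-point) value. Returns (eligible, blockers).
    The POA&M must then be closed out within 180 days."""
    blockers = []
    for r in inventory:
        d = deduction(r)
        if d > 1 and not (r.rid == "3.13.11" and d == 3):
            blockers.append(r.rid)
    if score(inventory) < POAM_MIN_SCORE:
        blockers.append("score below 88")
    return (not blockers, blockers)


def remediate(inventory, rids):
    """Copy of the inventory with the given requirement IDs marked as met."""
    return [replace(r, met=True, partial=False) if r.rid in rids else r for r in inventory]


# Constructed sample inventory: a subset of the 110, with the weights as
# listed in Annex A of the DoD Assessment Methodology (confirm them against
# the current edition before relying on them for your own inventory).
SAMPLE_INVENTORY = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, met=True),
    Requirement("3.1.2", "Limit access to permitted transactions and functions", 5, met=True),
    Requirement("3.1.5", "Employ the principle of least privilege", 3, met=False),
    Requirement("3.1.22", "Control CUI on publicly accessible systems", 1, met=False),
    Requirement("3.3.1", "Create and retain system audit logs", 5, met=True),
    Requirement("3.5.3", "Multifactor authentication", 5, met=False, partial=True),
    Requirement("3.13.11", "FIPS-validated cryptography for CUI", 5, met=False, partial=True),
    Requirement("3.14.2", "Malicious code protection", 5, met=False),
]

if __name__ == "__main__":
    print("score:", score(SAMPLE_INVENTORY))                 # 95
    print("remediation order:", prioritize(SAMPLE_INVENTORY))
    print("POA&M eligible:", poam_eligible(SAMPLE_INVENTORY))  # (False, ['3.1.5', '3.5.3', '3.14.2'])
    fixed = remediate(SAMPLE_INVENTORY, {"3.14.2", "3.1.5", "3.5.3"})
    print("after remediation:", score(fixed), poam_eligible(fixed))  # 106 (True, [])
```

The sample scores 95, which clears the 88-point floor, yet is not POA&M-eligible because three open items are worth more than one point; only the FIPS gap (3.13.11 at its partial value) and the 1-point item may sit on a POA&M. Closing the three blockers lifts the score to 106 and makes the institution eligible for Conditional Level 2 status while the remaining two items are worked off. Ordering remediation by deduction rather than by convenience is the point of the exercise.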

Leveraging Expert Partners Can Facilitate CMMC Compliance

CMMC's requirements and processes can seem daunting and burdensome. Consider teaming up with a seasoned firm for interpretation, advice, assessments, training and support. Conduct a gap analysis. Create a roadmap for achieving compliance, and establish controls and procedures as needed. Run simulated assessments to prepare for a third-party evaluation. Educate your team on its CMMC obligations and provide cybersecurity training on best practices and the threats the institution faces.

About the Author

Michelle Drolet is CEO of Towerwall, a pure-play cybersecurity consulting firm offering security and compliance services with clients such as Foundation Medicine, Boston College, and UMass Medical Center. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing organizations with customized cybersecurity programs. She can be reached at [email protected].
