Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education

The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity standard introduced in 2020 to ensure that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). While the scope of the CMMC was initially limited to organizations within the Defense Industrial Base, it was recently expanded to include universities and colleges, since many of these institutions are already engaged in defense-related research and collaborations. Some even rely on Department of Defense (DoD) contracts to secure funding for research projects.

The Arrival of CMMC 2.0

In October 2024, the DoD published a new update to its Cybersecurity Maturity Model Certification (a.k.a. the CMMC 2.0) enforcing new cybersecurity standards on universities and colleges. The three main points of the new CMMC rule include:

1) A Three-Tiered Model: CMMC requires higher ed institutions that are entrusted with CUI and FCI to implement cybersecurity best practices and standards at three progressively advanced levels:

  • Foundational: Focuses on protection of FCI
  • Advanced: Focuses on protection of CUI
  • Expert: Focuses on protection of critical national security programs

2) Assessment Requirements: The framework introduces a new assessment process that allows regulators to verify the institution's implementation of the cybersecurity standards.  

3) Phased Implementation: The new requirements will be implemented in DoD contracts over a three-year period using a four-phased implementation approach. Phase 1 begins in 2025, and phase 4 (full implementation) is expected to be attained by 2028.

What CMMC 2.0 Means for Higher Education

Below is a quick summary of the new CMMC requirements for universities:

Applicability: CMMC applies to universities and colleges, including research labs and facilities, federally funded research and development centers, and university-affiliated research centers. Certification may not apply to the entire institution — only to lab facilities conducting DoD-sponsored research.

Requirements: Depending on the type and sensitivity of the information being managed, universities and colleges handling CUI and FCI must achieve a particular CMMC certification level as a condition of the contract award.  

Self-Assessment Option: Universities that process FCI and are seeking a maturity Level 1 certification will be allowed to conduct a self-assessment. The DoD may also permit universities seeking Level 2 certification to perform a self-assessment.  

Third-party Assessments: Universities that support critical national security programs and are seeking Level 3 certification will have to be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). Certain Level 2 universities that work with CUI data may also be required to undergo an assessment by a CMMC Third-Party Assessment Organization (C3PAO).

Subcontractor Flow Down: If a university's domestic or international supply chain partner processes, stores, or transmits either CUI or FCI, then CMMC requirements will apply to them as well.  

What Happens if Universities Fail to Demonstrate Compliance with CMMC?

The DoD has made it clear that if universities fail to meet CMMC requirements they will face major consequences. For instance, non-compliant universities may be ineligible for future contract awards. The Department of Justice's Civil Cyber-Fraud Initiative is already taking action against universities (e.g., Georgia Tech, Pennsylvania State University) that fail to meet the required cybersecurity standards.

Furthermore, the DoD has the authority to review the compliance practices of universities that are already CMMC certified. If the review uncovers that a university has not followed the stipulated cybersecurity practices, or has falsified its claims, then this could lead to loss of contracts and other penalties.  

How Can Universities Prepare for CMMC Compliance?

Higher ed institutions must begin preparing for CMMC as soon as possible, given its far-reaching implications for funding and security posture. Listed below are best practices:

Get Acquainted: Understand the CMMC 2.0 requirements, as these may vary based on the DoD entity or the type of data you work with. For instance, universities engaged in highly sensitive research may be subject to more stringent requirements, while universities that rely on commercial off-the-shelf (COTS) procurements may be eligible for an exemption.

Determine the Scope: Identify all DoD research activities being performed. Gather information on all active DoD contracts. Identify external vendors that are managing sensitive data or information. Inventory all systems that are collecting, storing, or processing data related to DoD work.

Run A Gap Analysis: Assess your current cybersecurity controls and practices; compare them with the applicable CMMC requirements; identify any gaps that exist in the program; prioritize which areas you want to focus on first; and build a roadmap to achieve the desired compliance outcomes.  

Document Controls and Processes: It's important to document and demonstrate your compliance against CMMC requirements. Ensure that all your controls, processes, and protocols for safeguarding information as well as procedures for responding and recovering from cybersecurity incidents are established and well-documented.

Conduct Self-Assessments Or Undergo A Formal Assessment: Depending on the level of CMMC certification your institution is seeking, you will be required to perform a self-assessment or undergo a formal assessment by a government-authorized C3PAO.

Leveraging Expert Partners Can Facilitate CMMC Compliance

CMMC requirements and processes can seem daunting and burdensome. Consider teaming up with a seasoned agency for interpretation, advice, risk assessments, training and support. Conduct a gap analysis. Create a roadmap to help achieve compliance, and establish controls and procedures as needed. Practice simulated assessments to prepare for a third-party evaluation. Educate your team on CMMC obligations and provide cybersecurity training on best practices and potential threats.
