CMMC for Higher Education


March 10, 2025


For colleges and universities involved in R&D, the switch from DFARS to CMMC is big news. But just what is it, what is the impact on DoD contracts, and how does it fit in with information security?

The Cybersecurity Maturity Model Certification (CMMC) is enforced by the U.S. Department of Defense (DoD) and builds upon the existing Defense Federal Acquisition Regulation Supplement (DFARS) regulation. The CMMC combines various cybersecurity standards and best practices in an effort to ensure all defense contractors are successfully protecting sensitive information and are capable of adapting to new and evolving cyber threats.

What information is protected?

CMMC measures an organization’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

For reference, FCI is “Information not intended for public release. It is provided by or generated by the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.” CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It is not corporate intellectual property unless created for or included in requirements related to a government contract. Some examples include critical infrastructure, tax, or health/privacy information.

What are the requirements?

CMMC uses NIST SP 800-171 Rev 2 for securing FCI and CUI. FCI is considered Level 1, which requires 15 controls from SP 800-171 to be fully met. Additionally, all 15 controls for Level 1 must be met before proceeding to Level 2. For CUI, which is considered Level 2, all 110 controls from SP 800-171 must be met. A Plan of Action and Milestones (POA&M) can be used for controls that are not fully met at Level 2, but those controls must be remediated within six months.

In addition to meeting the SP 800-171 controls for Level 2, there is a significant amount of documentation that must be generated to explain how the institution meets the 110 controls. The most important document is the System Security Plan (SSP). This document is not required to be in any specific format, but it is recommended to follow the examples given for consistency and thoroughness. A typical SSP will be over 100 pages with details that succinctly explain how the institution meets the control objectives.

Additional documentation such as diagrams, inventories, a responsibility matrix, and more is also needed. These documents should collectively define and explain the CMMC scope. The challenges for colleges and universities are developing a comprehensive SSP and confidently defining CMMC scope.

The DoD will specify the required CMMC level in their Requests for Information (RFIs) and Requests for Proposals (RFPs). Only those organizations that have been CMMC certified at the required level or above will be eligible to bid on those contracts.

For the most up-to-date information about this new requirement, visit the U.S. Department of Defense website.

When does CMMC go into effect?

CMMC version 2.0 is being implemented in four phases. The Final Rule was published on Dec 16, 2024, which was the first step for the CMMC program. Phase 1 started on March 10, 2025. Phases 2, 3, and 4 will occur at 12-month increments afterward.

How does the CMMC apply to higher education?

CMMC applies to higher education and research institutions doing business with the DoD via grants, contracts, cooperative agreements, sub-awards, or sub-contracts. This includes university-based research labs and facilities, FFDRCs (Federally Funded Research and Development Centers), and UARCs (University Affiliated Research Centers).

The entire institution does not need to be certified; CMMC applies only to those areas of the institution conducting DoD-sponsored research, whether as primes or subcontractors.

What next steps should your organization be taking?

Start by forming a working group or committee to assess how the CMMC requirements impact your organization and identify those individuals or groups responsible for achieving and maintaining compliance.

Next, determine the scope of CMMC for your institution by identifying all DoD research and activities currently being performed. Gather information on all active DoD contracts, including all research subject to FAR and DFARS Clause 252.204-7012. As part of this effort, you should also inventory all systems that are being used to collect, store, and process data related to the DoD work.

Familiarize yourself with the CMMC framework and begin comparing the current state of your cybersecurity program with the requirements of the CMMC level against which you will need to certify. You may want to consider engaging a third-party consultant to help perform the gap assessment and prepare for your future CMMC audit. A key outcome of this assessment is the creation of an action or remediation plan to address any identified gaps.

CampusGuard is here for you as well! Contact us to get started today!

What are the consequences of non-compliance?

Failure to meet the CMMC requirements may prevent an organization from bidding on defense contracts and could put DoD grant funding at risk for research institutions.

CampusGuard is in a unique position to assist higher education organizations in performing a CMMC preparation assessment. CampusGuard has an extensive history in performing security assessments for higher education organizations, including CMMC Documentation Gap Analysis.

About the Author
Katie Johnson

PCIP

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.