The Cybersecurity Maturity Model Certification (CMMC) was developed to enhance the cybersecurity posture of organizations within the defense supply chain, as well as those that collaborate with the defense industry, such as university laboratories and research centers.
The CMMC framework has evolved since its original version in January 2020 and has since been consolidated from five maturity levels into three with the release of CMMC 2.0. It also now closely mirrors existing cybersecurity frameworks (e.g., NIST SP 800-171 Rev 3), which allows organizations to more easily navigate compliance and align their security controls across various cybersecurity requirements.
These controls include measures like network segmentation, data encryption, access controls, regular risk assessments, physical security, and training to ensure colleges and universities are protecting Controlled Unclassified Information (CUI) and preventing unauthorized access.
CMMC 2.0 is almost live, but the DOD’s phased roll-out plan is expected to allow most organizations until October 1, 2025, to ensure they are compliant. CMMC 2.0 also allows for a bit more flexibility: government regulators will still have the ability to approve contracts based on an organization’s System Security Plan or Plan of Action and Milestones if there is a concrete plan in place to address any identified security gaps.
What steps should your institution take now to prepare for CMMC?
- Identify your Required CMMC Level
  CMMC requirements vary based on the DOD entity you are contracting with and the data involved, so you will want to review any related research contracts to determine the required CMMC Level. This will also help you understand compliance requirements and whether you will need to engage a third-party assessor/auditor for certification.

- Conduct a Comprehensive Inventory
  It is important to understand all current, in-scope systems and technologies. This includes not only the main network infrastructure but also any connected devices that may present additional risks. Without a detailed inventory, you will not know what systems (or staff) are involved and what needs protection.

- Classify CUI Data
  Organizations should also review the sensitivity of the information they handle. This involves classifying data based on its required level of confidentiality, integrity, and availability.

- Create dedicated networks/locations for CUI data
  Many higher education institutions have created segmented data enclaves or networks in which CUI data can be stored and accessed. This allows them to apply the more stringent access controls only to the enclaves rather than to the full university network. However, just building the enclave(s) isn’t enough to ensure compliance. You will also need to ensure staff understand the requirements for accessing those systems and what happens to information as it moves in and out of the university.

- Perform a Gap or Readiness Assessment
  Either internally or through a third-party partner, perform a gap assessment to confirm how security controls are implemented and to identify any deficiencies, along with recommendations to improve processes. An assessment will allow your organization to effectively assess risks, prioritize remediation, and allocate the resources needed to achieve CMMC compliance.
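The inventory, classification, enclave and gap-assessment steps above can be tied together in a simple scoping check. The following Python script is an added example, not code from CampusGuard or from the CMMC program: it takes a constructed asset inventory (hostname, network segment, data classes handled, controls in place), marks each asset as in scope if it handles CUI or sits in the enclave segment, flags CUI that lives outside the enclave, and lists missing controls per in-scope asset. The control names, the segment label `cui-enclave` and the sample hosts are all assumptions for illustration, not CMMC practice identifiers.

```python
from dataclasses import dataclass, field

# Assumed, illustrative control names; not the official CMMC/NIST practice identifiers.
REQUIRED_CONTROLS = {"mfa", "disk_encryption", "audit_logging", "patch_management"}
# Assumed label for the segmented CUI enclave network.
ENCLAVE_SEGMENT = "cui-enclave"


@dataclass
class Asset:
    """One inventory record: what the host is, where it sits, what data it handles."""
    name: str
    segment: str
    data_classes: set
    controls: set = field(default_factory=set)


def is_cui_asset(asset: Asset) -> bool:
    """Classification step: does this asset store or process CUI?"""
    return "CUI" in asset.data_classes


def in_scope(asset: Asset) -> bool:
    """Scoping step: CUI handlers and anything inside the enclave are in scope."""
    return is_cui_asset(asset) or asset.segment == ENCLAVE_SEGMENT


def find_gaps(inventory: list) -> list:
    """Gap-assessment step: return (asset name, finding) pairs for in-scope assets."""
    gaps = []
    for asset in inventory:
        if not in_scope(asset):
            continue  # out-of-scope hosts are not assessed against CUI controls
        if is_cui_asset(asset) and asset.segment != ENCLAVE_SEGMENT:
            gaps.append((asset.name, "CUI stored outside the enclave segment"))
        for control in sorted(REQUIRED_CONTROLS - asset.controls):
            gaps.append((asset.name, f"missing control: {control}"))
    return gaps


def readiness_summary(inventory: list) -> dict:
    """Counts a readiness report would lead with: scope size and how much remediation remains."""
    scoped = [a for a in inventory if in_scope(a)]
    gaps = find_gaps(inventory)
    return {
        "total_assets": len(inventory),
        "in_scope": len(scoped),
        "findings": len(gaps),
        "assets_with_findings": len({name for name, _ in gaps}),
    }


# Constructed sample inventory; hostnames and segments are made up for this example.
SAMPLE_INVENTORY = [
    Asset("research-fs01", "cui-enclave", {"CUI"},
          {"mfa", "disk_encryption", "audit_logging", "patch_management"}),
    Asset("lab-workstation-07", "campus-general", {"CUI"},
          {"mfa", "patch_management"}),
    Asset("enclave-jump01", "cui-enclave", set(),
          {"mfa", "disk_encryption", "audit_logging"}),
    Asset("library-web01", "campus-general", {"public"},
          {"patch_management"}),
]

if __name__ == "__main__":
    for name, finding in find_gaps(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
    print(readiness_summary(SAMPLE_INVENTORY))
```

In the sample data the lab workstation is the interesting case: it holds CUI but sits on the general campus network, so it is both a segmentation finding and short two controls, while the enclave jump host is in scope purely by location. A real inventory would be fed from the institution's asset management and network data rather than hard-coded, but the scoping and gap logic stays the same.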
Implementing the necessary security controls and obtaining the resources for compliance can be difficult; however, the potential consequences of a cybersecurity breach and/or the inability to secure research grants and funding are far worse. Conducting an assessment sooner rather than later allows time to address any findings and budget for necessary remediation.
As a Registered Provider Organization (RPO) trained in the CMMC methodology, CampusGuard offers consultative services to our customers for CMMC readiness and assessment preparation. Contact us to get started.