Cybersecurity Maturity Model Certification (CMMC) impacts on the research enterprise at higher education and research institutions

How does CMMC impact higher education and research institutions?

• This new requirement applies to all higher education and research institutions doing business with the Department of Defense (DoD), via grants, contracts, cooperative agreements, subawards or subcontracts.
• All institutions doing business with DoD will be impacted, whether or not handling controlled unclassified information (CUI).
• All impacted institutions must obtain certifications for their cybersecurity practices, performed by a DoD approved independent auditor.
• Institutions without a certification and/or receiving negative audit results could lose the ability to work with DoD.

What are the requirements for institutions?

• DoD released a custom CMMC framework on Jan. 31, 2020, based on various existing cybersecurity standards and leading practices, including National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.
• The CMMC framework maps cybersecurity practices and processes to defined maturity levels ranging from one (basic) to five (advanced), where each level contains specific practices and processes necessary to mitigate increasing degrees of cyber risk.
• All institutions conducting business with the DoD will need to achieve a minimum level one CMMC maturity; higher maturity levels may be required depending on the nature of the institutions’ work with DoD, including when working with CUI.
• To achieve certification, an institution must pass an independent audit conducted by a DoD approved third-party auditor that determines the level of maturity achieved.
• DoD plans to include CMMC requirements within its solicitations (e.g., requests for information (RFI) and requests for quote/proposal (RFQ/RFP)) starting in 2020.

What can institutions do now to prepare?

• Inventory all existing DoD work being conducted at the institution and determine existing cybersecurity requirements for that work.
• Inventory all systems at the institution that collect, store and process data related to DoD work.
• Conduct a self-assessment of the institution’s ability to meet the CMMC framework control practices for existing DoD work and systems with DoD-related data.
• Create a plan of action to address any identified gaps identified during the self-assessment.
• Consider engaging an independent third-party organization that specializes in higher education research compliance and DoD cybersecurity to further support assessments and help address gaps.
• Proactively monitor the CMMC initiative and future developments throughout 2020 at https://www.acq.osd.mil/cmmc/.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.