CMMC for Higher Education
For colleges and universities involved in R&D, the switch from DFARS to CMMC is big news. But just what is it, what is the impact on DoD contracts, and how does it fit in with information security?
The Cybersecurity Maturity Model Certification (CMMC) is enforced by the US Department of Defense (DoD) and builds upon the existing Defense Federal Acquisition Regulation Supplement (DFARS) regulation. The CMMC combines various cybersecurity standards and best practices in an effort to ensure all defense contractors are successfully protecting sensitive information and are capable of adapting to new and evolving cyber threats.
What information is protected?
CMMC measures an organization’s ability to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
For reference, FCI is “Information not intended for public release. It is provided by or generated by for the Government under a contract to develop or deliver a product or service to the Government. FCI does not include information provided by the Government to the public.” (1)
CUI is government created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government wide policies. It is not corporate intellectual property unless created for or included in requirements related to a government contract. Some examples include critical infrastructure, tax, or health/privacy information.
What are the requirements?
CMMC combines various cybersecurity standards, most specifically building on the NIST SP 800-171. However, the CMMC model takes this further and categorizes cybersecurity best practices into 17 domains, such as “Access Control” and “Systems and Communications Protection.” Forty-three distinct capabilities, such as “control remote system access” and “control communications at system boundaries,” are distributed across those domains.
CMMC has five certification levels that reflect the maturity and reliability of an organizations’ cyber infrastructure, ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” Contractors are evaluated based on the implementation of technical controls, documentation, and policies and can receive a certification level of 1 to 5, 5 being the most secure. The need to demonstrate all, or a selection of, the 43 capabilities will be based on this assigned level.
The DoD will specify the required CMMC level in their Requests for Information (RFIs) and Requests for Proposals (RFPs). Only those organizations who have been certified at the required level or above will be eligible to bid on those contracts.
How is CMMC different than previous DFARS requirements?
Previously, contractors were responsible for implementing, monitoring, and certifying the security of their systems and any sensitive DoD information stored on or transmitted by those systems. One of the most significant changes with the CMMC is the shift from the ability for organizations to self-assess; the requirement now stipulates the need for an external third-party assessment validating their cybersecurity status.
In the past, non-compliance with DoD security regulations was also acceptable as long as organizations prepared a POAMS (Plan of Action and Milestones) outlining their plans to address the deficiencies. Any form of non-compliance will not be allowed under CMMC.
When does CMMC go into effect?
The DoD released CMMC Module version 1.0 to the public on January 31, 2020 with a comments period. Version 1.02 was released on March 18, 2020 and can be found here: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
The CMMC implementation, along with so many other projects, was delayed slightly as a result of the coronavirus pandemic. However, on September 29, 2020, the DoD issued an Interim Rule, “Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041),” that states all federal contractors must self-certify their compliance with the NIST SP 800-171 requirements, as well as three new regulations that become effective November 30, 2020. One of the clauses in the interim rule formally begins the DoD’s adoption of the CMMC and requires contractors to have and maintain a current assessment score. This Interim Rule allows federal contractors to phase in the requirements for CMMC between November 30, 2020 and October 1, 2025. All contractors will be required to achieve CMMC by October 1, 2025.
Projections indicate that some of the larger DoD contracts will begin including the CMMC requirements in late 2020 or early 2021.
How does an organization become certified?
CMMC requires contractors to undergo a third-party assessment/audit to validate compliance with the outlined practices, procedures, and capabilities.
The CMMC Accreditation Body (CMMC-AB) will be certifying companies as CMMC Third-Party Assessor Organizations (C3PAOs). Organizations are able to visit the CMMC-AB’s Marketplace to locate and contract with a C3PAO to schedule an official assessment.
The CMMC-AB will also be certifying Registered Provider Organizations (RPOs) that employ staff trained in CMMC methodology and are focused on helping organizations prepare for future CMMC assessments.
In September 2020, the CMMC Accreditation Body shared that they had provided the initial training of provisional assessors, but at this point there are no certified C3PAO or RPO organizations.
How does the CMMC apply to higher education?
CMMC applies to higher education and research institutions doing business with the DoD via grants, contracts, cooperative agreements, sub-awards, or sub-contracts. This includes university-based research labs and facilities - as well as FFDRCs (Federally Funded Research and Development Centers) and UARCs (University Affiliated Research Centers).
The entire institution does not need to be certified, it will only apply to those areas of the institution conducting DoD-sponsored research—either as primes or subcontractors.
Will fundamental research be exempt from CMMC?
On September 24, 2020, EDUCAUSE shared that, in partnership with the Council on Governmental Relations, the Association of American Universities, and the Association of Public and Land-grant Universities, they had submitted comments to the Undersecretary of Defense, raising concerns about the possible negative impacts of including fundamental research conducted at higher education institutions as part of DOD contracts under CMMC Level 1. These concerns are due to the fact that the findings and results from these research activities are openly shared across the research community, which would not be possible if the universities had to apply the significant security standards and controls put in place by CMMC. The group has asked that the DoD avoid applying CMMC requirements to fundamental research programs and projects that are typically shared openly across the research community and the results will be publicly available. At the time of this article (November 2020), they had not received a formal response.
In a recent session during the CMMC Virtual Summit, it was indicated, that the CMMC-AB would potentially be forming an academic advisory council to represent higher education’s interests, gather input from the community, and inform the CMMC-AB’s work.
What next steps should your organization be taking?
Start by forming a working group or committee to assess how the CMMC requirements impact your organization and identify those individuals or groups responsible for achieving and maintaining compliance.
Next, determine the scope of CMMC for your institution by identifying all DoD research and activities currently being performed. Gather information on all active DoD contracts, including all research subject to FARS and DFARS Clause 252.204-7012. As part of this effort, you should also inventory all systems that are being used to collect, store, and process data related to the DoD work.
Familiarize yourself with the CMMC framework and begin comparing the current state of your cybersecurity program with the requirements of the CMMC level against which you will need to certify. You may want to consider engaging a third-party consultant to help perform the gap assessment and prepare for your future CMMC audit. A key outcome of this assessment is the creation of an action or remediation plan to address any identified gaps.
What are the consequences of non-compliance?
Failure to meet the CMMC requirements will disqualify an organization from bidding on defense contracts and could put DoD grant funding at risk for research institutions.
Some additional guidance from the CampusGuard Security Advisor team:
[Coudeyras]: It is important to note that CMMC levels are cumulative and build upon one another. For instance, a CMMC level 3 organization must have every practice under levels 1-3 documented; a policy must exist for all activities; and a resource plan must exist for all activities. Indeed, one of the major additions CMMC requires past NIST SP-171 is an emphasis on documentation. As you begin evaluating CMMC practices in your organization, remember to “say as you do, and do as you say.” In other words, you must document what occurs in business practices and also ensure business practices reflect documentation.
CampusGuard is in a unique position to assist higher education organizations perform a CMMC preparation assessment. CampusGuard has extensive history in performing security assessments for higher education organizations, including CMMC Documentation Gap Analysis.
1 Federal Acquisition Regulation 52.204-21 “Basic Safeguarding of Covered Contractor Information”