Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education

The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) cybersecurity standard introduced in 2020 to ensure that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Although CMMC is usually discussed in the context of the Defense Industrial Base, it applies to any organization that handles FCI or CUI under a DoD contract, and that includes universities and colleges: many of these institutions perform defense-related research and collaborate with defense contractors, and some depend on DoD contracts to fund their research projects.

The Arrival of CMMC 2.0

In October 2024, the DoD published the final rule for its CMMC program (commonly referred to as CMMC 2.0), which applies its cybersecurity requirements to universities and colleges that hold DoD contracts. The three main points of the rule are:

1) A Three-Tiered Model: Higher ed institutions that are entrusted with FCI or CUI must implement cybersecurity practices at one of three progressively demanding levels, each tied to an existing federal requirement set:

  • Level 1 (Foundational): Protection of FCI, based on the 15 basic safeguarding requirements of FAR 52.204-21
  • Level 2 (Advanced): Protection of CUI, based on the 110 security requirements of NIST SP 800-171
  • Level 3 (Expert): Protection of CUI on the most critical national security programs, adding a selected subset of NIST SP 800-172 requirements on top of Level 2

2) Assessment Requirements: The rule defines an assessment process (self-assessment, third-party assessment, or government assessment, depending on the level) through which the DoD can verify that an institution has actually implemented the required practices before a contract is awarded, rather than relying on the institution's own attestation alone.

3) Phased Implementation: CMMC requirements will be added to DoD solicitations and contracts over a three-year period in four phases, each starting about one year after the previous one. Phase 1 begins in 2025, and Phase 4 (full implementation, with CMMC requirements in all applicable contracts) is expected by 2028.

What CMMC 2.0 Means for Higher Education

Below is a quick summary of the new CMMC requirements for universities:

Applicability: CMMC applies to universities and colleges, including their research labs and facilities, federally funded research and development centers, and university-affiliated research centers. Certification need not cover the entire institution: the assessment scope can be limited to the labs, systems, and personnel that process, store, or transmit FCI or CUI for DoD-sponsored research, which is why many institutions isolate that work in a dedicated research enclave.

Requirements: Depending on the type and sensitivity of the information handled under a contract, the solicitation will specify the CMMC level (and the type of assessment) that a university or college must achieve as a condition of contract award.

Self-Assessment Option: Institutions that handle only FCI and need Level 1 may conduct an annual self-assessment and affirm the result in the DoD's Supplier Performance Risk System (SPRS); no third-party certification is required at this level. For some contracts involving CUI, the DoD also permits Level 2 to be met by a self-assessment (Level 2 (Self)) rather than a third-party assessment.

Third-Party Assessments: Institutions that support the most critical national security programs, and therefore need Level 3, must be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and must first hold a Level 2 certification from a third-party assessor. Many Level 2 contracts involving CUI likewise require an assessment by a CMMC Third-Party Assessment Organization (C3PAO) instead of a self-assessment (Level 2 (C3PAO)).

Subcontractor Flow-Down: If a university's domestic or international subcontractor or supply-chain partner processes, stores, or transmits FCI or CUI on the university's behalf, CMMC requirements flow down to that partner at the level appropriate to the information it handles, and the university is responsible for confirming the partner meets them.

What Happens if Universities Fail to Demonstrate Compliance with CMMC?
