Navigating CMMC 2.0: New Cybersecurity Standards Impact Higher Education

• 02/13/25

The DoD has made it clear that if universities fail to meet CMMC requirements they will face major consequences. For instance, non-compliant universities may be ineligible for future contract awards. The Department of Justice's Civil Cyber-Fraud initiative is already taking action against universities (e.g.,  Georgia Tech, Pennsylvania State University) that fail to meet the required cybersecurity standards.  

Furthermore, the DoD has the authority to review the compliance practices of universities that are already CMMC certified. If the review uncovers that a university has not followed the stipulated cybersecurity practices, or has falsified its claims, then this could lead to loss of contracts and other penalties.  

How Can Universities Prepare for CMMC Compliance?

Higher ed institutions must begin preparing for CMMC as soon as possible, given its far reaching implications for funding and security posture. Listed below are best practices:

Get Acquainted: Understand the CMMC 2.0 requirements, as these may vary based on the DoD entity or the type of data you work with. For instance, universities engaged in highly sensitive research may be subject to more stringent requirements, while universities that rely on commercial off-the-shelf (COTS) procurements may be eligible for an exemption.

Determine the Scope: Identify all DoD research activities being performed. Gather information on all active DoD contracts. Identify external vendors that are managing sensitive data or information. Inventory all systems that are collecting, storing, or processing data related to DoD work.

Run A Gap Analysis: Assess your current cybersecurity controls and practices; compare them with the applicable CMMC requirements; identify any gaps that exist in the program; prioritize which areas you want to focus on first; and build a roadmap to achieve the desired compliance outcomes.  

Document Controls and Processes: It's important to document and demonstrate your compliance against CMMC requirements. Ensure that all your controls, processes, and protocols for safeguarding information as well as procedures for responding and recovering from cybersecurity incidents are established and well-documented.

Conduct Self-Assessments Or Undergo A Formal Assessment: Depending on the level of CMMC certification your institution is seeking, you will be required to undergo a self-assessment or undertake a formal risk assessment using a government authorized C3PAO.  

Leveraging Expert Partners Can Facilitate CMMC Compliance

CMMC requirements and its processes can seem daunting and burdensome. Consider teaming up with a seasoned agency for interpretation, advice, risk assessments, training and support. Conduct a gap analysis. Create a roadmap to help achieve compliance, and establish controls and procedures as needed. Practice simulated assessments to prepare for a third-party evaluation. Educate your team on CMMC obligations and provide cybersecurity training on best practices and potential threats.