University CMMC requirements

CMMC for Higher Education: Guidelines and How to Prepare

New CMMC guidelines are already affecting some contractors and subcontractors who do business with the U.S. Department of Defense (DoD). However, many other organizations will be subject to the requirements in the near future. While there has been much discussion about the 300,000 DoD contractors and subcontractors within the U.S. Defense Industrial Base (DIB) obtaining CMMC, most people haven’t considered the impact on colleges and universities. CMMC is also for higher education. 

Since CMMC is a way to safeguard information, it affects more than contractors and subcontractors in the U.S. defense industrial base. It also impacts university-based research labs and facilities, University Affiliated Research Centers (UARCs), and Federally Funded R&D Centers (FFRDCs). CMMC requirements state that all contractors will need at least Level 1 certification for the handling of federal contract information (FCI) and at least Level 3 certification when responsible for controlled unclassified information (CUI). 

While higher education institutions aren’t exempt from the rule, there are some instances in which the entire organization won’t be subject to CMMC. For higher education institutes with individual DoD-sponsored research labs, it’s likely possible to create a system security plan (SSP) that covers the systems, people, and locations that handle FCI or CUI. This approach can also lead to the necessity for multiple SSPs that must meet certain CMMC standards within the same organization. 

Colleges and universities subject to CMMC compliance face the question of how and when to accomplish this seemingly monumental task. The phased rollout plan states all organizations engaging with the DoD must be CMMC compliant by October 1, 2025, but some contracts already require the certification. This presents a unique challenge for higher education institutions that depend on DoD contracts and funding for essential research programs. Delaying certification could mean these contracts go to other schools, and there’s no guarantee an institution would have the opportunity to reconvene work with the DoD in the future. 

Understanding exactly how your organization is impacted by CMMC and the scope of your certification requirements is the best way to get started on the journey to compliance. With the right assistance, higher education institutions can not only avoid the penalties of non-compliance, but some organizations can also gain advantages by achieving compliance early. 

How CMMC Affects Colleges and Universities 

The impact of CMMC on higher education organizations is unique because it doesn’t necessarily apply to every college or university, and applicable institutions may only have requirements within designated sections. Adding to the confusion, networks within learning environments present individual challenges that many other industries don’t face. CMMC compliance for colleges and universities will depend on unique factors of the research programs within the organization.

A Variety of Reasons Colleges and Universities Need CMMC

CMMC levels are designed to provide adequate security that meets the standards of the U.S. government. The biggest factor in whether colleges or universities need certification depends on the types of information they handle during research. These are the main reasons higher education institutions need to comply with CMMC standards. 

  • DoD funded research 
  • DoD contracts requiring research 
  • Subcontractors from DoD prime contractors 

FCI or CUI 

CMMC requirements are designed to protect certain types of government information included in the contracts, details, or research used by DoD contractors. The CMMC framework consists of five levels of cybersecurity best practices for organizations to achieve. The type of information handled by your organization will dictate the level of compliance you need to achieve. 

  • Federal Contract Information (FCI): Defined as information provided by or generated for the U.S. government not intended for public release, FCI is the type of information commonly associated with many types of higher ed research. Institutions handling FCI will likely only be required to achieve Level 1 CMMC compliance. 
  • Controlled Unclassified Information (CUI): Information that requires protection consistent with laws, regulations, and government-wide policies is called CUI. Institutions handling CUI must achieve Level 3 CMMC compliance. 

Since departments within higher education institutions are responsible for varied types of research and learning, it’s possible for varied CMMC requirements to exist in one facility. 

Prime Contractors and Subs 

Many of the interactions between the DoD and higher education institutions aren’t exactly direct and can be confusing. While some colleges and universities work with direct contracts from the DoD, many research projects are further down the supply chain. Prime contractors are those that bid for DoD requests for proposals (RFPs) and manage any subcontractors under the plan. Often, the research programs within higher education organizations are subcontractors instead of primes. 

In the past, self-assessed security practices were taken care of by prime contractors. CMMC requirements are making big changes. Prime contractors are still responsible for achieving the correct level of compliance. However, now, they’re also responsible for ensuring that all subcontractors can prove CMMC compliance for the level required by the project. The addition of subcontractor compliance greatly increases the number of higher education institutions that must seek certification.

Do I Need CMMC? 

For many higher education institutions, the implementation of CMMC standards for at least part of the organization is likely. The new CMMC mandate includes university-based research labs and facilities, as well as FFRDCs (Federally Funded Research and Development Centers) and UARCs (University Affiliated Research Centers). However, only the part of the organization conducting DoD-sponsored research (as primes or subcontractors) must obtain certification. 

One way to determine your need for certification at a certain level is to examine all DoD-sponsored research being done and contract renewal dates. Studying the details of all active DoD contracts the university has, including all research subject to FARS and DFARS Clause 252.204-7012, can help determine the level of CMMC required for the organization. 

First Steps Toward CMMC Compliance for Higher Education Institutions 

For many organizations worried about meeting CMMC standards, a big question is “How long do I have before I have to be compliant?” A better question is “How soon can we get started?” When it comes to CMMC, waiting until the last minute to approach the demands of certification isn’t advisable. Passing the assessment takes more than simply having a plan in place. It depends on how your organization is actively using cybersecurity best practices and procedures. 

Waiting for an applicable RFP to get started means you’ll be too late to be involved in the project of interest. Besides assessing your organization’s security deficiencies, certification requires an audit by a third-party assessor (C3PAO). This means you’ll need time to adequately prepare for the audit and schedule an appointment with a potentially delayed timeline. Getting prepared now means you’ll be available when opportunities for your institution arise. Here’s how you can get started. 

Learn the Scope of Your Institution’s CMMC Requirements

If your institution handles DoD-sponsored research, you’ll need to identify the type of information the facility is responsible for, the localized environment, and the current security practices used to protect this information. For organizations only responsible for FCI, Level 1 certification (containing 17 NIST standards) is required. Organizations responsible for CUI must achieve certification at Level 3 or higher. 

Since many higher education institutions won’t be required to adhere to CMMC compliance for the entire organization, it’s important to define the locations and systems that are used for CUI. Define a specific CUI environment to cover where CUI is stored, processed, and transmitted. Once you have a clear definition of the information used by your facility and the environment, it’s time to investigate the cybersecurity practices you have in place and how they compare to NIST standards outlined in the CMMC framework.

Perform a Gap Assessment 

Many higher education organizations don’t have the funds or employee base for a robust in-house IT team. This means it’s unlikely for most institutions to have the necessary tools and controls in place to handle CMMC prep and compliance without assistance from a third-party provider. MSSPs are experienced in many of the techniques required by various industries for different types of government compliance and have templates and tools for gap assessment. 

Your gap assessment will examine the details of your current cybersecurity standards and compare them to the standards needed to reach your target level of CMMC compliance. The “gap” between the standards will define how much work needs to be done to prepare you for your CMMC audit. 

Create and Implement a Remediation Plan 

The details of your gap assessment will define the parameters of your remediation plan to prepare for the CMMC audit. Your plan should outline the resources and actions you’ll need to reach compliance as well as a timeline with a defined completion date. Since your remediation plan will be unique to the needs of your organization, it could only entail small changes or a completely new cybersecurity plan. It’s vital to not only have a plan in place but to also implement practices and document how the new system works, and whether it needs improvements. 

How To Tackle the Cost of CMMC Compliance

For many colleges and universities, the cost of compliance is a major factor. Every step of the process costs money, and most educational institutions have allotted every cent that comes into the organization for necessary tools or practices. During the keynote session of the CMMC virtual summit, Arrington noted that DoD will cover institutions’ costs of CMMC certification, including the time and effort to prepare for CMMC audits and the cost of the audits themselves. However, organizations will be required to assess the costs and build them into their rates. 

The DoD states the cost of certification will be considered an allowable, reimbursable cost. This means that organizations will be required to keep an inventory of the costs of CMMC prep and audit costs for reimbursement when an RFP is acquired. For reimbursement of preparation costs, you’ll need to keep track of the costs of every step from obtaining a third-party assessment, to system upgrades and any other resources outlined in your remediation plan. Any RFP with CMMC requirements will include instructions for building these compliance costs into the rate of the bid. 

Initial costs of compliance and the overhead of ongoing subscription services are a given for organizations required to maintain this level of security. However, there are still many questions surrounding the financial responsibilities of CMMC. Unfortunately, subcontractors will likely face even more costs than prime contractors to beef up security since many primes are already operating more robust security systems.

CMMC Requirements 

With so many complications surrounding the technical details of achieving CMMC compliance, it can be difficult to even find time to learn the facts about certification requirements, how to obtain certification, and how the five levels of CMMC affect your organization. Here are the facts every organization needs to know about CMMC. 

What is the CMMC Framework? 

The CMMC framework describes the security regulations required for any contractor, subcontractor, or organization that does business with the DoD. The CMMC regulations consist of five maturity levels that require contractors to start from Level 1 and advance through each level to achieve compliance at higher levels. The regulations will be phased in over a five-year roll-out that will be completed by 2026. When the roll-out is complete, all DoD contractors and subcontractors will be required to prove CMMC compliance to bid on DoD contracts. 

5 Levels of CMMC 

The CMMC framework consists of five levels with advancing security levels depending on the requirements of the RFP in question. It’s expected that most higher education institutions will mainly fall under the categories of Level 1 or Level 3. The responsibilities of the five CMMC levels can be summarized as follows. 

  • Level 1: Basic Cyber Hygiene- Referred to as “performed,” Level 1 requires the first 17 NIST SP 800-171 standards performed without the requirements of documentation. 
  • Level 2: Intermediate Cyber Hygiene- Called “documented” because Level 2 compliance requires organizations to establish and document processes to guide CMMC implementation, this level is also the bridge that introduces CUI for Level 3 and adds 55 NIST SP 800-171 requirements. 
  • Level 3: Good Cyber Hygiene- Described as “managed,” Level 3 requires organizations to establish, maintain and resource a plan demonstrating the management of activities for practice implementation. Level 3 requires the completion of all 110 NIST SP 800-171 requirements and an additional 20 practices to mitigate threats. Organizations responsible for CUI must obtain Level 3 compliance. 
  • Level 4: Proactive- Called “reviewed” because Level 4 organizations must review and measure practices for effectiveness, Level 4 includes corrective action and the ability to report recurring issues to higher management. 
  • Level 5: Progressive- The highest level of CMMC, called “optimizing,” requires an organization to standardize and optimize process implementation across the organization. 

3rd Party Organizations 

A big change from earlier cybersecurity requirements of DoD contracts is the removal of self-certification. In the past, organizations had the option to investigate their security practices in-house and address security gaps in a Plan of Action and Milestones (POA&M). These options are no longer available, which means institutions must address weaknesses and solve potential security issues to achieve compliance and receive certification. 

Instead, organizations must obtain certification from a third-party organization that has received accreditation from the CMMC Accreditation Body. Third-party organizations (C3PAOs) are listed on the CMMC Marketplace.

Is Exemption a Possibility for Colleges and Universities?

Since the role of research requires a variety of unique communication factors, there has been some concern surrounding the effects of CMMC requirements on colleges and universities. For this reason, several organizations have assembled to support an exemption from CMMC requirements for higher education institutions. At the moment, this seems unlikely since the question was directly addressed by Katie Arrington, CISO at the DoD, during the virtual CMMC summit in September 2020. However, some organizations are still pursuing the question. 

Reasons for Exemption from CMMC for Higher Education

In a letter submitted to Ellen M. Lord, the Under Secretary of Defense for Acquisition and Sustainment, DoD, a group of higher education organizations expressed concerns about the potential negative impact of CMMC requirements on fundamental research. The group requested that the DoD exclude fundamental research from the CMMC program for these reasons. 

  • Many institutions would be unlikely to be able to absorb the costs related to CMMC compliance and the necessary preparations 
  • Confusion between the required compliance levels between prime contractors and their subs that would exempt colleges and universities from being eligible for contracts with DoD primes 
  • Limited exchange of information essential to fundamental research 
  • A significant amount of the university-based research relevant to defense contracts doesn’t involve the CUI for the contract 

Why CMMC is Likely to become Commonplace in Higher Education

While a definitive response to the exemption letter hasn’t been received, it is likely that CMMC is here to stay for higher education organizations. In the immediate future, CMMC is only being applied to DoD contracts. However, the implementation is being closely observed by other federal organizations. These organizations include NSF and NIH, both of which supply more research grants to colleges and universities than the DoD. Additionally, the Department of Education is considering the benefits of using the CMMC framework for protecting student records and medical records subject to HIPAA. 

Although none of these agencies have taken steps to officially announce the requirements, higher education institutions already following these standards would be a step ahead when changes occur.

Getting Ahead by Preparing for the Demands of CMMC Compliance 

The processes and costs associated with CMMC compliance can seem prohibitive, but the consequences of non-compliance for higher education institutions can be worse than those for contractors in commercial industries. Without DoD funding, many colleges and universities would lose access to important research programs and opportunities. Additionally, if other government organizations implement CMMC standards in the future, institutions that have failed to achieve compliance will be a step behind. 

Delaying the certification process can seem tempting, but it can result in added problems. The steps required to perform a gap assessment, complete a remediation plan, and accurately perform the standards associated with CMMC compliance can take several months. As the 300,000 DoD contractors and subcontractors seek their target level of CMMC, there are expected delays with the scheduling process for C3PAO audits. Passing your first audit early means you’ll have the certification your organization needs for the next three years. 

Still, rushing ahead to obtain compliance would likely be a mistake. Forgoing the early steps and walking straight into a CMMC audit could delay the process even further. An organization that fails to meet the targeted compliance level audit will be required to address gaps and schedule a follow-up assessment to obtain certification. 

How BitLyft Cybersecurity Can Help Higher Education Institutions Achieve CMMC Compliance 

Colleges and universities face unique challenges when it comes to achieving CMMC compliance. Higher education institutions are designed to provide students with easy access to the network and the integration of a variety of devices. Additionally, the nature of research requirements means organizations must communicate with other institutions and potentially pass along information involved in a project that includes DoD-sponsored research. Seeking third-party assistance can help your organization solve these issues and develop a plan for CMMC compliance. 

BitLyft Cybersecurity is a full-service cybersecurity company with vast experience in the challenges that higher education institutions face. Our expert team is familiar with NIST standards and the abundance of compliance requirements already in place for colleges and universities. BitLyft has the tools and skilled employees to help your organization with an investigation of your current security standards, a gap assessment, remediation plan, and the creation and implementation of a security plan to access your target level of CMMC. 

To learn more about CMMC and how much it affects your organization, get in touch with our security experts today. Starting the journey early can put your institution one step ahead when it comes time to renew your existing DoD contracts or seek new opportunities for your research program. 

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.