Understanding Cybersecurity Maturity Model Certification (CMMC)
[ZOOM EVENT] Wednesday, June 23, 2021 @ 11AM-12PM ET


Colleges and universities required to meet security rules

By Ken Michael

When it comes to government cybersecurity regulations, many people think of aerospace manufacturers, weapons production, or even power companies, yet often overlook the impact of security rules on institutions of higher learning. Like other government contractors, colleges and universities must also meet certain cybersecurity regulations including the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 and Cybersecurity Maturity Model Certification (CMMC) when working with the United States government.

Higher education institutions must comply with government cybersecurity regulations due to their handling of controlled unclassified information (CUI) they receive from the federal government related to research work, which is often conducted in conjunction with colleges and universities. Additionally, federal student aid programs also connect institutions of higher learning with the federal government, further requiring a higher level of security due to the exchange of personally identifiable information (PII).

CMMC and Institutions of Higher Learning

The CMMC is a new requirement that has been in development for the last couple of years and is finally coming to fruition in 2021. This new requirement applies to all institutions of higher learning, as well as research institutions, that conduct business with the United States Department of Defense (DoD). This business may revolve around the award of federal grants, contracts, and cooperative agreements. It even impacts those with subawards or subcontracts as part of the flow down requirements of CMMC.

Though any given research or educational institution working with the DoD may not be handling CUI, they will still be impacted. What this means is that all institutions of higher learning and those conducting research are now required to institute cybersecurity best practices and certification by a CMMC Third-Party Assessor Organization (C3PAO). A CMMC Registered Provider Organization (RPO), such as Dox Electronics, can provide advice, consulting, and recommendations to help research institutions and institutions of higher learning prepare for certification by a C3PAO. Research organizations and colleges and universities could face losing future DoD contracts, subcontracts, grants, and awards that require certification at a CMMC level that they have not yet achieved.

Why the Need for Regulations?

It’s a well-known fact that cyberattacks are on the rise globally and institutions of higher learning are not free from them. In fact, attacks on institutions of higher learning are also on the rise, especially where ransomware is concerned. Within two weeks in the month of June 2020, the University of California, San Francisco, Michigan State University, and Columbia College Chicago were all successfully hacked using the malicious software called NetWalker. Sensitive information was stolen and the bad actors threatened to share it on the dark web unless a “ransom” was paid.

Cybercriminals see institutions of higher learning and organizations conducting research as prime targets for three reasons. First, there are financial opportunities. According to the 2020 Data Breach Investigations Report by Verizon, 79 percent of attacks on educational institutions were financially motivated, especially using ransomware.

The second reason is the theft of PII. With large student populations, colleges and universities are a wealth of data for would-be criminals. They can steal everything from social security numbers to bank account information and passport information. This allows them to commit identity theft or sell the data on the dark web for a handsome profit.

Research is the final lure for hackers when it comes to attacks on institutions of research and/or higher learning. Both nation-state actors and non-state actors want to get their hands on top-secret research, military or otherwise, for personal benefit. In 2019, Chinese hackers targeted 27 universities including the Massachusetts Institute of Technology (MIT) and the University of Washington, according to a piece by The Wall Street Journal.

The CMMC Requirements

On Jan. 31, 2020, the DoD released a custom CMMC framework based on a number of cybersecurity standards and requirements already in place including the NIST SP 800-171. The CMMC framework maps out a wide variety of cybersecurity best practices and processes for five maturity levels ranging from level 1, basic cybersecurity hygiene, to level 5, the highest level of cybersecurity hygiene. Each level includes the security practices and procedures of the previous level and incorporates escalating cybersecurity practices and procedures necessary to mitigate the increasing level of cyber risk.

Any institution of higher learning or research conducting business with the DoD must now achieve, at the least, certification at CMMC Level 1. Depending on the nature of the work being done for the DoD, the institution may be required to achieve a higher level of certification, especially when working with CUI. In order to achieve certification, the institution must pass an independent audit by a C3PAO as mentioned above. Moving forward, the DoD intends to include the CMMC requirements in requests for information (RFI) and requests for quote/proposal (RFQ/RFP).

Exceptions for CMMC

Note that an entire institution does not require CMMC certification. Only those departments, systems, and networks conducting the DoD-sponsored work as a prime contractor or subcontractor are required to achieve CMMC certification. If a university research lab is a subcontractor, they may not be required to achieve the same CMMC level of certification as the prime contractor depending upon what information is being shared in the collaboration process.

Due to concerns about the potential negative impact of CMMC requirements on fundamental research at institutions of higher learning, several organizations have joined forces to press for an exemption. The Association of American Universities (AAU), the Association of Public and Land-Grant Universities (APLU), the Council on Governmental Relations (COGR), and EDUCAUSE have all submitted a joint letter to the DoD expressing their concerns about CMMC requirements on fundamental research but to date, there are no exceptions or exemptions.

Getting Started

To begin the certification process for CMMC and ensure that your institution is meeting the requirements of NIST SP 800-171, there is preparation work to be done. A CMMC certified RPO such as Dox can assist in moving your organization toward achieving successful certification.

The process begins with an inventory of all DoD work currently being conducted at your institution to determine the requirements from NIST SP 800-171 and the CMMC maturity level certification it will require. This is followed by an inventory of all systems and networks used to collect, store, and process data related to the DoD contract, award, grant, or subcontract at your institution. A self-assessment with the RPO will determine your organization’s ability to meet the requirements of NIST SP 800-171 and the target CMMC level.

Should any shortfalls be identified, the RPO will assist in creating a plan for remediating any security gaps identified during the inventory and self-assessment process. The RPO can also keep you updated on changes as the CMMC Accreditation Body (AB) makes adjustments to the CMMC levels or certification process.

The Cost of CMMC

Katie Arrington, the Chief Information Security Officer (CISO) for the United States Department of Defense, said during a keynote session about CMMC that the DoD will cover institutions’ costs for CMMC preparation and certification. She said institutions conducting work with the DoD should include the cost of the time and work preparing for CMMC audits and the certification process in their RFQs and RFPs. It is expected that all institutions of higher learning and research institutions will need to have achieved CMMC certification no later than Fall 2021 so work, awards, and grants with the DoD are not negatively impacted.

For additional information on cybersecurity requirements for institutions of higher learning and research organizations conducting work with the DoD, contact Dox at (585) 473-7766. The initial consultation is free and there is no obligation. Dox is a CMMC-AB certified RPO.