Higher education institutions must comply with government cybersecurity regulations because they handle controlled unclassified information (CUI) received from the federal government in connection with research work, which is often conducted in conjunction with colleges and universities. Additionally, federal student aid programs also connect institutions of higher learning with the federal government, further requiring a higher level of security due to the exchange of personally identifiable information (PII).
CMMC and Institutions of Higher Learning
The CMMC is a new requirement that has been in development for the last couple of years and is finally coming to fruition in 2021. This new requirement applies to all institutions of higher learning, as well as research institutions, that conduct business with the United States Department of Defense (DoD). This business may revolve around the award of federal grants, contracts, and cooperative agreements. It even impacts those with subawards or subcontracts as part of the flow-down requirements of CMMC.
Though any given research or educational institution working with the DoD may not be handling CUI, it will still be impacted. What this means is that all institutions of higher learning and those conducting research are now required to institute cybersecurity best practices and obtain certification by a CMMC Third-Party Assessor Organization (C3PAO). A CMMC Registered Provider Organization (RPO) such as Dox Electronics can provide advice, consulting, and recommendations to help research institutions and institutions of higher learning prepare for certification by a C3PAO. Research organizations and colleges and universities could face losing future DoD contracts, subcontracts, grants, and awards that require certification at a CMMC level they have not yet achieved.
Cybercriminals see institutions of higher learning and organizations conducting research as prime targets for three reasons. First, there are financial opportunities. According to the 2020 Data Breach Investigations Report by Verizon, 79 percent of attacks on educational institutions were financially motivated, especially using ransomware.
The second reason is the theft of PII. With large student populations, colleges and universities are a wealth of data for would-be criminals. They can steal everything from Social Security numbers to bank account information and passport information. This allows them to commit identity theft or sell the data on the dark web for a handsome profit.
On Jan. 31, 2020, the DoD released a custom CMMC framework based on a number of cybersecurity standards and requirements already in place, including NIST SP 800-171. The CMMC framework maps out a wide variety of cybersecurity best practices and processes across five maturity levels, ranging from Level 1, basic cybersecurity hygiene, to Level 5, the highest level of cybersecurity hygiene. Each level includes the security practices and procedures of the previous level and adds the escalating cybersecurity practices and procedures necessary to mitigate the increasing level of cyber risk.
Any institution of higher learning or research conducting business with the DoD must now achieve, at the least, certification at CMMC Level 1. Depending on the nature of the work being done for the DoD, the institution may be required to achieve a higher level of certification, especially when working with CUI. In order to achieve certification, the institution must pass an independent audit by a C3PAO as mentioned above. Moving forward, the DoD intends to include the CMMC requirements in requests for information (RFI) and requests for quote/proposal (RFQ/RFP).
Exceptions for CMMC
Note that CMMC certification is not required for an entire institution. Only those departments, systems, and networks conducting the DoD-sponsored work as a prime contractor or subcontractor are required to achieve CMMC certification. If a university research lab is a subcontractor, it may not be required to achieve the same CMMC level of certification as the prime contractor, depending upon what information is being shared in the collaboration process.
To begin the certification process for CMMC and ensure that your institution is meeting the requirements of NIST SP 800-171, there is preparation work to be done. A CMMC certified RPO such as Dox can assist in moving your organization toward achieving successful certification.
The process begins with an inventory of all DoD work currently being conducted at your institution to determine the requirements from NIST SP 800-171 and the CMMC maturity level certification it will require. This is followed by an inventory of all systems and networks used to collect, store, and process data related to the DoD contract, award, grant, or subcontract at your institution. A self-assessment with the RPO will determine your organization’s ability to meet the requirements of NIST SP 800-171 and the target CMMC level.
Should any shortfalls be identified, the RPO will assist in creating a plan for remediating the security gaps found during the inventory and self-assessment process. The RPO can also keep you updated on changes as the CMMC Accreditation Body (AB) makes adjustments to the CMMC levels or certification process.
The Cost of CMMC
Katie Arrington, the Chief Information Security Officer (CISO) for the United States Department of Defense, said during a keynote session about CMMC that the DoD will cover institutions’ costs for CMMC preparation and certification. She said institutions conducting work with the DoD should include the cost of the time and work spent preparing for CMMC audits and the certification process in their RFQs and RFPs. It is expected that all institutions of higher learning and research institutions will need to have achieved CMMC certification no later than Fall 2021 so that work, awards, and grants with the DoD are not negatively impacted.
For additional information on cybersecurity requirements for institutions of higher learning and research organizations conducting work with the DoD, contact Dox at (585) 473-7766. The initial consultation is free and there is no obligation. Dox is a CMMC-AB certified RPO.