CMMC and Higher Ed:
Understanding the Basics

For colleges and universities around the country, the government’s embrace of the new Cybersecurity Maturity Model Certification (CMMC) means creating a plan to get compliant—or risk losing out on millions of dollars in grant and research funding. Follow along to learn the basics.  


  • What is CMMC? 

    CMMC is a new regulation and security requirement from the DoD, requiring researchers and universities that receive funding from the DoD to have specifically built secure environments for all of their DoD-funded research. The environments will need to be accessed and regulated by an independent third party, and universities will need to maintain compliance with that assessment program moving forward.

  • Why was CMMC developed?  

    Cyberattacks against all institutions increased during the pandemic, but universities have been a special focus. Attacks against the education sector comprised 10% of all cyberattacks in early 2021, compared to 7.5% the year before. The DoD is worried that hackers who break into university databases could also get their hands on sensitive data that could harm national security. The government embraced CMMC as its answer to this increased threat.

  • When do institutions need to implement CMMC? 

    While the CMMC has not taken effect yet, higher ed institutions don’t have much time. The Department of Defense (DoD) issued guidance about CMMC 2.0 in November 2021 and, according to the DoD’s CMMC website, “The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.” It’s essential that universities start the process now, since the requirements will start showing up in new contract language and grants moving forward. Since the time to build a secure environment for research can sometimes be extensive, it’s much better to start early if you don’t want to lose out on winning grants—or talent.


An Ad-Hoc Approach Won’t Work

Many universities have taken an ad-hoc approach to the cloud, migrating department by department, or even project by project. When organizations or departments spend individual project money to build their own environments, those environments often operate separately from central IT, meaning that there isn’t a lot of visibility on security or privacy protections. But that won’t work for CMMC. To meet CMMC compliance, institutions will need a new process, entirely. Don’t worry, we’ve got you covered. In our e-book, CMMC Compliance in Higher Education: How to Choose a Path to Compliance, we’ll explore three different avenues that universities can take to become compliant, depending on their unique needs. Download our e-book here


Stefan Deusch

Forward-thinking Engineering leader offering 20 years of experience with a background in effective and dynamic work environments. Clear communicator, decision-maker, and problem solver focused on achieving project objectives with speed and accuracy. I am passionate about building quality teams, cloud computing, and machine learning.

Let’s see how we can
empower your organization
to make a difference.

Let's Talk About Everything!