CMMC and Higher Ed: Understanding the Basics
For colleges and universities around the country, the government’s embrace of the new Cybersecurity Maturity Model Certification (CMMC) means creating a plan to get compliant—or risk losing out on millions of dollars in grant and research funding. Follow along to learn the basics.
What is CMMC?
CMMC is a new regulation and security requirement from the DoD, requiring researchers and universities that receive funding from the DoD to have specifically built, secure environments for all of their DoD-funded research. The environments will need to be assessed and regulated by an independent third party, and universities will need to maintain compliance with that assessment program moving forward.
Why was CMMC developed?
Cyberattacks against all institutions increased during the pandemic, but universities have been a special focus. Attacks against the education sector comprised 10% of all cyberattacks in early 2021, compared to 7.5% the year before. The DoD is worried that hackers who break into university databases could also get their hands on sensitive data that could harm national security. The government embraced CMMC as its answer to this increased threat.
When do institutions need to implement CMMC?
While the CMMC has not taken effect yet, higher ed institutions don’t have much time. The Department of Defense (DoD) issued guidance about CMMC 2.0 in November 2021 and, according to the DoD’s CMMC website, “The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.” It’s essential that universities start the process now, since the requirements will start showing up in new contract language and grants moving forward. Since the time to build a secure environment for research can sometimes be extensive, it’s much better to start early if you don’t want to lose out on winning grants—or talent.
An Ad-Hoc Approach Won’t Work
Many universities have taken an ad-hoc approach to the cloud, migrating department by department, or even project by project. When organizations or departments spend individual project money to build their own environments, those environments often operate separately from central IT, meaning that there isn’t a lot of visibility into security or privacy protections. But that won’t work for CMMC. To meet CMMC compliance, institutions will need an entirely new process. Don’t worry, we’ve got you covered. In our e-book, CMMC Compliance in Higher Education: How to Choose a Path to Compliance, we’ll explore three different avenues that universities can take to become compliant, depending on their unique needs.