How Cybersecurity Maturity Model Certification will impact your institution
On November 10, 2021, EAB’s IT Forum hosted a Q&A panel with three senior IT leaders with experience navigating Cybersecurity Maturity Model Certification (CMMC) at their institutions: Helen Patton, Advisory CISO at Cisco and former CISO at The Ohio State University, Donna Kidwell, CISO at Arizona State University, and Masood Sidiqyar, Senior Director of Information Security at Vanderbilt University.
Read on to learn about some roundtable takeaways below or scroll to the next steps.
What is CMMC?
CMMC is a forthcoming cybersecurity requirement that will apply to all higher education and research institutions doing business with the Department of Defense (DoD). CMMC certifies the level of an organization’s ability to protect federal contract information (FCI) and controlled unclassified information (CUI). Arguably the most significant standard in InfoSec’s history, CMMC is coming to higher ed in no uncertain terms.
Not only does CMMC bring pivotal changes in requirements for DoD grants, but it also introduces an assessment program that dwarfs all others. Early indications also suggest CMMC will not be limited to DoD grants; it may become a standard requirement for a whole host of federal grants as government agencies look to harmonize their cybersecurity approaches.
Review the Key Takeaways
1. Higher ed institutions should not bet on lax enforcement of CMMC 2.0 despite reduced stringency compared to CMMC 1.0.
Unlike CMMC 1.0, which required third-party assessment for all maturity levels, all CMMC 2.0 level one contracts and a proportion of level two contracts will permit self-assessment. Institutions that plan to handle controlled unclassified information (CUI) require CMMC 2.0 level two controls and will be subject to triennial third-party assessment in cases where they have access to critical national security information (yet to be clearly defined).
Helen Patton, Advisory CISO at Cisco, warned institutions against assuming that their contracts will not include the critical information that requires third-party assessment, and/or that their self-assessments or plans of action and milestones will not be continuously vetted and enforced. Helen also noted that whoever submits CMMC compliance information can be held criminally liable for false claims. As a result, in the private sector, many organizations are requiring CIOs themselves to submit CMMC self-attestation.
2. Most institutions have pursued CMMC-compliant enclaves for research data, but experts advise thinking towards a long-term plan that expands some security controls across the institution.
Instead of pursuing CMMC compliance across the enterprise, leading institutions are creating research enclaves on campus compliant with certain CMMC levels to house all DoD research and data. This is simply because, as Helen Patton remarked, “In higher ed, if you were to apply the 110+ CMMC controls across the environment, you would stop the university from doing what it does”. For such reasons, Masood Sidiqyar, Vanderbilt University’s Senior Director of Information Security, currently employs three research enclaves on campus, two on-premises and one in the cloud.
However, the panelists predicted these research enclaves will not be the end of their CMMC compliance journeys. For example, Helen stressed that since data is incredibly distributed in higher ed, institutions will need to go through necessary data governance and architecture exercises and implement CMMC controls more widely as other federal agencies may soon place more stringent restrictions in line with CMMC in areas such as student financial aid data.
Donna Kidwell, CISO at Arizona State University (ASU), is pushing the entire campus towards CMMC 2.0 level one, which comprises 17 foundational practices aligned with FAR 52.204-21[1], while also pursuing level two in specific research enclaves.
3. Collaborate with the full scope of research, IT, and security stakeholders to avoid internal misalignment or – at worst – inaccurate attestation of compliance and possible whistleblowing.
“CMMC compliance requires an ongoing governance structure. Research has to play nicely in the sandbox with IT and security; they have to work together like legs on a three-legged stool.”
Helen Patton, Advisory CISO at Cisco
Partnership between research, IT, and security stakeholders who may not be involved in day-to-day CMMC operations is key to avoiding incorrect assumptions and submitting inaccurate information.
Each group serves an integral role in maintaining ongoing CMMC compliance and all groups must be responsible for documentation. The security group directs and drives the cybersecurity program and its policies. IT executes the security vision and ensures controls are in place. And the research community must understand not only how and why CMMC compliance is important, but how they themselves are responsible for it.
For example, Donna Kidwell conducts roadshows twice a year with ASU’s 38 deans to make sure they are all in alignment and understand the reasons for and associated responsibilities with regulations like CMMC and NIST SP 800-171[2]. Donna is also creating working groups to organize the CMMC compliance effort, especially to ensure coordination with representatives from distributed IT units.
4. CMMC compliance can promise a competitive advantage but warrants a preliminary cost-benefit analysis
Earning compliance can position your institution for DoD grants and research dollars inaccessible to most. Masood Sidiqyar mentioned that of the over 300,000 organizations in the defense industrial base, a large proportion will not become certified in the near future, a trend that rings even truer in higher ed.
Nevertheless, the decision to pursue CMMC compliance should be a business decision driven by key research and academic leaders and dependent on how much DoD engagement your institution plans to pursue. In other words, the potential for research dollars and activity must be weighed against the cost of the investment to achieve a desired level of maturity. While IT leaders must encourage the institution to adopt core controls and support movement to higher levels of CMMC compliance, CMMC decisions should be strategic, widely agreed upon, and driven by the academy.
However, the session’s panelists did advise that for institutions to engage in any business with the DoD, even if they are not prime contractors or pursuing DoD contracts themselves, they would have to achieve CMMC 2.0 level one compliance. For example, if your institution wanted to partner or subcontract with Boeing on work for the DoD, it would still need to earn a certain level of compliance based on Boeing’s contract with the DoD.
Furthermore, CMMC 2.0 is expected to set the tone for other federal agencies like the Department of Education and the General Services Administration, which may adopt similar enforceable standards in the future.
5. Earning and maintaining CMMC certification requires dedicated staff roles and resources.
The session panelists all agreed that someone on campus needs to own CMMC full-time. Donna Kidwell stressed the importance of dedicating CMMC-focused resources not only initially but on an ongoing basis, due to the need for maintenance and continuous enforcement. She also cautioned against fully outsourcing CMMC compliance, since institutions own the responsibility, and thus the risk, for outcomes.
ASU is focusing three roles on CMMC compliance:
- A chief-level role related to privacy and risk to oversee CMMC governance and drive collaboration across compliance working groups
- A senior business analyst who understands the CMMC space and will help operationally shepherd the compliance process
- A process compliance automation engineer to design processes and automate compliance with requirements like HIPAA[3] and CMMC
Footnotes
[1] FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems
[2] National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
[3] The Health Insurance Portability and Accountability Act
Take the Next Steps
Join future roundtable sessions
Tune in for our cybersecurity executive roundtable sessions in January-March, where we will present best practice tactics in cybersecurity culminating from months of research and calls with CIOs and CISOs.
Share the summary slides
Distribute the information from the Q&A panel to your leadership team, deans, and associate deans.
Connect With the Experts
Afia Tasneem
Director, Strategic Research
Afia leads best practice research in EAB’s Information Technology Forum. As a higher education strategist, Afia equips Chief Technology Officers with the insights, data, and resources to advance their institutional goals. Afia’s areas of expertise include cost containment, strategic vendor management, and organizational design.
Abhilash Panthagani
Senior Analyst, IT Forum
Abhilash is a senior analyst on the IT Forum at EAB. During his time at EAB, Abhilash’s work has focused on business affairs and IT. In particular, Abhilash has conducted research on topics such as administrative transformation, process improvement, and cybersecurity in higher education.