
By: Eileen Smith on August 28, 2025

What Should Higher Education Institutions Know About CMMC Compliance?

Cybersecurity | Compliance | CMMC 2.0

Colleges and universities that perform research and development services for the federal government related to national security and infrastructure must meet the same cybersecurity standards as commercial businesses within the U.S. Defense Industrial Base (DIB).

Although they’re often an overlooked group, institutions of higher education also handle sensitive federal information as part of their federally-funded research contracts.

This means that they, too, are mandated to satisfy the cybersecurity and assessment requirements of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework in order to maintain their existing contracts and be eligible for new federal funding award opportunities.

CMMC 2.0 requires that all organizations within the Department of Defense (DoD) supply chain implement strong security protections to ensure the safety and integrity of the sensitive federal data they handle.

In this article, we’ll discuss what the CMMC 2.0 cybersecurity regulation means for institutions of higher education like yours and deadlines to keep in mind.

With this information, you’ll be able to establish a timeline for becoming compliant, getting assessed, and getting certified, so that you can keep your existing DoD contracts and be positioned to win new ones.

How Much Do Colleges And Universities Rely On Federal DoD Funding For Research?

According to preliminary estimates from the National Center for Science and Engineering Statistics (NCSES), government funding for research and development (R&D) is expected to top $195.7 billion in FY2024, a projected five percent increase from FY2023 R&D obligations.

Of that amount, approximately $93 billion is earmarked for the DoD. The funds target areas such as:

  • national defense
  • cybersecurity
  • artificial intelligence (AI) and automation
  • robotics
  • future generation wireless technology
  • quantum science
  • space technology
  • integrated network systems
  • microelectronics

The federal government remains the largest source of academic R&D funds for U.S. colleges and universities. This funding enables universities to conduct research, development, testing, and evaluation (RDT&E) on the government’s behalf.

In FY2023, the DoD alone awarded $9 billion in federal R&D funds to U.S. universities, according to NCSES data; total federal R&D expenditures at universities topped $108 billion in FY2023.

There are several different government university funding programs. For instance, Multidisciplinary University Research Initiative (MURI) grants support exploratory research.

Another example is the Defense University Research Instrumentation Program (DURIP). The program provides grant money to allow universities with defense contracts to buy the advanced equipment they need to enhance their research.

Are Colleges And Universities With DoD Research Contracts Exempt From Meeting CMMC Compliance?

When most people think of CMMC 2.0 compliance, they generally think of the more than 300,000 commercial enterprises within the DIB that handle federal contract information (FCI) and controlled unclassified information (CUI).

The reality is, however, that any organization that stores, processes, or transmits FCI or CUI in the process of carrying out their federal contract or grant must implement the required security measures.

Those groups include university-affiliated research centers (UARCs) and federally funded research and development centers (FFRDCs).

Despite concerns expressed by some higher education institutions about the impact of CMMC mandates on research—including peer reviewed research and collaborations with other university research teams—along with the financial impact, the government has not carved out any exemptions.

Without a government compliance exclusion, these groups are just as responsible for safeguarding FCI and CUI as the commercial contractors and subcontractors within the government’s defense supply chain.

The intent of CMMC 2.0 Final Rule is to strengthen the security of the DoD’s supply chain against increasing cyber threats.

To reduce the risks of its sensitive data falling into the wrong hands, the government set up a system to have DIB organizations prove that they’ve taken the necessary measures to safeguard the sensitive data.

So, all higher education institutions and non-profit research centers or labs with DoD contracts that handle CUI and FCI are held to the same standards for meeting CMMC compliance as all other DIB members.

Whether CMMC compliance will be required for the entire university or research lab will depend on the type of data being stored, processed, and transmitted and where it lives.

What Are The Regulatory Requirements Of CMMC For University Research Centers?

CMMC 2.0 divides DIB organizations into one of three categories or levels, defined by the type of data they handle. The security and assessment requirements become more robust as the levels go up.

Under CMMC 2.0, most colleges and universities handling CUI will have to meet Level 2 compliance and CMMC assessment standards. The exact level, however, will depend on the type of information they handle, and will be specified in the contract language.

Keep in mind that not all CUI is the same, so some CUI may require Level 3, at the government’s discretion. Organizations at Level 3 must meet the most stringent cybersecurity requirements and undergo a federal CMMC audit.

From a planning standpoint, most organizations should be eyeing October 1, 2025. The start of fiscal year 2026 is widely considered to be the true kickoff for CMMC language to begin appearing in all DoD contracts as part of the government’s phased rollout.

On July 22, the DoD sent the final 48 CFR (Code of Federal Regulations) rule to the Office of Information & Regulatory Affairs (OIRA) for review.

The final 48 CFR rule modifies the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate the CMMC 2.0 requirements, officially requiring compliance for all DIB contractors and subcontractors.

Once the final 48 CFR rule is reviewed and published in the Federal Register, it will go into effect immediately, possibly as early as October.

Once this happens, the new leveled assessment and cybersecurity requirements for CMMC 2.0 will begin appearing in nearly all non-commercial-off-the-shelf (COTS) DoD contracts and bid solicitations.

Phase II of the regulation is officially set to kick in after December 16, 2025, a year after the CMMC 2.0 Final Rule went into effect. However, language for the new regulation has already started appearing in certain priority DoD contracts.

Organizations will either perform a self-assessment or need to be audited by an independent third-party organization. Most Level 2 DIB organizations will be required to undergo an assessment by a third-party assessor organization (C3PAO).

Why Colleges & Universities Can’t Afford To Delay Their Compliance Journey

Institutions of higher education are facing the same deadlines as commercial businesses to implement the required cybersecurity controls to satisfy the CMMC 2.0 requirements and get certified.

Those that wait too long could risk damaging their reputations and jeopardizing their standing with the DoD. Importantly, this could cause them to lose their valuable, federally-funded research contracts and grants and possibly become disqualified from obtaining new ones.

Failing to meet the regulatory security standards could also result in significant fines and penalties.

For instance, in 2024, Pennsylvania State University reached a $1.25 million settlement as part of the Department of Justice’s Civil Cyber-Fraud Initiative (CFI).

The Penn State case stemmed from a lawsuit initially brought by the former chief information officer (CIO) of Penn State's Applied Research Laboratory under the whistleblower provision of the False Claims Act (FCA).

Following a major cyber breach at Penn State, the former university official alleged that the institution submitted false cybersecurity compliance self-attestations to the government.

The lawsuit alleged that between 2018 and 2023, the university failed to satisfy required cybersecurity standards for protecting the sensitive federal data it handled in its 15 DoD and NASA contracts or subcontracts.

In 2023, the government stepped in to take over the case. Among the violations, the government said Penn State failed to include a plan of action and milestones (POAM) detailing how and when it planned to fix identified security flaws when it submitted its score to the Supplier Performance Risk System (SPRS).

The government also alleged that Penn State failed to ensure that the external cloud service provider it used to handle CUI flow-down had itself met the necessary cybersecurity standards.

On October 22, 2024, the university agreed to pay $1.25 million to settle the case.

"Universities that receive federal funding must take their cybersecurity obligations seriously," then-Principal Deputy Assistant Attorney General Brian M. Boynton said in a press release announcing the settlement.

"We will continue our efforts under the department's Civil Cyber-Fraud Initiative to hold contractors accountable when they fail to honor cybersecurity requirements designed to protect government information," Boynton said in the release.

In 2021, the U.S. Department of Justice launched the Civil Cyber-Fraud Initiative using the FCA for enforcement, following a rash of cyberattacks against contractors and public and private organizations within the DoD supply chain.

The Bottom Line: Colleges & Universities Face Looming Deadline For CMMC Compliance

Now that you’ve read this article, you understand that CMMC 2.0 compliance requirements are universal for organizations within the DIB handling sensitive FCI and CUI.

At Kelser, we know navigating the CMMC process can be complicated and confusing. That’s why we’re committed to providing customized compliance solutions to help our clients navigate the complex compliance process and pass their CMMC audit.

Our team of IT and cybersecurity professionals has extensive experience helping clients meet compliance for various regulations and cybersecurity frameworks, including HIPAA, DFARS, and NIST.

If your compliance efforts have stalled or you have yet to get started, the time to act is now. Remember, with a limited number of C3PAOs nationwide, slots are already filling up to schedule an independent Level 2 assessment.

You should also be aware that it can take organizations anywhere from six months to 18 months to become compliant and get assessed.

Without sufficient internal cybersecurity experts with regulatory compliance knowledge, many colleges and universities are turning to external IT service providers to guide their CMMC readiness strategy.

While we know managed IT support isn't right for everyone, if your organization lacks staff with cybersecurity compliance expertise, you may not have the right internal support necessary to fully understand what your obligations are under CMMC 2.0 and what the best practices are for meeting those standards.

With the compliance deadline fast approaching, don’t risk waiting until it’s too late. Reach out now to schedule a free CMMC consultation to jumpstart your CMMC compliance journey.

About Eileen Smith

Eileen merges her extensive experience as an educator and professional journalist into her role as Kelser’s Content Manager. She brings a different perspective in translating complex technology ideas into easy-to-understand articles.
