CMMC and the Far Reaching Cybersecurity Compliance Requirements

Impacts to Higher Education

As the federal government continues to focus on cybersecurity issues and set the tone for heightened standards to defend against cyber threats, more and more industry sectors are feeling the effects. The Cybersecurity Maturity Model Certification ("CMMC") program is one such example, and one that Higher Education needs to pay attention to.

To address growing risks to defense suppliers (collectively the "Defense Industrial Base" or "DIB") due to malicious cyber activity, threat to intellectual property, economic espionage and data loss, the US Department of Defense (DoD) is implementing enhanced requirements to protect sensitive data associated with DoD contracts. It applies to all DoD prime- and sub-contractors, and cuts across a large network of companies and into many product classifications. This ranges from obvious defense sector products like weapon and communication systems to less obvious products sold to the Pentagon, such as clothing, food or building materials, as well as to manufacturers, systems integrators, service and technology providers. It applies to approximately 300,000 global providers of $264 billion in goods and services procured by the Pentagon, extending to labs and research centers that reside in the Higher Education sector.

The CMMC program materially raises the bar for Higher Education. It imposes a formal certification of the maturity of their cybersecurity programs by independent third-party assessors. Failure to meet CMMC standards could impact their ability to participate in future Pentagon procurements, jeopardizing critical government funded grants that schools rely upon.

CMMC Compliance Explained

CMMC replaces the previous cybersecurity self-attestation to NIST 800-171 with a tougher third-party certification approach. It consists of 17 core security domains and integrates various existing cybersecurity control standards into one unified standard for DoD contractors to demonstrate the maturity of their cybersecurity programs and practices.

The CMMC is more prescriptive and nuanced than other frameworks and standards. It will measure how well contractors and subcontractors in the defense supply chain have implemented and operationalized their cybersecurity practices and processes against a five-level maturity standard from Level 1 (Basic Cyber Hygiene) to Level 5 (Advance/Progressive):

The CMMC mandate began in 2020 and moved through an early "demonstration” stage. It will progress to its full implementation and enforcement as late as 2025-2026. All Defense Department procurements (through RFIs and RFPs) will require one of the five maturity levels as a binary threshold for vendor participation. For example, if Level 3 is the minimum level of maturity is required, all vendors certified at Levels 1 and 2 will be ineligible to submit a proposal.

Areas of Focus

The 17 CMMC cybersecurity domains map to several other established security frameworks and standards, and include:

Access Control

Asset Management

Audit & Accountability

Awareness & Training

Configuration Management

Identification & Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Process Maturity

Recovery

Risk Management

Security Assessment

Situational Awareness

System and Communications Protection

System & Information Integrity

What Can Higher Education Do Now?

Educational institutions that directly or indirectly participate in the DIB and may be covered entities under the CMMC program should prepare now by taking the following steps:

Consult with counsel to determine if your organization is likely to be affected by the CMMC program.
Either internally assess the current state of your company's cybersecurity program, capabilities and practices or engage a third-party expert firm to independently assess your security environment – ideally against the NIST 800-171 standard. This remains the optimal pro forma cybersecurity standard for indicating your potential gaps against the bulk of the CMMC requirements.
Explore the gaps the company may have in complying with the NIST 800-171 standard and begin to remediate those gaps. If your assessment reveals that your organization aligns with NIST 800-171, it may be close to achieving the CMMC Level 3, an excellent starting point.

Leveraging CMMC Compliance: Strategies for the Path Ahead

These actions will inevitably improve the maturity of the education sector's current cybersecurity posture as they gain visibility into the current state of their programs, remediate gaps in their cybersecurity practices and processes, and prepare for independent assessment and certification against the CMMC.

These efforts will align with the current stringent expectations of the cyber insurance underwriting community who remain laser focused on data security controls of their prospective insureds. As CMMC becomes fully implemented we foresee cyber insurance underwriters aligning their expectations closely with those of CMMC when evaluating risks in certain sectors, including Higher Education. Those that do so may benefit from more favorable cyber insurance rates, expanded coverage terms, the ability to obtain higher policy limits and a more efficient process when applying for cyber insurance. Therefore, we suggest that CMMC compliance efforts be leveraged to demonstrate how early prophylactic cybersecurity efforts in these areas may place organizations in a more positive light as they navigate the cyber insurance market.

John Farley

Managing Director — Cyber Liability Practice

New York, NY

Phone Number (212) 763-3424

CMMC and the Far-Reaching Cybersecurity Compliance Requirements