The Defense Industrial Base (DIB) has been preparing for the Cybersecurity Maturity Model Certification (CMMC) for some time now, but higher education institutions that work with the Defense Department have only more recently begun responding to the CMMC requirements expected to start showing up in their contracts. Many of these institutions face different challenges than industry, including a deficit of information about these requirements in academic circles.
Federal News Network collaborated with Scott Edwards, CEO of Summit 7, to create an FAQ to help guide higher education institutions in their CMMC compliance journey.
Q: How is CMMC going to impact higher education institutions throughout the US? Have these institutions been given adequate resources to garner a solid understanding of CMMC compliance?
CMMC is going to impact higher education universities, federally funded research and development centers, and university-affiliated research centers; specifically, the research institutions that are maintaining government research contracts. If you’re not pursuing federal government or DoD research contracts, then you’re likely not going to be impacted, at least initially. As far as the resources that have been made available, the universities have basically been left to their own devices to navigate federal compliance mandates. The only data that’s out there is provided by either the Undersecretary of Defense for Acquisition and Sustainment through Katie Arrington’s office, or potentially through the CMMC Accreditation Body. Now, you have a large number of people out there offering unofficial takes on CMMC and information about CMMC compliance. Many companies are attempting to provide adequate information via webinars and online events, but obviously, they can’t speak for the government. They are basically interpreting what the government is telling everyone and providing guidance to customers based on that interpretation.
One datapoint that’s a fairly safe assumption is that universities that do any sort of work with the DoD will need to be CMMC Level 3, because their role in the DIB is largely data driven and often addresses sensitive technical subject matter.
Q: For higher education institutions and universities, federally funded research and development centers, and university-affiliated research centers, how will holding, storing, and processing Controlled Unclassified Information (CUI) affect them on their CMMC compliance journey?
If you have CUI and/or subsets, such as ITAR or EAR content, as a part of the DoD research contracts or grants currently in your portfolio or future pipeline, then your institution will need to meet CMMC Level 3. This is the reason so many large universities have already been working towards compliance with DFARS 7012.
The University of Tennessee Space Institute (UTSI) in Tullahoma is very close to our headquarters and, for example, recently announced a half-million-dollar contract award to help further develop hypersonic technology for the Air Force and other applications. UTSI was one of eight institutions selected for this particular contract, and all eight of these organizations will need to meet CMMC Level 3. This is one example of many.
Another thing worth pointing out is the data residency and access requirements in DFARS 7012 associated with CUI. These requirements oblige organizations to use FedRAMP Moderate accredited cloud systems, and specific CUI types prohibit system access by foreign nationals, including faculty and students.
Q: Will the federal government reimburse institutions for the cost of achieving CMMC Level 3 compliance?
There will not be any direct reimbursement for higher ed institutions. There has been mention, and there have been some trial balloons floated, about things such as tax incentives. However, that is all in the very, very early stages of discussion from the DoD. There has also been discussion about the ability for institutions to charge project implementation costs directly to a contract for certain portions, or to include them as an expense in their rates.
Q: What is the timeframe that these higher education institutions need to be CMMC compliant? Is it the same as the rest of the DIB?
The time frame for CMMC adoption is the same as industry. It depends on where the university is in their pursuit of these contracts. If they have contracts that are coming up for rebid in the near term, like 2021 or 2022, or new contracts that they are pursuing in that timeframe, then they need to be preparing for a CMMC assessment now. It is going to take, in most cases, a minimum of six to nine months for an organization to be able to get CMMC compliant, depending on the Level needed. And that’s an aggressive timeline.
Universities face a disadvantage because awareness of these requirements has been far lower. In academia, compliance initiatives could require multiple departments and colleges to reach a determination on budgeting and a resolution. It is very common to have the office of the CSO/CISO, the office of the CTO, one or more department/college heads, and the respective IT Directors from those colleges all in the decision-making process.
Q: What solution sets can higher education and research institutions leverage in achieving CMMC Level 3 compliance?
Almost identical to the solution set that a commercial company has, a CMMC Level 3 solution set is defined for a specific group of people in the university or research institution. In most cases, the institutions have a unique scenario in which the whole university will likely not be using the same infrastructure or solutions. Oftentimes, it is cost prohibitive to secure every information system across the enterprise to CMMC Level 3. Universities often choose to create what’s defined as a ‘green-field’ environment for CMMC and the users/data tied to DoD contracts.
As far as approach goes, institutions can always attempt CMMC compliance on premises. If you want to do an on-premises implementation, it can be very challenging. There is a large amount of software involved, and it’s not a solution most companies are going with these days. The majority of companies are going with cloud-based solutions because they are more comprehensive, easier to deploy, and easier to maintain long term. From a cloud standpoint, some of the common platforms that we see are deployments of Amazon Web Services GovCloud or Microsoft Azure Government from an IaaS standpoint, which is very common. If you’re looking for a SaaS-based solution for things like email and file collaboration, Microsoft 365 is widely adopted throughout the DIB and higher ed; specifically Microsoft 365 GCC High. If institutions are looking to handle data that’s not export controlled, that maybe is only CUI, then they might be able to deploy in Microsoft 365 GCC instead of GCC High. It really just depends on the kind of data that they’re going to be handling, storing, or processing.
One solution that a lot of universities seem to be moving toward is a deployment of Windows Virtual Desktop (WVD), a virtualized approach to compliance. Essentially, WVD builds out an enclave within their Azure Government or their Microsoft 365 environment that allows a user to use a university-furnished laptop (which is not necessarily controlled) to connect to the research environment that is secured to CMMC Level 3. The beauty of this approach is that faculty and students can do work in that enclave on a secured platform without having to impact the configuration of their existing laptop. This is a solution that we see universities like because they’re able to control the boundary of where CUI flows, and control the access to that information through the Azure environment. This allows a large amount of flexibility for the university, while also maintaining a high level of security.
Q: Can a cloud solution also help higher education institutions get around the challenge of staff that can’t be cleared for the environment?
Yes, it can help. It doesn’t completely alleviate the need, because someone still has to manage the platform. While the infrastructure might be managed by Microsoft or Amazon, the data, the data access and the endpoints still have to be managed by the university. One solution to the aforementioned is a managed services provider, or MSP. Essentially, the university uses the environment, while the managed services provider maintains the environment. This is one method we see universities and research institutions using to get around the requirement of having a U.S. person on staff. This leads to ensuring that only appropriate individuals have access to the content in the Government cloud infrastructure.
Q: What should universities and institutions be doing to prepare for upcoming assessments this year and next year?
The first thing is to start building the technical infrastructure that they need. If organizations haven’t made progress toward building out the technical infrastructure, this should be one of the first steps. Once they have met NIST 800-171 requirements under DFARS 7012, then they should look to meet the 20 additional practices found in CMMC Level 3. CMMC also requires organizations to meet requirements from a policy/process/procedure standpoint, leading to maturity-level processes. It really is a progression of activities. Some of them are technical in nature, some of them are documentation and process related; however, all of that has to come together before you can go get a CMMC assessment through a C3PAO (CMMC assessor) to officially get a certification.