Following an earlier letter to the US Department of Defense (DOD), EDUCAUSE joined other groups in highlighting problems with an interim DOD regulation that could impose unnecessary cybersecurity requirements on university fundamental research.
The US Department of Defense (DOD) released an interim rule this fall that formally incorporates its Cybersecurity Maturity Model Certification (CMMC) framework into its contracting regulations, setting the stage for the five-year implementation of CMMC requirements across all defense contracts beginning with several pilot contracts in December.1 The rule also mandates that defense contractors that are required to follow the NIST SP 800-171 controlled unclassified information (CUI) guidelines conduct and post the results of a "basic" self-assessment of their compliance with those guidelines. Contractors that have to conduct a self-assessment will not be eligible for new contracts until they have posted their self-assessment results, which are good for three years, to the DOD's official contractor information database. In addition, the regulations allow the DOD to subsequently select contractors for "medium" or "high" assessments—to be conducted by DOD or contract personnel—based on its review of the self-assessment results.
The DOD used special authority to mandate that compliance with the rule begin on November 30, 2020, even though the rule remains under interim status until it is finalized pending the analysis of public comments. The deadline for submitting such comments was November 30 as well. The DOD justified this step—requiring compliance with regulations that are not yet in final form—on the grounds that the necessity of ensuring cybersecurity across the contractor community (otherwise known as the Defense Industrial Base, or DIB) made getting the CMMC groundwork in place and forcing contractors to focus on 800-171 compliance in the near term essential.
EDUCAUSE had previously worked with the Council on Governmental Relations (COGR), the Association of American Universities (AAU), and the Association of Public and Land-grant Universities (APLU) to send a letter to the Under Secretary of Defense for Acquisition and Sustainment, Ellen Lord. In the letter, the associations raised significant concerns about the potential application of CMMC requirements to fundamental research projects. (University researchers often conduct such projects as subcontractors for defense firms or as direct contractors for the DOD itself.) The associations noted that fundamental research projects by definition do not involve the CUI (or "covered defense information" [CDI] in the defense context) that the CMMC program is primarily designed to protect. Therefore, EDUCAUSE and its partners argued that formally exempting fundamental research projects from CMMC was both justified and necessary to prevent the potential misapplication of CMMC requirements to those projects by primary contractors and/or DOD contract officers.2
Since the interim rule did not resolve the issues presented in the groups' earlier letter, they decided to submit shared comments on the interim rule, with the American Council on Education (ACE) participating as well. Addressing the problems with the DOD's approach in greater detail, the associations highlighted that fundamental research rarely involves even the federal contract information (FCI) that serves as the basis for the lowest tier of CMMC certification, CMMC Level 1. Thus, applying Level 1 certification requirements to fundamental research projects, except in those unusual cases where the DOD supplies FCI as part of the project, would lead to unnecessary burden and expense, which is especially problematic given the pandemic-related financial crises most institutions are experiencing. On that basis, EDUCAUSE and its partners reiterated their call for the CMMC framework to explicitly exclude fundamental research from its scope.
Turning to the NIST SP 800-171 self-assessment mandate, the associations noted that the DOD contract clause requiring 800-171 compliance self-cancels when a contracted project receives a fundamental research designation. Therefore, the 800-171 CUI guidelines do not apply to fundamental research. On that basis, it should be clear that the 800-171 self-assessment mandate (and the subsequent possibility of DOD-conducted "medium" and "high" assessments) in the interim rule similarly does not apply to fundamental research projects. EDUCAUSE and its partners made the point in their comments, though, that the failure of the interim rule to explicitly exempt fundamental research from the self-assessment requirement creates the potential for confusion among higher education researchers and their institutions, primary defense contractors, and DOD contract officers. Since the rule prohibits any DOD contract or subcontract from being awarded to an organization that is required to submit an 800-171 self-assessment but has yet to do so, a lack of clarity on this issue could result in significant barriers to fundamental research contracts until it is resolved, either in individual cases or in general. Thus, the associations requested that the DOD make clear in the final rule that the self-assessment mandate does not apply to contracts or subcontracts that receive a fundamental research designation.
The DOD has not indicated when it will issue the final version of the CMMC framework/NIST SP 800-171 assessment rule, and it is not clear how the transition from the Trump administration to the Biden administration will affect its implementation once the rule has been finalized. The independent organization charged with developing, implementing, and maintaining the third-party certification process, the CMMC Accreditation Body (CMMC-AB), recently signed a no-cost contract with the DOD confirming its status as the sole accreditor of CMMC assessment organizations and professionals.3 The degree to which that contract will limit the new DOD leadership from pursuing a different model or altering the requirements of the existing model, however, remains to be seen. Regardless, EDUCAUSE will continue to work with other higher education associations to press for a fundamental research exclusion in the rule as well as for CMMC accreditation guidelines and processes that address university research concerns if an exclusion is not provided.
For more information about policy issues impacting higher education IT, please visit the EDUCAUSE Review Policy Spotlight blog as well as the EDUCAUSE Policy web page.
Notes
- Defense Acquisition Regulations System, Department of Defense, Interim Rule, "Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)," ↩
- EDUCAUSE, Council on Government Relations, Association of American Universities, and Association of Public and Land-grant Universities to The Honorable Ellen M. Lord, Washington DC, September 1, 2020. ↩
- Sarah Sybert, "CMMC-AB Signs No-Cost Contract with DOD," ExecutiveGov, November 30. 2020. ↩
Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.
© 2020 Jarret Cummings. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.