CMMC and Fundamental Research: EDUCAUSE Joins Groups in Raising Concerns

Earlier this month, EDUCAUSE worked in partnership with the Council on Governmental Relations (COGR), the Association of American Universities (AAU), and the Association of Public and Land-grant Universities (APLU) to submit comments to the Under Secretary of Defense for Acquisition and Sustainment, Ellen M. Lord, raising concerns that the higher education research and information security communities have about the Cybersecurity Maturity Model Certification (CMMC) program released by the US Department of Defense (DOD).

Through the CMMC, the DOD is attempting to establish a requirements framework for information security that will set baseline standards across the ecosystem of defense contractors and related organizations known as the defense industrial base (DIB). This framework expands on the previously adopted, government-wide requirement that organizations holding controlled unclassified information (CUI) follow the NIST SP 800-171 information security guidelines for CUI. The DOD framework defines five levels of organizational information security maturity, with the implementation of 800-171 plus additional controls drawn from other security standards forming the Level 3 midpoint certification tier for CMMC. The more advanced Levels 4 and 5 of the framework draw on NIST SP 800-172 [https://csrc.nist.gov/publications/detail/sp/800-172/draft] (previously known as 800-171b) CUI guidelines developed at the request of the DOD. The request entails more rigorous standards and requirements to address "critical program" or "high value asset" CUI security concerns, such as "advanced persistent threats," i.e., continuous security compromise efforts by nation-state actors. Levels 1 and 2, however, address security considerations for information related to defense contracts that the DOD sees as relevant but that don't rise to the CUI category.

Current CMMC documentation and statements by DOD officials, including those that Katie Arrington, CISO at the DOD Office of Acquisition and Sustainment, made as recently as September 15 during the CMMC Virtual Summit (hosted by PreVeil and co-sponsored by EDUCAUSE) indicate that fundamental research conducted at higher education institutions as part of DOD contracts would fall under CMMC Level 1.¹ If this were to occur, research universities would have to apply significant security standards and controls to research activities that, by their very nature, are often meant to have their findings and results shared openly across the research community. The compliance costs associated with meeting security requirements on research data that will generally be made publicly available could force some higher education researchers and their institutions to forego pursuing DOD contracts, to the detriment of our national defense and higher education research. In addition, some higher education information security leaders and professionals are concerned that complying with CMMC Level 1 may put institutions in the position of having to apply the relevant requirements to their institutional network environments in general. This would further increase the operational and financial problems associated with CMMC compliance and thus the potential for institutions and their researchers to opt-out of participating in defense-related projects.

These problems, combined with the financial distress created by the coronavirus pandemic, led EDUCAUSE and its partners to ask that the DOD avoid applying CMMC requirements—even those at Level 1—to fundamental research programs and projects. Not only would this be appropriate given the nature of the research being conducted and the handling of the results it generates, but it would also eliminate potentially tricky issues with managing project relationships between primary defense contractors and fundamental research subcontractors. For example, university research administrators expressed concern that a failure to exclude fundamental research from CMMC could easily lead to primary contractors attempting to impose the CMMC requirements they face on their university research subcontractors, even when it is neither appropriate nor necessary (per previous DOD guidance).

The associations also requested that the DOD initiate a dialogue with research institutions to explore and resolve related concerns. For example, even those university researchers and activities to which CMMC might reasonably apply, such as those working with CUI, questions remain about what security compromise efforts would require an institution to seek a certification level beyond Level 3. The possibility and nature of a waiver process for CMMC requirements is another important topic of discussion for higher education institutions, given the diverse types of research conducted at our institutions and the varying information security needs generated as a result.

We have yet to receive a formal response to our comments, although the recent remarks by Katie Arrington (mentioned above) include a rejection of an exemption from CMMC for fundamental research. EDUCAUSE and its partner associations do not consider Arrington's comments as an official DOD response to our points, however. We plan to continue pressing our case with more senior DOD officials, such as Under Secretary Lord and the DOD's leadership for areas that work more directly with university researchers and research institutions, with the goals of securing a CMMC exemption for fundamental research conducted at our member institutions and opening an ongoing dialogue with the DOD on other member concerns arising from the CMMC program.

Note

1. Katie Arrington and Karlton Johnson, "Keynote: CMMC Must Do's for 2020," (Keynote presentation, CMMC Summit, September 15, 2020). ↩

---

Jarret Cummings is Senior Advisor for Policy and Government Relations at EDUCAUSE.