CMMC is coming for higher education: 3 ways to prepare
This federal certification program is designed to verify, not just encourage, a stronger security posture
For the past year, U.S. colleges and universities have anxiously awaited news about a federal certification program that could change everything: the Cybersecurity Maturity Model Certification (CMMC). The U.S. Department of Defense (DoD) introduced CMMC into contracts through a DFARS interim rule published in September 2020. Its purpose is to verify that contractors and subcontractors actually protect two classes of data: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The controls themselves are not new; what is new is that a third party checks them before a contract is awarded.
In November 2021 the DoD announced CMMC 2.0, which collapses the original five levels into three and ties Level 2 directly to the 110 security requirements of NIST SP 800-171 (not the NIST Cybersecurity Framework, which is a different document). The DoD's phased rollout plan calls for contractors and subcontractors that handle FCI or CUI to meet CMMC 2.0 requirements by October 1, 2025. This presents a unique challenge for higher education institutions that depend on DoD contracts and funding for essential research programs.
CMMC itself applies only to DoD contracts, but the NIST SP 800-171 controls behind it are spreading to other federal funding streams. Higher education institutions that already receive funding from the U.S. Department of Health and Human Services (HHS) and the National Science Foundation (NSF) are seeing similar data-protection clauses, and the Department of Education's Federal Student Aid office has pointed schools to NIST SP 800-171 as the benchmark for protecting student financial aid records under the GLBA Safeguards Rule. In practice, nearly every college and university in the U.S. will have to implement the same control set, whether or not it ever sees a CMMC clause.
Research institutions with millions of dollars at stake are concerned that CMMC's data access mandates could disrupt their flow of information, as well as the review and publication cycles of important research. The new program could limit scientific peer review or even curtail idea sharing across institutions. CMMC requires schools to demonstrate compliance at the required level before a contract carrying a CMMC clause can be awarded, so a failed or late assessment means lost awards rather than a fine. For many schools, this could be financially ruinous. The scoping decision matters here: CMMC requirements attach to the systems that store, process, or transmit FCI or CUI, so a narrowly scoped research enclave limits both the assessment boundary and the disruption to the rest of campus.
Here are three things organizations can do to prepare:
1. Assess how CMMC affects your institution and improve accordingly
CMMC requirements vary with the level written into each contract, which in turn depends on the data you handle. Level 1 covers FCI only and is an annual self-assessment against 17 basic practices; Level 2 covers CUI and maps to the 110 requirements of NIST SP 800-171, with most contracts requiring a third-party assessment; Level 3 adds a subset of NIST SP 800-172 and is assessed by the government. A university conducting sensitive defense research on CUI will therefore face far more stringent requirements than one whose DoD-funded work never touches CUI.
To minimize subsequent CMMC remediation for your institution, start by analyzing your security program and the implementation/maturity of security technologies in your environment. By conducting a security posture review, you can identify:
- Your current security process optimization levels
- Gaps in your cybersecurity program
- Risk priorities, so you know where to focus resources first
- External vendors/partners who will need to adopt more stringent security protocols
- Opportunities for cost containment, automation, and consolidation
Next, work with your cybersecurity technology partners to build a roadmap of solutions (including managed services), processes, and technology. Capture the results in the two artifacts a CMMC assessor will ask for first: a System Security Plan (SSP) describing how each requirement is met, and a Plan of Action and Milestones (POA&M) for the gaps. For Level 2, the self-assessment score also has to be posted to the Supplier Performance Risk System (SPRS). Finally, have a trusted third party run a readiness (gap) assessment to validate your remediation, and for contracts that require certification, schedule the formal assessment with a CMMC Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB.
2. Strive for alignment across your unique cybersecurity ecosystems
Additional challenges with CMMC compliance arise when research involves multiple organizations, even in the same institution. For example, many universities share data across a school, a research arm, and a medical center – each with its own CISO.
How, then, do you keep sensitive information safe, secure, and CMMC-compliant while still allowing access to essential personnel from each entity? Very few universities are equipped to mitigate risk while providing access for physicians who teach, conduct research, and practice medicine.
The following solution categories are examples of tools that segregate systems and user access across departments, which is what keeps the CMMC assessment boundary small and defensible. Tools like these can help achieve alignment among many moving parts and players while supporting CMMC compliance:
- Identity and Access Management (IAM): Implementing the right identity and access management solution lets you strike a balance between usability and security while maintaining control over how users interact with applications and data. Multi-factor authentication and role-based, least-privilege access to CUI systems map directly to NIST SP 800-171 access control and identification requirements.
- Unified Endpoint Management (UEM): Platform solutions that combine asset, vulnerability, and patch management, among other capabilities, allow your IT teams to manage and secure devices across all platforms from a single console and to prove which devices are inside the CUI boundary.
- Governance, Risk, and Compliance (GRC): Incorporating IT into your institution's GRC strategy bridges gaps and silos between technology risks, financial risks, and data compliance, and gives you one place to track the SSP, POA&M, and evidence an assessor will request.
- Managed Detection and Response (MDR): A services solution that consolidates Security Information and Event Management (SIEM) capabilities with 24x7 managed security monitoring and alerting has become increasingly affordable, effective, and reliable. MDR reduces your need for in-house headcount while increasing visibility, and it covers the audit logging and incident response requirements that campus teams most often lack.
3. Choose the optimal technology partner
When choosing technology partners, make sure you work with a vendor who can help identify new cybersecurity funding. SHI has a grants team that helps schools conduct funding assessments to identify potential grants for your cybersecurity purchases.
SHI also enables public sector customers to procure through 500+ contracts and cooperatives, identifying the right cybersecurity procurement vehicles for your college or university so you get competitive pricing while meeting procurement compliance requirements.
Don’t let CMMC take your institution by surprise or disrupt your research. Assess and improve your cybersecurity and get ahead of the game. Connect with your SHI account representative to learn more about the specific solutions that can be utilized to address your CMMC cybersecurity needs.