In September 2020, PreVeil hosted its CMMC Virtual Summit featuring a keynote session with Katie Arrington, CISO at the Department of Defense (DoD) Office of Acquisition & Sustainment, and Karlton Johnson, CMMC-AB (CMMC Accreditation Body) board chair. One of the Summit’s breakout sessions focused on CMMC compliance for higher education institutions. That session was conducted in partnership with EDUCAUSE and moderated by Brian Kelly, director of the EDUCAUSE Cybersecurity Program; Johnson participated in that session as well.
Several top-of-mind questions emerged from the higher education community during the Summit, reflecting concerns expressed in other venues over the past several months as the CMMC framework has moved closer to implementation. Those top questions are answered here, to the extent possible at this point.
Note that ongoing dialogue among higher education representatives, the DoD, and the CMMC-AB—as jump started by the Summit—will shed further light on the application of CMMC to university-based research labs and facilities, as well as FFDRCs (Federally Funded Research and Development Centers) and UARCs (University Affiliated Research Centers), all of which are subject to CMMC mandates.
1. Will fundamental research be exempted from CMMC?
At this point, there is no exemption from CMMC for fundamental research, as emphasized by Arrington during the Summit. That said, several higher education organizations—EDUCAUSE, AAU (Association of American Universities), APLU (Association of Public and Land-Grant Universities), and COGR (the Council on Governmental Relations)—recently submitted a letter to DoD expressing concerns about the potential negative impact of CMMC on fundamental research. The group plans to continue to press their case for a fundamental research exemption with DoD officials.
In the breakout session, Johnson made it clear that the CMMC-AB wants to learn more about the differences between how businesses within the DIB and higher education institutions do their work and conduct research. He indicated that CMMC-AB will form an academic advisory council to represent higher education’s interests, gather input from the community, and inform the CMMC-AB’s work. It is possible, Johnson noted, that assessors could be trained to specialize in higher education, which also would help to ensure consistency of findings throughout the sector.
2. Does my entire institution need to be CMMC certified?
No. Only those parts of the institution conducting DoD-sponsored research—either as primes or subcontractors—must obtain CMMC certification at the level appropriate to the work they are doing for DoD.
It appears that some major research institutions intend to pursue CMMC Level 1 certification for their entire institution, which entails 17 basic cyber hygiene practices—the equivalent of all the safeguarding requirements from FAR Clause 52.204-21. Again, though, entire institutions do not need to be CMMC certified.
An important first step in the CMMC compliance journey is to determine the scope of CMMC for your institution, including all DoD-sponsored research currently being done. A good place to start is with your grants and contracts office, to request information on all active DoD contracts the university has, including all research subject to FARS and DFARS Clause 252.204-7012. Ask for details about the amounts of the contracts, their timeframes, and renewal dates. The research office may not have this information already compiled; now is the time to do so.
3. How will primes flow down their CMMC level requirements to their subcontractors?
University research labs will not automatically need to achieve the same CMMC level as the prime their work is being done for. Instead, CMMC level requirements will be based entirely on the type of information shared by the prime with the university researchers. For example, if CUI (Controlled Unclassified Information) is not being shared by the prime with the sub, then for that contract the sub likely will need to achieve just Level 1, which is focused on safeguarding FCI (Federal Contract Information).
Given institutions’ concerns with the flow down of CMMC requirements, the proposed CMMC-AB academic advisory council described above will be an important vehicle by which to help ensure that appropriate CMMC level requirements are flowed down by primes to university researchers.
4. Who will pay for the costs to comply with CMMC?
Arrington noted during the keynote session that DoD will cover institutions’ costs of CMMC certification, including the time and effort to prepare for CMMC audits and the cost of the audits themselves. She recommended that institutions begin to assess those costs and build them into their rates. This is in keeping with what Arrington has emphasized in previous venues, that is, cybersecurity is mission critical for our nation’s defense and so DoD plans to pay for CMMC certification.
5. When will university-based labs and other research facilities conducting DoD-sponsored research need to be CMMC certified?
CMMC requirements will go into effect when changes to DFARS 252.204-7012 are finalized, As promised by Arrington, the long-anticipated interim DFARS rule shedding light on CMMC ‘s implementation was released soon after the Summit, on Sept. 29, 2020. The comment period will end and the rule will go into effect on Nov. 30, 2020. At that point, DoD intends to add CMMC certification requirements to its RFPs, starting with approximately 15 procurements for critical DoD programs and technologies, such as those associated with nuclear and missile defense. DoD estimates that each of the 15 primes will have an average of 100 subcontractors, and thus approximately 1,500 primes and subcontractors will be affected and, likewise, will need to be CMMC certified by Fall 2021.
The CMMC roll-out will continue over a five-year period, with the expectation that virtually all new DoD contracts will include CMMC requirements by Fall 2025. That said, according to the Sept. 29, 2020 DFARS ruling, some very small entities won’t be cycled in until years six and seven, at which point CMMC will be implemented across the entire DIB.
CMMC certifications will be valid for three years.
6. How can university-based labs and other research facilities subject to CMMC mandates communicate across boundaries to non-CMMC certified labs, enclaves, campus services, etc?
Labs and research facilities subject to CMMC mandates can communicate with colleagues in non-certified labs by taking advantage of modern email and file sharing tools based on end-to-end encryption. This answer assumes that the individual in the non-certified lab is permitted to handle CUI. If the individual is not permitted to do so, then it is illegal to exchange CUI with this person.
End-to-end encryption is uniquely able to serve as the basis for CMMC-compliant emailing and file sharing across entities. Currently available technical solutions overlay end-to-end encryption on top of such communications, ensuring that only the sender and the recipient can ever read the information being shared—and no one else.
PreVeil Drive (for file sharing) and PreVeil Email are tools already in use for securing the DoD supply chain by enabling CMMC-compliant communication between primes and their subs—a situation similar in some ways to the campus communication described above. Enabling such communication supports higher education’s culture of free and open exchange of information and ideas—a culture critical to the preeminence of American research institutions.
7. How can I find answers to additional questions?
Please submit your questions to PreVeil using the form below. We will work to get you answers in a timely manner.
How PreVeil can Help
PreVeil employs world class end-to-end encryption, and works with higher education’s open culture for creating knowledge—not against it. It supports compliance with DFARS 7012, NIST 800-171, ITAR, and virtually all of the CMMC Level 3 mandates related to the communication and storage of CUI.
PreVeil Drive and Email deploy easily as an overlay system, with no impact on existing file and email servers—making configuration and deployment simple and inexpensive. PreVeil is easy for researchers to adopt because it works with the tools they already use: PreVeil Drive’s file sharing works like OneDrive and is integrated with Windows File Explorer and Mac Finder. PreVeil Email seamlessly integrates with Outlook, Gmail, or Apple Mail clients.
PreVeil is cost effective. It need be deployed only to researchers handling CUI, whereas alternatives require deployment across entire labs and research organizations. Researchers can share PreVeil with their collaborators for free, securing their communications and facilitating their ongoing work. And PreVeil’s straightforward, light-touch solutions help avoid expensive CMMC consultant engagements, which are par for the course for some alternatives.
To learn more about how PreVeil helps universities balance research collaboration and CMMC compliance, visit our higher education page.