The Cybersecurity Maturity Model Certification (CMMC) program was established by the U.S. Department of Defense (DOD) in September 2020 to provide guidelines around security-critical data and digital assets for all entities that interact with the DOD.

CMMC recently launched its 2.0 model, based on the well-known NIST cybersecurity framework. The DOD’s phased rollout plan requires all organizations engaging with the DOD to be CMMC 2.0-compliant by October 1, 2025. This presents a unique challenge for higher education institutions that depend on DOD contracts and funding for essential research programs.

Many CMMC security requirements and provisions will also be instituted at higher education institutions that already receive funding from the U.S. Department of Health and Human Services (HHS) and other agencies. This extends to any system relying on federal funds, including student financial aid records, meaning nearly every college and university in the U.S. will be impacted.

CMMC will require schools to prove full compliance before they can apply for grant or research contracts. For many schools, this could be a huge hit financially.

Three things organizations can do to prepare:

1. Assess how CMMC affects your institution and improve accordingly

CMMC requirements vary based on the DOD entity you work with and the data you use. For example, universities conducting highly sensitive defense research will likely have more stringent requirements than those pursuing medical research.

To minimize CMMC remediation for your institution, start by analyzing how your security program is implemented and how mature the security processes and technologies in your environment are. A CMMC Readiness Assessment with Goliath Cyber is one way to do this.

You can identify:

  • Your current security process
  • Gaps in your cybersecurity program
  • Risk priorities, so you know where to focus first
  • External vendors/partners who will need to adopt more stringent security protocols
  • Opportunities for cost reduction, automation, and consolidation

Next, work with Goliath Cyber to build a roadmap of solutions (including managed services), processes, and technology. They can also work with you to obtain a CMMC audit validating your remediation efforts and identify any remaining gaps.

2. Alignment across your cybersecurity ecosystems

Additional challenges with CMMC compliance arise when research involves multiple organizations, even in the same institution.

How do you keep sensitive information safe, secure, and CMMC-compliant while allowing access to essential personnel from each entity? Very few universities are equipped to mitigate risk while providing access to the proper personnel.

Tools like these can help achieve alignment, ensuring CMMC compliance:

  • Identity and Access Management (IAM): Implementing the right identity and access management solutions will allow you to strike the right balance between usability and security, maintaining greater control over how users interact with applications and data.
  • Unified Endpoint Management (UEM): Platform solutions with combined capabilities such as asset, vulnerability, and patch management allow your IT teams to manage and secure devices across all platforms from a single source.
  • Governance, Risk, and Compliance (GRC): Incorporating IT into your institution’s GRC strategy bridges potential gaps and silos between technology risks, financial risks, and data compliance.
  • Managed Detection and Response (MDR): Leveraging a services solution that consolidates Security Information and Event Management (SIEM) capabilities with 24×7 managed services for security monitoring and alerting has become increasingly affordable, effective, and reliable. MDR further reduces your need for headcount while increasing visibility and flexibility.

3. Choose the optimal technology partner

Don’t let CMMC take your institution by surprise or disrupt your research.

Connect with Goliath Cyber to learn more and address your CMMC cybersecurity needs.
