What’s New in CMMC 2.0 for Higher Education Institutions?
The first version of CMMC could be described as a philosophical document. It explained why securing sensitive data is so important but didn’t provide much guidance about how to do that. That left many IT security practitioners struggling to figure out whether they would meet the requirements.
CMMC 2.0 has been designed to change that. There are numerous specific controls and practices for universities to follow in one of three increasingly stringent tiers. Higher education institutions — especially those trusted with any Controlled Unclassified Information (CUI) — will likely fall into the second of those tiers and be asked to comply with the 110 controls and practices that are included.
The new CMMC rules also take a more holistic approach to data security. The rules will include both technical and human requirements, such as required training for any user with access to CUI, and they will incorporate physical security for the premises where data is stored.
It’s also worth noting that CMMC 2.0 incorporates a bit more nuance and flexibility to achieve compliance. Government regulators will be able to work with institutions and approve contracts based on a strong system security plan or a Plan of Action and Milestones, complete with concrete steps in place to address security gaps. The added flexibility will also allow compliance personnel to consider how rules apply to each situation.
More good news: The CMMC rules are based on the existing National Institute of Standards and Technology Cybersecurity Framework. The rules also match much of what many institutions are already doing to comply with the Defense Federal Acquisition Regulations Supplement and the International Traffic in Arms Regulations. If an institution is conducting research subject to either of those regulations, or simply following a zero-trust framework, it is probably well down the road toward complying with CMMC 2.0.
Meeting CMMC 2.0 Requirements Takes Collaboration Across Campus
To protect CUI, many institutions have created CUI enclaves — network areas where that kind of information can be freely distributed and discussed. Those enclaves have more stringent access controls in place and can be an effective strategy in a university environment where different colleges act independently and have an institutional bias toward data openness that is, in many ways, antithetical to data protection.
Just building the enclaves, however, isn’t enough to ensure data stays secure. Imagining real-life use cases can expose vulnerabilities that aren’t otherwise obvious. That includes things like what happens when institutions need to collaborate with each other. Even if the enclave is using a compliant platform such as the Government Community Cloud (GCC) High from Microsoft, what happens when someone outside — such as a third-party contractor — who is not a GCC High user needs to be part of those conversations?
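The enclave question above comes down to a deny-by-default access decision: a request for CUI should be allowed only when the identity lives in the enclave, has been explicitly provisioned into it, has a current CUI training record (the human requirement noted earlier) and is using MFA, and an outside contractor's account should be refused with a recorded reason rather than silently let in. The following Python is an added illustration of that decision logic, not code from the article, CDW, CMMC, NIST or Microsoft; the tenant name, training validity period, user records and resource labels are constructed for the example.

```python
"""Deny-by-default access check for a CUI enclave (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class User:
    identity: str
    home_tenant: str                    # identity provider the account lives in
    enclave_member: bool                # explicitly provisioned into the enclave
    cui_training_date: Optional[date]   # last completed CUI-handling training
    mfa: bool                           # current session satisfied MFA


@dataclass(frozen=True)
class Resource:
    name: str
    labels: frozenset                   # e.g. frozenset({"CUI"})


ENCLAVE_TENANT = "enclave.example"      # constructed placeholder, not a real tenant
TRAINING_VALIDITY = timedelta(days=365) # assumed refresher interval for this example


def check_access(user, resource, today):
    """Return (allowed, reasons).

    Resources without a CUI label are outside the enclave policy and pass.
    CUI resources must satisfy every check; each failed check is recorded so
    the denial can be explained to the requester and logged for review.
    """
    if "CUI" not in resource.labels:
        return True, []
    reasons = []
    if user.home_tenant != ENCLAVE_TENANT:
        reasons.append("identity is outside the enclave tenant")
    if not user.enclave_member:
        reasons.append("not provisioned into the enclave")
    if not user.mfa:
        reasons.append("session lacks MFA")
    if user.cui_training_date is None or today - user.cui_training_date > TRAINING_VALIDITY:
        reasons.append("CUI training missing or expired")
    return (not reasons), reasons


def demo(today=date(2024, 6, 1)):
    """Constructed sample: an enclave researcher, an outside contractor whose
    account is not an enclave identity, and a member whose training lapsed."""
    researcher = User("prof@enclave.example", ENCLAVE_TENANT, True, date(2024, 1, 15), True)
    contractor = User("vendor@contractor.example", "contractor.example", False, None, True)
    lapsed = User("staff@enclave.example", ENCLAVE_TENANT, True, date(2022, 3, 1), True)
    cui_doc = Resource("award-data.xlsx", frozenset({"CUI"}))
    public_doc = Resource("syllabus.pdf", frozenset())
    return {
        "researcher": check_access(researcher, cui_doc, today),
        "contractor": check_access(contractor, cui_doc, today),
        "lapsed": check_access(lapsed, cui_doc, today),
        "public": check_access(contractor, public_doc, today),
    }


if __name__ == "__main__":
    for who, (allowed, reasons) in demo().items():
        print(f"{who:10s} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
```

The contractor case is the one the article raises: the check refuses the request and names why, which is the information a sponsor needs to decide whether to provision a guest identity inside the enclave rather than share CUI outward. The lapsed-training case shows why a purely technical control set is not enough; the account is otherwise fully compliant and is still denied.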
The way to take a more comprehensive look at an institution’s security posture is to not simply treat compliance as a check-box exercise. The potential issues are too interwoven and too complex to simply tick off a list as each one is completed. Gaps in security may only appear once the controls are operationalized. If they appear when, say, the bidding process is ongoing, it might be too late. That could be an extremely costly mistake.
So, first and foremost, institutions need to come together at nearly every level to address compliance with a united front that bridges the multiple stakeholder communities involved. Legal departments, academic leadership, research teams, IT departments and more should all consider CMMC and begin to strategize.
Self-assessments, which are part of the CMMC certification process, are also now available and can be a helpful tool for identifying risk, discovering where security gaps exist and preparing for how they can be remediated. Conducting those assessments now, when the stakes are lower than they will be after Oct. 1, 2025, is a tangible way to measure your institution’s progress and establish compliance goals for the next two years.
Partnering with a Registered Provider Organization is another step universities can take to measure their security framework. CDW is an RPO, and our experience and expertise allow our team to assist institutions with assessments, gap analysis, remediation and certification, including full-service solutions to help accomplish all of that and more.
This article is part of EdTech: Focus on Higher Education’s UniversITy blog series.