What’s at Stake for all Higher Education Institutions — Not Just R1s
To fall in line with the CMMC 2.0 framework, higher education institutions must prove they have the security tools in place, and configured correctly, to show regulators that DOD data can’t be extracted from an on-campus research team.
Speaking of that research team, failing to achieve CMMC compliance means more than not being able to do research. It also means those researchers are likely on their way out the door. And good luck replacing them, as researchers that R1 universities want to attract are going to be repelled either by the fact that the university is not CMMC-compliant or that it didn’t quickly get its act together for CMMC 2.0, since there’s certain to be a CMMC 3.0 sometime in the near future.
If that’s not enough, getting your security architecture in line with CMMC protocols is just good cyber hygiene. Yes, the rules can be restrictive, complicated and difficult to follow, but with universities seeking new streams of revenue, cutting yourself off from a potential line of grant funding is bad business. It’s also possible that the rules outlined in CMMC could be adopted by other federal agencies, such as the National Science Foundation and the Department of Health and Human Services, further restricting the grant pool for universities.
Then there are R2 institutions, many of which aspire to one day join the ranks of the R1s. It’s a waste of time to try without already being CMMC-compliant and, as CMMC spreads beyond DOD within the federal government, the rules could also be extended to lower-tier research projects.
The Cloud and Trusted Partners Make CMMC Compliance Happen Sooner
It’s possible for universities to achieve CMMC compliance through on-premises data centers, but at this late hour that’s probably no longer an option. And even if it were, there’s still a case to be made for storing research data in the cloud.
For one thing, major cloud vendors are ready to submit full architecture to the federal government proving that their end of the security infrastructure is CMMC-compliant. There’s still work to do on the university side — such as securing the machines that are part of the research project — but anything that takes some burden off IT teams is a good idea. It also makes needed adjustments or recertification simpler than if it all fell on the shoulders of a single IT department.
It does mean that your cloud provider will become a partner in CMMC compliance, but the good news is it doesn’t have to be the only partner. Vendor-agnostic partners such as CDW have created, tested and managed low-cost, easy-to-maintain and easy-to-scale research systems at other institutions, and can provide the same services today through a shared responsibility model.
The shared responsibility includes the university, the cloud provider and, in this case, CDW, all of whom have a stake in getting CMMC compliance right. It lowers the responsibility that falls on the university by splitting it three ways, and it provides a floor of minimal compliance. It also means there are partners at the ready to fix any problems that may pop up, including CDW’s engineers, architects and security experts, who have worked with all sorts of vendors to gain compliance.
Most important, CDW also partners with third-party assessment organizations that can test for CMMC compliance before the federal government does. These testers can’t guarantee compliance, but they do a good job of identifying potential problems that can be fixed through a shared partnership.