An interesting thing about the Cybersecurity Maturity Model Certification (CMMC) is that organizations could previously self-certify their cybersecurity maturity before applying for a grant or bidding on a contract with the US Department of Defense (DoD). Under the CMMC, organizations now need to pass a third-party audit — a requirement that didn’t exist before — before they can do any of those things.
This change raises several questions for me: How will CMMC impact research universities looking to work with the DoD? How will certification change the business models of these universities?
CMMC and the University Business Model
Higher education has a lot of downward pressure on it in terms of income streams. We’re seeing consolidation of higher education because the demand for it is less than it used to be in certain areas. Also, when the downturn of 2008 happened, state and local funding for higher education was cut and never recovered. Now with COVID-19, and it's getting cut again.
So university leadership is prioritizing the academic mission and research at the expense of IT and security. (I would argue at the expense of security and then IT.) And there is CMMC, coming around the corner … everything converging at the same time.
Since state and local funding sources are less reliable than they used to be, research universities are looking to research funding sources as the way to recover that revenue and continue to grow. They will need to manage their security posture (and be confident of having good security) if they're going to have a reliable income stream that can carry other education costs.
Research Universities as a Prime Attack Target
Higher education is already a target for cybersecurity threats. Theft of personal data is the obvious target, but there’s also the threat to intellectual property, often by nation-state attackers. And research data is the primary target across universities.
University leaders are aware of this, but they don't really understand security. They still think of security as an IT problem and not a business problem. Up until this point, the implementation of security controls and the remediation of security weaknesses has been left in the hands of the security teams at research universities. Those teams may be part of central IT or part of the office of research. But there isn't a coordinated security effort across the university because senior leadership hasn't really grasped the nature of the threat.
In general, higher education is not particularly mature from a security perspective, so they are an easy target. It's not just targeted attacks they have to worry about — universities are subject to opportunistic attacks in degrees that other industries tend not to be. This is directly related to academia’s highly collaborative culture, where the default is to assume openness, trust, and share. This is the direct opposite of every other industry vertical that we serve.
CMMC Will Change How Research Universities Approach Security
Under the older DoD standards, an institution like a research university wouldn't have to submit themselves to a third-party assessment. And they also didn't have to proactively monitor their controls. So they just had to attest that they had controls and hope that nothing would go wrong.
But with CMMC, external assessors will now come in and put research universities in a position where they must validate the effectiveness of controls over time. Not only that, but they must achieve compliance everywhere before they can make a bid for a research grant. This proactive and continuous compliance is new, and it's not easy to meet without the support of the entire institution.
Ultimately, the controls aren't new in CMMC, but the oversight governance and monitoring component is. Are these things documented? Is there the right governance at the institution? Is it at the right level? Do the people who are responsible for this risk know what the risks are and how they’re being managed? This implies quite a heavy oversight function. It is going to be a significant administrative burden for research universities to comply with CMMC. It will also be a strategic differentiator for universities that are early adopters of it.
CMMC Will Be a Good Thing for Research Universities
… and I dare say other companies, as well.
If universities can embrace security as a differentiator and as an accelerator of innovation and research, they will be much better off than fighting it.
As mentioned above, CMMC requirements in terms of the basic controls are things institutions have been self-certifying to in the past, so they should already be doing them. They likely aren’t always doing all of those things, though. So it’s important to understand not only how to implement CMMC, but also how to make it part of the strategic plan and an opportunity generator.
There are also many other regulatory requirements that most institutions should meet, such as PCI, HIPAA, etc. Almost all of them are based on the NIST standards. The same goes for CMMC. So once you meet the CMMC standard, you are on your way to meeting these other standards as well.
Finally, CMMC is starting to require conversations with university leadership. Whether it’s the president's office, the board, or other leadership, it requires those individuals to engage in the security landscape of the moment. This is helping to shape research universities' approach to security.
Companies Can Help Research Universities Achieve CMMC Certification
Colleges and universities have broad technology footprints. So they need a partner who understands the scope of their technology footprint and can help with the heavy lift of meeting all the requirements of CMMC.
Perhaps most intriguingly, this has broader ramifications beyond research university business models because it influences everyone in the supply chain for not only DOD research contacts, but also potentially other federal agencies, and other current private investors and financier’s underfunding of research at these hospitals. Many private companies are also using pieces of the CMMC standards as the de-facto requirement for sharing sensitive data they may come across in their research efforts. Therefore, it pays for all to begin to better understand these requirements and make a distinct effort to help research universities — an important source of innovation in this country — better understand and prepare for these ongoing requirements moving forward.