5 Ways CMMC Security Requirements Can Impact Universities


One interesting thing about Cybersecurity Maturity Model Certification (CMMC) is that organizations could previously self-certify their cybersecurity maturity before applying for a grant or bidding for a contract with the US Department of Defense (DoD). Under CMMC, organizations now have to pass a third-party audit, a requirement that did not exist before, before they can do either of these things.

This change raises several questions for me: What will be the impact of CMMC on research universities that wish to work with DoD? How will the certification change the business models of these universities?

CMMC and the university business model
Higher education is under strong downward pressure on its income streams. We are witnessing a consolidation of higher education because demand in certain fields is lower than it used to be. In addition, when the 2008 downturn occurred, state and local funding for higher education was cut and never recovered. Now, with COVID-19, it is being cut again.

As a result, university leadership prioritizes the academic mission and research at the expense of IT and security. (I'd say at the expense of security first, then IT.) And now CMMC is coming around the corner; everything is converging at the same time.

Since state and local funding sources are less reliable than before, research universities are seeking other funding sources to recoup this income and continue to grow. They will need to manage their security posture (and be sure they actually have good security) if they want a reliable income stream that can support other education costs.

Research universities as the main attack target
Higher education is already a target for cyber threats. Theft of personal data is the obvious one, but there is also the threat to intellectual property, often from nation-state attackers. And research data is the primary target at every university.

University leaders know this, but they do not really understand security. They still see it as an IT issue rather than a business issue. Until now, implementing security controls and remediating vulnerabilities has been left to the research universities' security teams, which may sit in central IT or in the research office. But there is no coordinated security effort across the university, because senior management has not fully grasped the nature of the threat.

In general, higher education is not particularly mature from a security perspective, so it is an easy target. It is not just targeted attacks they need to worry about: universities are subject to opportunistic attacks to a degree that other industries tend not to be. This is directly related to the highly collaborative culture of academia, where the default is to assume openness, trust and sharing. It is the direct opposite of every other vertical industry we serve.

CMMC will change the way research universities approach security
Under the old DoD standards, an institution such as a research university did not have to submit to a third-party review. It did not have to proactively monitor its controls, either. All it had to do was certify that it had the controls and hope that nothing went wrong.

With CMMC, external assessors will now come in and put research universities in a position where they must validate the effectiveness of their controls over time. Not only that, but they must achieve compliance across the board before they can bid for a research grant. This proactive, ongoing compliance is new, and it is not easy to meet without the support of the whole institution.

Ultimately, the controls are not new with CMMC, but the governance and oversight component is. Are these things documented? Is there good governance within the institution? Is it at the right level? Do the people responsible for this risk know what the risks are and how they are managed? This implies a fairly heavy control function. Complying with CMMC will be a significant administrative burden for research universities. It will also be a strategic differentiator for the universities that adopt it first.

CMMC will be good for research universities
… and I dare say for other organizations too.

If universities can embrace security as a differentiator and accelerator of innovation and research, they will be far better off than fighting it.

As mentioned above, the CMMC requirements for basic controls are things that institutions have self-certified in the past, so they should already be doing them. In practice, they probably do not always do all of them. It is therefore important to understand not only how to implement CMMC, but also how to integrate it into the strategic plan as a generator of opportunities.

There are also many other regulatory requirements that most institutions must meet, such as PCI and HIPAA. Almost all of them are based on NIST standards, and the same goes for CMMC. So once you meet the CMMC standard, you are well on your way to meeting those other standards as well.

Finally, CMMC is starting to demand conversations with university leaders. Whether it is the president's office, the board of directors or other leaders, it requires these people to engage with the current security landscape. This is helping to shape research universities' approach to security.

Businesses Can Help Research Universities Achieve CMMC Certification
Colleges and universities have a large technology footprint, so they need a partner who understands the breadth of that footprint and can help them meet all CMMC requirements.

Perhaps most intriguing, CMMC has wider ramifications beyond research university business models, because it influences everyone in the supply chain, not just for DoD research contracts but potentially for other federal agencies and for current and prospective private funders of research at these institutions. Many private companies already use elements of the CMMC standards as a de facto requirement for sharing sensitive data that universities may encounter in their research efforts. It therefore pays for everyone to begin to better understand these requirements and to make a special effort to help research universities, an important source of innovation in this country, understand and prepare for these continuing demands in the years to come.
