This Security Regulation Is Blindsiding the Education Sector

by Shannon (@ShannonFlynn), November 26th, 2021

Too Long; Didn't Read

Cybersecurity Maturity Model Certification (CMMC) is a program meant to protect sensitive information from leaking from Department of Defense contractors. Many universities and other educational institutions have only recently discovered that they must comply with this new regulation. The higher level a contractor reaches, the more sensitive DoD contracts they can win. The University of Tennessee Space Institute recently announced a half-million-dollar contract with the DoD. To keep that contract and receive similar ones in the future, UTSI will need to comply.

The higher education sector has not been a leader in cybersecurity in the past. Cybercrime is a fairly new threat to these institutions, leaving many unequipped and unaware of how to deal with the issue. As Cybersecurity Maturity Model Certification (CMMC) deadlines approach, that’s a problem.

Many universities and other educational institutions have only recently discovered that they must comply with this new regulation. Its tight deadlines and high standards now pose a challenge for many of these organizations.

What Is the CMMC?

The CMMC is a program meant to keep sensitive information held by Department of Defense (DoD) contractors from leaking. The newest version consists of three levels, each requiring certified contractors to meet higher standards than the last. The higher the level a contractor reaches, the more sensitive the DoD contracts it can win.

Most of the standards in the CMMC reflect those from the National Institute of Standards and Technology (NIST). For example, Level 2 matches 110 security practices from NIST SP 800-171, and Level 3 mirrors some NIST SP 800-172 requirements.

The DoD will start implementing these requirements as their contracts renew over the next few years. All new or renewed contracts will likely require CMMC compliance, so organizations coming to the end of one need to prepare quickly.

How Does the CMMC Apply to Education?

When most people think of defense contractors, higher education likely doesn’t come to mind. However, many universities serve as important research centers for the DoD. Several universities, like the Massachusetts Institute of Technology (MIT) and the University of Washington, have long histories of partnering with the DoD.

These DoD contracts can be an important source of funding for these institutions. The University of Tennessee Space Institute (UTSI), for example, recently announced a half-million-dollar contract with the DoD. To keep that contract and receive similar ones in the future, UTSI will need to comply with the CMMC.

It’s important to note that compliance isn’t mandatory for the entire university, just the part conducting DoD research. In the UTSI example, the Space Institute must comply, but the rest of the University of Tennessee doesn’t have to.

Why the CMMC Poses a Challenge for Higher Education

As CMMC implementation inches closer, many higher education centers have found themselves unprepared. Generally speaking, universities have been far less aware of these requirements, likely due to miscommunication between departments. As a result, these institutions now face tightening deadlines with much work ahead of them.

Meeting CMMC standards may prove a challenge for schools, where cybersecurity has historically been lacking. Many schools do not consider themselves targets, and this, ironically, has made them ideal victims for hackers. The valuable information these institutions hold and their lackluster security put them at remarkable risk.

Coming from that background, it could take substantial investment to reach CMMC-compliant levels of security. It already takes organizations roughly six to nine months to meet these regulations, and schools may not have the head start others do. Institutions that rely on DoD funding have a short timeframe in which to make significant security improvements.

What Schools Can Do

Thankfully, since the CMMC only applies to the department involved in DoD research, implementing these changes isn’t as challenging as it could be. Still, higher education facilities that rely on these contracts should start addressing their security now.

First, these institutions should determine which level of compliance they’ll need to reach. Since NIST assessments cover most requirements under the CMMC, they could then perform those assessments to see where they need to improve. They may also want to seek out a DoD-accredited auditor to provide specific CMMC-related guidance.

Many of the required practices under this regulation address common security weak points. Practices like multi-factor authentication, network segmentation, and user identity management are crucial. Penetration testing could reveal where these facilities need to improve.

Transparency is another crucial factor. The more open about their security shortcomings and practices schools are, the more third-party security services and auditors can help them improve.

Higher Education Needs to Revisit Its Security

Even apart from DoD contracts, higher education could stand to improve its security practices. As these institutions become increasingly valuable targets, they need to do more to keep sensitive information secure. In that way, the CMMC could serve as a wake-up call.

While CMMC deadlines are growing tighter, schools have many resources available to reach compliance. If universities can start now and reach out to security experts, they can become compliant and maintain their valuable contracts.