In the United States, the Department of Defense (DoD) is increasing the security measures required to participate in their research funding programs. This comes in the form of the Cybersecurity Maturity Model Certification (CMMC). Cisco’s Advisory CISO and former Chief Information Security Officer at The Ohio State University, Helen Patton, explained CMMC to Forbes as “A high-level security protocol established by and for the Department of Defense (DoD) intended to harden critical or vulnerable digital assets”. (The Big, Unexpected Cybersecurity Threat Coming For Our Colleges)

Previously, organizations could self-certify their cybersecurity maturity before applying for a grant or bidding on a contract with the DoD. There was no requirement for a third party to inspect them. Under CMMC, and now CMMC 2.0, most institutions will need to pass a third-party audit first. This raises several questions:

  • How will CMMC affect U.S. research universities looking to work with the DoD?
  • How might certification affect those organizations?
  • How will this affect the global network of research universities?

To better understand the impacts, I met with Helen Patton. Helen is an author, teacher, and advisory CISO at Cisco. This makes her the perfect person to discuss the intersection of CMMC and higher education. Here are five important things that I learned from our chat.

CMMC is relevant to U.S. research universities now more than ever

Higher education has a lot of downward pressure on it in terms of income streams. We’re seeing consolidation of higher education because the demand is now less in certain areas than it used to be. Also, when the downturn of 2008 happened, state and local funding for higher education got cut, and it never recovered. Now that COVID-19 has hit, it’s getting cut again.

That’s why university leadership is prioritizing the academic mission and research at the expense of IT and security (I would argue at the expense of security and then IT). Meanwhile, CMMC is appearing on the horizon. All of this is converging at the same time.

Since state and local funding sources in the U.S. are less reliable than they used to be, research universities are looking to research funding sources as a way to recover that revenue and continue growth. They’ve got to stand up in their security posture (and be confident of having good security) if they’re going to have a reliable income stream that can offset education costs.

Research universities are a prime target for digital attackers

Higher education is already a target for cybersecurity threats. Theft of personal data is the obvious target, but there’s also the threat to intellectual property, often by nation-states. Research data is a key target across universities.

This is known to university leadership around the world. They’re aware of it. But they don’t really understand security. They still think of it as an IT, rather than business, problem. Until now, the implementation of security controls and the remediation of security weaknesses has been left in the hands of security teams at research universities. Those teams may be part of central IT or part of the office of research. But they’ve lacked a coordinated security effort across the university due to senior leadership not fully understanding the nature of the threat.

There’s also the cultural aspect. Indeed, the culture of universities is to assume openness, to trust and share. This is the direct opposite of every other private industry vertical that we serve.

CMMC will positively change how U.S. research universities approach security

With CMMC 2.0, external assessors will now push research universities to validate the effectiveness of controls, over time, for most research grants. They must achieve compliance everywhere before they can make a bid for a research grant. This proactive and continuous compliance is new, and it’s not easy to meet without the support of the rest of the institution.

It also raises additional questions:

  • Are these things documented?
  • Is there the right governance at your institution?
  • Is it at the right level?
  • Do the people who are responsible for this risk know what the risks are and how they’re being managed?

CMMC will add a significant administrative burden for research universities. But it will also be a positive strategic differentiator for early adopters.

CMMC will be good for research universities

The basic controls required by CMMC are things institutions have been self-certifying to in the past, so they should already be doing them. But it’s important to understand how to implement CMMC while making it part of a strategic plan and an opportunity generator.

There are also many other requirements that most institutions will need to meet. Most are based on NIST standards, and since CMMC is as well, you have a head start.

Globally, we see a similar pattern occurring, with groups like the National Research Fund (NRF) or the National Institute of Science (NIS) likely to increase their security standards. Other countries are also evaluating their security protocols for research dollars.

CMMC is jumpstarting conversations with university leadership. Whether it’s the President’s Office, the Board, or other leadership, it requires those individuals to engage and better understand the security landscape of the moment.

Cisco can help research universities achieve CMMC certification and other security goals

As an IT leader at your institution, you understand the broad technology footprint you must deal with. That’s why you need a partner who also understands and can help with the heavy lift of CMMC requirements.

Cisco’s large ecosystem of partners, and broad portfolio of solutions and services, can help you automate and visualize what’s really going on in your network. Together, we can help make your limited resources more productive so you can discover and respond to threats faster.

Begin your CMMC conversation

For more on this topic, please visit our CMMC information site: https://www.cisco.com/c/en/us/products/security/what-is-cmmc.html. Please contact your Cisco account manager for help on your CMMC journey.

To learn more about Cisco’s support in higher education, check out our on-demand sessions and other resources from our presence at EDUCAUSE earlier this Fall.
Peter Romness

Cybersecurity Principal, US Public Sector CTO Office