Cyber Security Desk

CMMC Compliance

Cybersecurity Maturity Model Certification (CMMC)

The Department of Defense (DoD) is implementing the Cybersecurity Maturity Model Certification (CMMC), which will require DoD contractors to self-attest to Foundational compliance or obtain third-party certification for Advanced and Expert levels. This new CMMC mandate includes university-based research labs and facilities as well as FFDRCs (Federally Funded Research and Development Centers) and UARCs (University Affiliated Research Centers). The requirements are currently undergoing the mandated federal rulemaking process and the DoD anticipates implementing CMMC by May 2023.

 

What you need to know

  • CMMC is a comprehensive Department of Defense information security framework designed to protect Defense Industrial Base contractors from increasingly frequent and complex cyberattacks. While CMMC isn't yet the law of the land, ASU is beginning see CMMC language in contracts. While CMMC only currently applies to Defense Contractors, it may apply to other non-DoD contracts at a future point. As Arizona State University performs both basic and applied research under DoD contracts, we are subject to CMMC compliance. 
  • CMMC Level 1, "Foundational", is the fundamental safeguards specified in 48 CFR 52.204-21, the Federal Acquisition Regulations (FAR).
  • CMMC Level 2, "Advanced", is equivalent to NIST SP 800-171 and will be implemented in ASU Knowledge Enterprise's KE Secure Cloud (formerly ASRE) as a superset of CMMC Foundational regulations with additional controls defined under NIST SP 800-171. 
  • The controls and ASU policies, such as the ones asterisked in the tabled below, are an iterative work in progress and are reviewed as CMMC evolves or as conditions change. 
Domain Control CMMC Practice ID ASU Policy
Access Control (AC)

Authorized Access Control
 

Transaction & Function Control
 

External Connections
 

Control Public Information

AC.L1-3.1.1
 

AC.L1-3.1.2
 

AC.L1-3.1.20
 


AC.L1-3.1.22

Access to Technology Resources Policy

 


Privileged Account Standard

 

*Access to Technology Resources Standard

*Access to Technology Resources Policy

 


*Access to Technology Resources Standard

*Access to Technology Resources Policy

 

ASU also confirms this control via language in our contracts and are actively reviewing this standard to support this control.

Identification and Authentication (IA)

Identification
 

Authentication

IA.L1-3.5.1

 

IA.L1-3.5.2

Data Handling Standard

 

Password Standard

Server Security Standard

Media Protection (MP) Media Disposal MP.L1-3.8.3 Research and sponsored projects manual
Protection (PE)

Limit Physical Access
 

Escort Visitors
 

Physical Access Logs
 

Manage Physical Access

PE.L1-3.10.1
 

 

PE.L1-3.10.3
 

PE.L1-3.10.4
 

 

 

PE.L1-3.10.5

EndPoint Security Guidelines

Data center access

 

Export Controls and Security

 

EndPoint Security Guidelines

Data center access

Export Controls and Security

 

Door Access Standard

System and Communications Protection (SC)

Boundary Protection
 

Public-Access System Separation

SC.L1-3.13.1
 

SC.L1-3.13.5

Data Handling Standard

ASU supports network segmentation and is currently developing a Standard to support this control formally.
System and Information Integrity (SI)

Flaw Remediation
 

Malicious Code Protection
 

Update Malicious Code Protection
 

System & File Scanning

SI.L1-3.14.1
 


SI.L1-3.14.2
 

SI.L1-3.14.4
 


SI.L1-3.14.5

Vulnerability Management Standard

Patch Management Standard

 

Server Security Standard

 

Endpoint Security Guidelines

Anti-Malware Standard

 

Endpoint Security Guidelines

Anti-Malware Standard

 

Related Defense Federal Acquisition Regulations (DFARS) clauses

  • DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’
  • DFARS 252.204-7019, ‘Notice of NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7020, ‘NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7021, ‘Cybersecurity Maturity Model Certification Requirements’ (through 9/30/2025)

ASU Researchers

The University has controls in place to facilitate compliance with CMMC. If you plan to apply for a DoD Grant that contains any of the four DFARS mentioned above, or if you need consultation, please contact the Research Advancement Administrator (RA) for your department. Your RA can assist you in ensuring appropriate measures, policies, processes, and procedures are in place to comply with the relevant requirements. For questions regarding CMMC, ASU's implementation of CMMC, or how CMMC affects your research, please contact the CMMC Team.

ASU Researchers may include the following statement in their proposal materials regarding CMMC: The University has controls in place to facilitate compliance with CMMC Level 1 Foundational requirements and safeguards specified in CFR 52.204.21 of the Federal Acquisition Regulations (FAR). For additional information, please visit https://getprotected.asu.edu/compliance-regulations/cmmc

Incident Reporting

Arizona State University takes every security event and incident seriously. To report an event or incident, contact the ASU Help Desk at 1-855-278-5080. For events that do not require an immediate response, email infosec@asu.edu or visit our contact page.