Cybersecurity Maturity Model Certification (CMMC)
The Department of Defense (DoD) is implementing the Cybersecurity Maturity Model Certification (CMMC), which will require DoD contractors to self-attest to Foundational compliance or obtain third-party certification for Advanced and Expert levels. This new CMMC mandate includes university-based research labs and facilities as well as FFRDCs (Federally Funded Research and Development Centers) and UARCs (University Affiliated Research Centers). The requirements are currently undergoing the mandated federal rulemaking process, and the DoD anticipates implementing CMMC by May 2023.
What you need to know
- CMMC is a comprehensive Department of Defense information security framework designed to protect Defense Industrial Base contractors from increasingly frequent and complex cyberattacks. While CMMC isn't yet the law of the land, ASU is beginning to see CMMC language in contracts. While CMMC currently applies only to Defense Contractors, it may apply to other non-DoD contracts at a future point. As Arizona State University performs both basic and applied research under DoD contracts, we are subject to CMMC compliance.
- CMMC Level 1, "Foundational", consists of the fundamental safeguards specified in 48 CFR 52.204-21 of the Federal Acquisition Regulations (FAR).
- CMMC Level 2, "Advanced", is equivalent to NIST SP 800-171 and will be implemented in ASU Knowledge Enterprise's KE Secure Cloud (formerly ASRE) as a superset of CMMC Foundational regulations with additional controls defined under NIST SP 800-171.
- The controls and ASU policies, such as the ones marked with an asterisk in the table below, are an iterative work in progress and are reviewed as CMMC evolves or as conditions change.