Cybersecurity Maturity Model Certification (CMMC)

The United States Department of Defense (DoD) has implemented the Cybersecurity Maturity Model Certification (CMMC), which requires federal contractors to adhere to specific cybersecurity controls when working with Controlled Unclassified Information (CUI). Depending on the contract, a university may at a minimum be required to self-attest to Foundational (Level 1) compliance, and to obtain third-party certification (through a C3PAO) for Advanced (Level 2) and Expert (Level 3). Many other Federal Agencies have adopted the CMMC framework as well. The Federal CMMC mandate includes university-based research labs and facilities as well as FFRDCs (Federally Funded Research and Development Centers) and UARCs (University Affiliated Research Centers). The requirements are subject to the mandated federal rulemaking process; the DoD published the most recent CMMC rules on October 15, 2024. The regulations remain under review through a request-for-comments process.

[Figure: CMMC Model Levels]

What you need to know


●    CMMC is a comprehensive Department of Defense information security framework designed to protect Defense Industrial Base contractors from increasingly frequent and complex cyberattacks, specifically targeting a large class of information known as Controlled Unclassified Information (CUI). Many other Federal Agencies are adopting CMMC as well, and ASU is now seeing CMMC language in contracts from multiple agencies. Because Arizona State University performs both basic and applied research under contract with the DoD and other Federal agencies, ASU is subject to CMMC compliance.
●    CMMC Level 1, "Foundational", comprises the fundamental safeguards specified in 48 CFR 52.204-21, the Federal Acquisition Regulations (FAR).
●    CMMC Level 2, "Advanced", is equivalent to NIST SP 800-171 Revision 2 and is implemented in ASU Knowledge Enterprise's KE Secure Cloud as a superset of the CMMC Foundational requirements, with the additional controls defined under NIST SP 800-171 Revision 2. Other areas of ASU must comply with NIST SP 800-171 Revision 2 as required by sponsored research projects.
●    The controls and ASU policies and standards, such as the ones asterisked in the table below, are an iterative work in progress by ASU Information Security, and will be reviewed as conditions change.

Domain | Control | CMMC Practice ID | ASU Policy
Access Control (AC) | Authorized Access Control | AC.L1-3.1.1 | Access to Technology Resources Policy; Privileged Account Standard
Access Control (AC) | Transaction & Function Control | AC.L1-3.1.2 | *Access to Technology Resources Standard; *Access to Technology Resources Policy
Access Control (AC) | External Connections | AC.L1-3.1.20 | *Access to Technology Resources Standard; *Access to Technology Resources Policy
Access Control (AC) | Control Public Information | AC.L1-3.1.22 | ASU also confirms this control via language in our contracts and is actively reviewing this standard to support this control.
Identification and Authentication (IA) | Identification | IA.L1-3.5.1 | Data Handling Standard
Identification and Authentication (IA) | Authentication | IA.L1-3.5.2 | Password Standard; Server Security Standard
Media Protection (MP) | Media Disposal | MP.L1-3.8.3 | Research and Sponsored Projects Manual
Physical Protection (PE) | Limit Physical Access | PE.L1-3.10.1 | Endpoint Security Guidelines; Data Center Access
Physical Protection (PE) | Escort Visitors | PE.L1-3.10.3 | Export Controls and Security
Physical Protection (PE) | Physical Access Logs | PE.L1-3.10.4 | Endpoint Security Guidelines; Data Center Access; Export Controls and Security
Physical Protection (PE) | Manage Physical Access | PE.L1-3.10.5 | Door Access Standard
System and Communications Protection (SC) | Boundary Protection | SC.L1-3.13.1 | Data Handling Standard
System and Communications Protection (SC) | Public-Access System Separation | SC.L1-3.13.5 | ASU supports network segmentation and is currently developing a Standard to support this control formally.
System and Information Integrity (SI) | Flaw Remediation | SI.L1-3.14.1 | Vulnerability Management Standard; Patch Management Standard
System and Information Integrity (SI) | Malicious Code Protection | SI.L1-3.14.2 | Server Security Standard
System and Information Integrity (SI) | Update Malicious Code Protection | SI.L1-3.14.4 | Endpoint Security Guidelines; Anti-Malware Standard
System and Information Integrity (SI) | System & File Scanning | SI.L1-3.14.5 | Endpoint Security Guidelines; Anti-Malware Standard


Related Defense Federal Acquisition Regulations (DFARS) clauses

  • DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’
  • DFARS 252.204-7019, ‘Notice of NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7020, ‘NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7021, ‘Cybersecurity Maturity Model Certification Requirements’ (through 9/30/2025)

ASU Researchers

The University has controls in place to facilitate compliance with CMMC where applicable. If you plan to apply for Sponsored Research that contains any of the four DFARS clauses listed above, or if you need consultation, please contact the Research Advancement Administrator (RA) for your department. Your RA can assist you in ensuring that appropriate measures, policies, processes, and procedures are in place to comply with the relevant requirements. For questions regarding CMMC, ASU's implementation of CMMC, or how CMMC affects your research, please contact the Knowledge Enterprise Research Compliance team at export.control@asu.edu.

If you have questions about whether your research is considered Controlled Unclassified Information, please refer to the CUI FAQ produced by Knowledge Enterprise Research Compliance:

https://researchcompliance.asu.edu/wp-content/uploads/sites/50/2024/12/CUI-FAQs-v12052024.pdf

ASU Researchers may include the following statement in their proposal materials regarding CMMC: "The University has controls in place to facilitate compliance with CMMC Level 1 Foundational requirements and safeguards specified in 48 CFR 52.204-21 of the Federal Acquisition Regulations (FAR). For additional information, please visit https://getprotected.asu.edu/compliance-regulations/cmmc"

Incident Reporting

Arizona State University takes every security event and incident seriously. To report an event or incident, contact the ASU Help Desk at 1-855-278-5080. For events that do not require an immediate response, email infosec@asu.edu or visit our contact page.