This webpage will be updated as CMMC 2.0 and the process for CMMC-related projects at FIU are finalized.

Cybersecurity and Research

Cybersecurity is of utmost importance when handling sensitive data. Research data is often overlooked as sensitive data. Although the research may not involve the usual pieces of information that are considered sensitive, identifiable, or personal, the very nature of the research itself may be deemed sensitive. Accordingly, research, especially when associated with a grant, contract or data use agreement, must be safeguarded by implementing security requirements, often specified.

CMMC Overview

The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the U.S. Department of Defense as a standard of cybersecurity practices and requirements to ensure the protection of sensitive unclassified information. CMMC specifically protects Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

CMMC is associated with the following guidelines and clauses, which are identified as compliance requirements in the contract:

  • NIST SP 800-171
  • Federal Acquisition Regulation (FAR) Clause 52.204-21
  • Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012

CMMC has 3 tiers: Level 1 - Foundational, Level 2 - Advanced, Level 3 - Expert. The type and sensitivity of data involved in the research will dictate the tier level and assessment requirements. The contract may also specify the CMMC level required to be achieved by a DoD contractor.


The CMMC level required will be the same if contractors and subcontractors are handling the same type of FCI and CUI data. If the prime contractor will only flow down select data to the subcontractor, a lower CMMC level may apply.

CMMC 2.0 is still being finalized. Once it is implemented, all organizations under contract with the DoD will be required to be certified at the appropriate CMMC tier/level.


To ensure eligibility for DoD research projects, FIU is in the process of obtaining certification. FIU plans to meet CMMC Level 2 - Advanced, which complies with NIST SP 800-171 and its 110 security requirements.

All research projects that involve Controlled Unclassified Information (CUI) will be stored within an enclave specifically tailored to and governed by the requirements of CMMC Level 2 - Advanced. The enclave will also be the environment where project work is performed.