Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense cybersecurity standard designed to protect sensitive unclassified information in contracts, requiring certification based on data type and project scope.
What is CMMC?
CMMC is a U.S. Department of Defense program that standardizes cybersecurity practices to protect sensitive unclassified information, including Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
CMMC compliance is tied to the following guidelines and clauses, which may be outlined in your contract:
- NIST SP 800-171
- Federal Acquisition Regulation (FAR) Clause 52.204-21
- Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012
CMMC includes three levels:
- Level 1 – Foundational
- Level 2 – Advanced
- Level 3 – Expert
The required level depends on the type and sensitivity of data in the research. Contracts will specify which level must be met. If subcontractors handle the same type of FCI or CUI as the prime contractor, they must meet the same CMMC level. If only a subset of data is shared, a lower level may apply.
CMMC 2.0 is still being finalized. Once implemented, all DoD contractors will be required to meet the appropriate CMMC level.
FIU and CMMC Compliance
FIU currently maintains CMMC Level 1 Basic Safeguards under the CMMC 1.0 model. To maintain eligibility for Department of Defense research, FIU is pursuing CMMC 2.0 certification and plans to meet Level 2 – Advanced, aligning with the 110 security requirements outlined in NIST SP 800-171.
All projects involving CUI will be stored and conducted within a secure enclave designed to meet CMMC Level 2 standards. This environment will serve as the primary workspace for those projects.
CMMC compliance at FIU is a shared responsibility between the Office of Research and Economic Development (ORED), the Division of Information Technology and the university research community.
For questions regarding CMMC compliance on a specific sponsored project, contact the ORED Research Information Systems team.
Cybersecurity and Research
Cybersecurity is critical when handling sensitive data. Research data is often not recognized as sensitive, but even when it contains no personal or identifiable information, the nature of the research itself may make it sensitive.
As a result, research that is tied to a grant, contract or data use agreement must comply with the security requirements those agreements specify.
Sponsors frequently impose restrictions on personnel, data access and information sharing. These limitations may result in classified or restricted research projects and have implications for project setup, including data management.
If a project is awarded, federal regulations may require detailed plans and metrics for it, which can include compliance with DFARS Clause 252.204-7012, NIST SP 800-171, Homeland Security Presidential Directive 12 (HSPD-12), Federal Information Processing Standards (FIPS) and/or the Federal Information Security Management Act (FISMA).
These plans must be in place before accessing or generating restricted data, often within 30 days of receiving an award.