A Sea Change in Compliance for Research Institutions
In this Q&A, Neal Tilley, Cisco Higher Education Advisory Council Coordinator and Strategic Advisor, outlines what higher education technology leaders need to know to prepare for the new regulations.
A new cybersecurity standard created by the U.S. Department of Defense (DoD), Cybersecurity Maturity Model Certification (CMMC), could have wide-ranging implications for research universities.
What is the potential impact of CMMC on universities?
It’s a change to a much more rigorous process of certification around people, processes and technology. Previously, contractors self-assessed to the National Institute of Standards and Technology (NIST) standards. There is now an expectation that they be assessed by a third party.
More than 50 percent of the DoD’s R&D budget is spent with research universities. It’s an important channel of research revenue for R1s and some R2s. Ultimately, some of the other large federal agencies that fund research universities may ask for the same levels of cyber hygiene.
Getting compliance at these new regulatory levels is something many research universities have not had to do before, and academic freedom and the ability to push the envelope when it comes to research are important to them. It’s a real conundrum, and only a small percentage of research universities have everything they need to truly offer that seamlessly.
CMMC doesn’t go into effect until 2025. Why is it important for universities to start addressing this now?
Contractors are already being asked how they are addressing the CMMC regulations. There is also the cost of bringing networks, people and processes up to speed ahead of 2025. Research universities are in the top 30 percent of federal contractors that are expected to get higher levels of certification. There’s also going to be a logjam for third-party certifiers over the next three to four years—if you get a red light, it could take a few years to recertify.
What should universities be doing to get up to speed?
It’s important to build a higher-level view to know where the potential threats are. Security and infrastructure teams must work together and look at the intelligence they’ve got and understand where gaps exist around networks, endpoints and cloud applications. That move to the cloud is a big part of understanding where your vulnerabilities are.
It’s really about understanding what you have in front of you and what sort of practices you can put in place. Encryption, zero trust, multi-factor authorization—all these different services that have slowly evolved are all part of the segmentation, automation and governance of data. Vendors like Cisco are going through CMMC as well, so you can lean on that and make sure they are giving you the support you need.
There is a steep learning curve and universities will feel the costs in the first stage. But the long-term opportunity is going to be very beneficial. If we do things right, it will better protect all research universities’ capabilities — more secure means more success, which is ultimately what they are trying to accomplish.