Universities Starting Their CMMC Journey
Yesterday during our weekly Coffee, Me, and CMMC SME breakfast meeting we discussed how University CIO’s need to create an SSP that meets the unique cultural institution.
A private school? A public school? Do your access control policies live further upstream in State Government? What do you do if state law’s and regulations fall out of compliance?
Like every Defense Contractor all answers come with bespoke solutions and caveats yet we came up with three major areas of difficulty a University CIO must navigate:
- Extensive and Mature Policies
- Multiple Stakeholders
- Budgetary Constraints
Carving out Policy
Currently we have faculty and staff from multiple universities enrolled in our class. Most of these schools have extensive policy and it can take over a year to change. For some schools this can involve Shared Goverrnance, meaning faculty must approve the IT policy.
This timeframe will not work for CMMC as policies will have to change with an evolving model. So we suggested working now to add a subsection to a University policy about having a malleable polcy for the protection of Controlled Unclassified Information and Federal Contract Information.
If you work at a university where the Faculty Senate approves IT policy you need to start now. You also need to decide who has ultimate resposnbility of compliance.
Afterall NIST SP-800-18 Guide for Developing Security Plans for Federal Information Systems states you must have a system authorizer to have an SSP. The guidelines state, “Management authorization should be based on an assessment of management, operational, and technical controls.”
Three Pathways for Awareness and Training
We also realized that multiple stakeholders will make the CMMC journey and universities will need to develop different pathways for awareness and training.
According to CMMC:
AT.4.059 Provide awareness training focused on recognizing and responding to threats from social engineering, advances persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat
So we see three avenues to training. First think about your IT staff and a technical training. Then your Sponors Research office. Finally you will need a training path for Professors who serve as Principal Investigators.
Each audience has unique training needs. Professors, who may feel their ability to bring in multimillion dollar awards voids their compliance responsibility need to understand teh difference between a grant and a contract. They need to know the workflow for protecting coltrolled unclassified information. You will need their input when considering if a Professor’s home or office fall in scope.
Budgeting Concerns
Every principal investigator seems flush with cash when it comes time to present research. Yet when it will come time to offset the compliance cost of CMMC the books will run dry. We suggested the idea of working your research process to set a direct cost percentage charged to the award.The rules around directs and indirects, the cost of fringe, and in-kind matching change all the time. The importance of protecting Controlled Unclassified Information will not. This does cost money.
Universities Should Prepare.
Featured Image Get Ready a remix of Threat Intelligence flickr photo by BhaduriAbhijit shared under a Creative Commons (BY) license and Georgetown University flickr photo by kevin dooley shared under a Creative Commons (BY) license by jgmac1106 shared under a Creative Commons (BY) license.