EDUCAUSE Comments: DOD Interim Rule on CMMC and 800-171 Assessment

Abstract

EDUCAUSE joined with the Council on Governmental Relations (COGR) (www.cogr.edu), the Association of American Universities (AAU) (www.aau.edu), the Association of Public and Land-grant Universities (APLU) (www.aplu.org), and the American Council on Education (ACE) (www.acenet.edu) in commenting on the U.S. Department of Defense (DOD) interim rule that seeks to formally incorporate the Cybersecurity Maturity Model Certification (CMMC) Framework and the DOD assessment methodology and requirements for NIST SP 800-171 compliance by defense contractors into the DOD contracting regulations.

EDUCAUSE and its partners stressed that neither the CMMC Framework nor the 800-171 assessment requirements should generally apply to fundamental research projects at higher education research institutions. Except in unique circumstances, such projects do not include the federal contract information (FCI) that is the basis for mandating that a contract activity be certified at the most basic CMMC level (CMMC Level 1). Likewise, the DOD contract clause that imposes 800-171 compliance on contractors self-cancels when a contract activity receives a fundamental research designation. Thus, our associations argue that the DOD should revise the interim rule to ensure that the 800-171 assessment requirement isn’t imposed on projects that fundamentally do not have to comply with the 800-171 contract requirement per the DOD’s own regulatory determination.
