Abstract
On October 15, 2024, EDUCAUSE submitted comments to the U.S. Department of Defense (DOD) regarding its proposed changes to the department’s contracting regulations (i.e., the Defense Federal Acquisition Regulation Supplement, or DFARS) to incorporate Cybersecurity Maturity Model Certification (CMMC) requirements into the defense contracting process. Based on member input, EDUCAUSE reiterated its call for the DOD to work with the research administration and cybersecurity communities to establish guiding principles and a governing framework to address the unusual situations in which fundamental research projects, which are generally not covered by CMMC, become entangled with the types of data that trigger CMMC requirements. EDUCAUSE also recommended that the DOD (a) further clarify the text of the proposed regulations in a number of instances to facilitate institutional understanding and compliance, and (b) upgrade the capabilities of the DOD information systems relevant to CMMC to avoid imposing redundant reporting responsibilities on institutions and researchers.