EDUCAUSE Comments: CMMC 2.0 Regulations

Abstract

EDUCAUSE joined COGR, the Association of American Universities (AAU), the Association of Public and Land-grant Universities (APLU), and the American Council on Education (ACE) in submitting comments to the U.S. Department of Defense (DoD) on February 26, 2024, regarding the DoD’s second round of proposed regulations to implement its Cybersecurity Maturity Model Certification (CMMC) Program. The “CMMC 2.0” regulations are intended to supplant interim requirements issued toward the end of the Trump administration and refocus the program specifically on the cybersecurity guidelines for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

EDUCAUSE and the other participating groups noted that the regulatory proposal effectively resolved a key concern that they raised during the Trump-era rulemaking process. In presenting the DoD’s analysis of prior comments on fundamental research in relation to CMMC, the rulemaking notice acknowledged that fundamental research projects in general do not involve FCI or CUI and therefore would not be covered by the CMMC Program. The notice did leave open the possibility, however, that edge cases could emerge in the fundamental research space that might necessitate the application of CMMC requirements. While thanking the DoD for recognizing that CMMC generally does not apply to fundamental research, EDUCAUSE and its fellow associations stressed that the DoD should provide a clear explanation of the edge cases that might fall under CMMC and take steps to ensure that they are explicitly identified upfront in relevant project solicitations.

Among other issues, EDUCAUSE and the other joint respondents also argued against the regulations’ possible treatment of Security Protection Data (SPD) as CUI, in favor of allowing covered entities to include a broad array of CMMC assessment objectives in a Plan of Action and Milestones (POA&M), and in favor of a requirement that the lead assessors of CMMC assessments have knowledge and experience in the industry of the organization being assessed.
