Universities across the United States are increasingly invested in providing support to the Defense Industrial Base. With close government partnerships, though, comes an increased risk of cyber threats targeting sensitive information related to national defense and America’s allies abroad. Cybersecurity in higher education is now a paramount concern, and maintaining high standards to protect sensitive data is crucial for universities today to earn funding for research opportunities from the Department of Defense. Cask Government Services is committed to helping universities maintain these high standards.
With the new CMMC 2.0 framework rolling out for defense contractors and subcontractors across 2025, universities are under pressure to meet these cybersecurity standards and ensure compliance—and not just ones in partnership with the DoD. Join Cask in exploring cybersecurity for universities and the increasing importance of CMMC L2 certification to secure and protect your research and your funding.
The higher education community is a critical partner in the defense sector. We need them to adopt and maintain cybersecurity best practices to protect the innovations they are developing for our warfighters.” – Elizabeth Guezzale, Cask Government Services
Understanding the Risks of University Data Breaches and Other Cybersecurity Incidents
According to EDUCAUSE, a nonprofit dedicated to IT best practices and cybersecurity in higher education, data breaches cost higher education over $3 million each year. But there is more than a monetary cost to data breaches and other cybersecurity incidents.
Universities that receive DoD funding often partner with defense agencies on sensitive research related to national security and defense technologies. For these universities, data breaches can expose classified information or Controlled Unclassified Information (CUI) relating to military capabilities or IP relating to defense research and threaten the United States’ economic and technological advantages.
And it isn’t just the DoD—any source of government funding can be jeopardized by insufficient cybersecurity practices. This includes universities with connections to the US Department of Health and Human Services and the National Science Foundation—nearly every university in the country.
As a result, data breaches can jeopardize your university’s relationship with state and federal agencies, rendering you vulnerable to loss of funding, legal liabilities, penalties or lawsuits from affected parties (including researchers, students, or government personnel), or restrictions on future contracts.
In the long term, insufficient cybersecurity for higher education facilities can lead to severe reputational damage and loss of trust in your capabilities by not only defense agencies, contractors, and subcontractors but also potential students, faculty, and donors.
Ensuring Best-Practice Cybersecurity in Higher Education with CMMC 2.0
The Cybersecurity Maturity Model Certification isn’t just for defense contractors anymore, and the federal government is working hard to make sure everybody knows it. With the new CMMC 2.0 framework going into effect, most universities—including those not part of the Defense Industrial Base—will have to specifically meet the requirements of Level 2 of the CMMC 2.0 framework.
In one of our recent blogs, we examined in detail the new CMMC 2.0 framework, which divides cybersecurity best practices into three tiers based on the type of sensitive government data an organization handles as per its contractual obligations with the US government.
Higher education cybersecurity standards will need to start aligning with CMMC L2, which entails:
- Compliance with 110 cybersecurity best practices, as described in NIST 800-171.
- Documentation of all security policies and continuous monitoring to demonstrate compliance.
- Regular self-assessments and independent assessments from third-party assessors to verify compliance.
How to Adapt Cybersecurity for Universities to CMMC 2.0 Standards
Your university may already meet all of the highest standards for cybersecurity in higher education. However, cybersecurity and cyber compliance are not one and the same. Cyber compliance entails more than just the practices and tools you use to protect your organization from cyber threats—it includes meeting the specific regulatory and organizational standards your organization is obligated to meet.
For those new to CMMC standards, here is how to get up to speed with best practices in cybersecurity for universities so you can be ready when your government partnerships begin requiring CMMC 2.0 compliance:
- Familiarize yourself with the 110 security practices based on NIST SP 800-171 and take an inventory of all systems, networks, and devices that store, process, or transmit CUI.
- Evaluate your current cybersecurity practices, identify if there are any new security controls required to meet your CMMC obligations, and apply the necessary security measures.
- Document all control implementations to show how they meet CMMC requirements. Ensure procedures for handling cybersecurity incidents, monitoring, and auditing are established and documented.
- Conduct regular training for all personnel who interact with CUI on cybersecurity best practices, compliance obligations, and recognizing threats.
- Conduct self-assessments and pre-assessments. Cyber compliance consulting services can help you evaluate your university’s cybersecurity practices, assess your readiness for upcoming assessments, and even hold mock assessments.
- Schedule and undergo your formal CMMC L2 assessment. A government-authorized C3PAO (Certified Third-Party Assessment Organization) like Cask is a CMMC accreditation body responsible for conducting formal CMMC assessments.
The road to CMMC compliance can seem daunting for your university at first glance, but adhering to the US government’s standards for higher education cybersecurity and compliance best practices is essential to protecting your ongoing research and funding. Wherever you are in your CMMC journey, Cask Government Services is here to help you take the next step. Contact us today for a consultation.