Cybersecurity

Department of Defense Cybersecurity Maturity Model Certification

The Department of Defense recently launched the Cybersecurity Maturity Model Certification (CMMC) program. This program outlines cybersecurity requirements for contractors, including universities like UNT. The framework involves a tiered model and an assessment requirement, and it will be implemented as a condition of contract award. The model consists of three levels:

Level 1: Foundational
  17 practices
  Annual self-assessment

Level 2: Advanced
  110 practices (NIST SP 800-171)
  Triennial third-party assessment, or annual self-assessment (select programs)

Level 3: Expert
  110+ practices (NIST SP 800-172)
  Triennial government-led assessments

In order for researchers to apply for funding opportunities, the certification requirements (which will be incorporated into funding opportunity announcements) must be met. The goal of the DoD is to include CMMC requirements in all acquisitions by 2024.

Contractors, such as research universities, will be required to “document and submit their plans for securing systems that store, transmit, or process CUI data to DoD.” (https://research.unm.edu/research-data-security)

The UNT Division of Research and Innovation and UNT System ITSS will work together to meet CMMC requirements so that UNT researchers can continue to seek DoD funding opportunities. If you plan to submit a DoD proposal in the near future, check the solicitation or Requests for Information (RFIs) to determine if a CMMC certification level is required. Reach out to oric@unt.edu to let the UNT Office of Research Integrity and Compliance know that you are applying for DoD funding that requires a CMMC certification level.

The CMMC requirement applies to new contracts, and it can be integrated into an active contract by amendment at the direction of the DoD Contracting Officer. Contracting Officers will work with prime contractors to determine requirements for subcontractors.

Visit the National Archives website for further information about Controlled Unclassified Information (CUI). 

If a company “does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store, or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment.” (https://www.acq.osd.mil/cmmc/faq.html)