R1 research institutions, recognized for their highest level of research activity, are powerhouses of innovation and cutting-edge exploration. Their close collaborations with government agencies not only amplify the impact of their research contributions but also necessitate rigorous cybersecurity standards. With the rise of the Cybersecurity Maturity Model Certification (CMMC) and its recent 2.0 amendments, there's a pressing need for these institutions to safeguard sensitive information related to government contracts.
While one might naturally assume that DoD contractors are bound by the requirements of CMMC, the instrumental role of R1 research institutions in crafting the original CMMC standards might come as a surprise. Katie Arrington, CISO A&S at the U.S. Department of Defense, credits institutions like Carnegie Mellon and the Johns Hopkins Applied Physics Lab as being integral in the formulation of CMMC's best practices, alongside other distinguished institutions. The DoD collaborated extensively with academic experts nationwide to establish a robust and sustainable cybersecurity framework.
What comes next is making the changes and investments necessary to comply with the recently updated CMMC 2.0 - and doing it in a way that’s affordable, reasonable, and doesn’t inhibit collaboration.
What’s New In CMMC 2.0?
Recognizing the challenges faced by small contractors and educational institutions, the Department of Defense revisited the CMMC guidelines and announced a revision, or CMMC 2.0, in November 2021.
The goal? Streamline the process, reduce overhead, and align more closely with established cybersecurity benchmarks like those in NIST. CMMC 2.0 reflects these considerations. Here's a closer look at the key changes:
1. Removed transitional stages 2 and 4 in CMMC 1.0, consolidating to benchmarks at levels 1, 2, and 3.
- Level 1: For all DoD contractors and those handling FCI.
- Level 2: For occasional CUI handlers or those transitioning to level 3, with 72 security practices.
- Level 3: For frequent CUI handlers, requiring 130 practices. Government assessments are mandatory before contract awarding, with potential future regulation expansions.
- Self-assessments at Levels 1 and 2: Levels 1 and 2 now permit self-assessments. This helps smaller DIB businesses by allowing self-verification or using cost-effective third-party services, all while adhering to CMMC standards.
2. Enhanced Third-party Assessor Scrutiny: The DoD and OUSD have increased oversight for third-party assessors to ensure genuine and ethical compliance evaluations.
3. Introduction of POA&M: Plans of Actions & Milestones enable entities to outline their path to CMMC 2.0 compliance, easing immediate costs and efforts.
4. Provision for Waivers: Waivers are available for mission-critical or urgent projects, subject to senior leadership approval.
5. Reduced Domain Count: Domains have been reduced from 17 to 14. Asset Management, Recovery, and Audit & Accountability are excluded, but some practices may be integrated into existing domains.
Understanding CMMC 2.0 Regulations for R1 Institutions
The CMMC standard stems from the U.S. Department of Defense's effort to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). R1 institutions, known for their robust research activities often funded by federal grants, directly interface with these categories of data for a range of projects that span from security to aerophysics, to public health, and more.
Being at the forefront of major research projects, R1 institutions are frequently the recipients of significant government contracts and grants. This funding often translates to handling sensitive data, from defense technologies to public health research.
Given the nature and scope of these projects, there's a heightened onus on R1 institutions to ensure this data is protected. Compliance with CMMC not only validates the research institution's commitment to data security but also fortifies its eligibility for future government collaborations. But all of these things could be true for any regular DoD contractor too - How are things different for an R1 university?
The Nature of DoD Collaboration in University Research Presents a Challenge
Unlike traditional DoD contractors that might operate in restricted environments, universities are hotbeds of collaboration, often intertwining multiple departments, projects, and even institutions. This interconnectedness means that many of these universities find themselves deeply enmeshed within the DoD supply chain, frequently operating as subcontractors rather than primary contractors. In the pre-CMMC era, the onus of self-assessing security practices fell mainly on the shoulders of prime contractors – those directly bidding for DoD's request for proposals (RFPs).
However, with the new directives of CMMC requirements, these prime contractors are now mandated to not only ensure their own compliance but also validate the compliance of every entity they collaborate with, including their academic subcontractors. This expanded scope of responsibility exponentially increases the number of higher education institutions, particularly collaboration-heavy R1 universities, that must navigate the complexities and intricacies of attaining CMMC certification.
Virtru: Pragmatic Data Security for R1 Research Institutions Navigating CMMC 2.0 Compliance
R1 research institutions, renowned for fostering innovation and collaboration, face unique challenges when it comes to cybersecurity compliance, especially with the rollout of CMMC 2.0. Among the perceived solutions, the Microsoft Office 365 Government Community Cloud High (GCC High) environment often emerges as the go-to for organizations engaged with the DoD. However, while GCC High might seem like the obvious choice, it comes with substantial costs and collaboration barriers. But there's an alternative that's equally robust in terms of encryption, without the hefty price tag and collaborative disruptions: Virtru.
A Costly Pivot to GCC High: The Hidden Implications
For institutions steeped in the Microsoft ecosystem, transitioning to GCC High seems logical. Yet, the hidden costs are numerous. Beyond the substantial financial burden, there's the mammoth task of migrating thousands of users. But perhaps the most significant drawback is the unintentional barrier it places on collaboration, especially between GCC High and Commercial Cloud users. For research institutions where collaboration is vital, this limitation can be stifling.
Virtru: Tailored for Seamless Collaboration and CMMC 2.0 Compliance
In searching for a solution that wouldn't compromise collaboration while ensuring top-tier encryption, the Virtru platform emerges as a formidable contender. Let's break down why:
Unified Experience with Microsoft and Google
Virtru seamlessly integrates with Outlook and Google Workspace, ensuring that research teams can continue collaborating without a hitch, even in hybrid environments using different tiers of Google Workspace or Microsoft 365. There's no need for users to adapt to an entirely new environment or change their workflow, as the encryption functions fluidly within the familiar interface.
User-Friendly Encryption
While other solutions like PreVeil might offer encryption, the recipient experience can be clunky or unintuitive. Virtru ensures that the sharing and receiving of encrypted emails and files are straightforward and professional. This is pivotal for research institutions, where data is often shared with various stakeholders, from collaborators to funders.
Customized Recipient Experience
First impressions matter. With Virtru's ability to customize the branding of the encrypted email experience, recipients aren't just assured of data security, but the professional presentation fosters trust.
Autonomous Encryption Control
Institutions can manage their encryption keys through the Virtru Private Keystore, giving them unparalleled control over their data. This autonomy not only supports CMMC compliance, but also ensures data remains in the institution's purview.
Automated Data Protection
With the Virtru Data Protection Gateway, institutions can set protocols to automatically encrypt emails containing specific types of sensitive information. This automation reduces the risk of human error, ensuring compliance without relying on users to remember encryption protocols.
Cost Savings
The financial argument is compelling. By adopting Virtru, institutions can potentially save millions annually when compared to costly platforms like GCC High —funds that can be redirected to further research, infrastructure, or other pivotal areas.
Skilled Deployment Support
Transitioning to a new encryption solution can be daunting. Virtru isn't just a tool; it's a partnership. With our team of adept engineers, the deployment process is smooth, ensuring institutions can swiftly move to a more secure environment.
For R1 research institutions, the choice between costly GCC High migration and a seamless, affordable alternative like Virtru seems clear. Virtru offers robust encryption aligned with CMMC 2.0 requirements, without the financial strain and collaboration barriers. It's a solution that understands the nuanced needs of research institutions, ensuring compliance doesn't come at the cost of innovation.
To learn more about how Virtru can help your organization meet CMMC 2.0 encryption requirements, contact our team today.
