The document summarizes a panel discussion on the institutional experiences of universities with the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), highlighting perspectives from UC San Diego, Purdue University, and Indiana University. The discussion addresses recent DoD regulatory changes requiring contractors to achieve at least Level 1 CMMC certification, emphasizing compliance with federal cybersecurity requirements for handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Importantly, the evolving CMMC framework, while intended to secure sensitive data, does not always align with the nature of fundamental research, prompting calls for recognition and possible regulatory adjustments.
Panelists detail their institutions’ strategies for meeting CMMC and regulated research requirements, highlighting both challenges and proactive initiatives. UC San Diego views CMMC as an early indicator of broader federal cybersecurity expectations and is developing a Center of Excellence to support secure research environments, policy development, compliance enclaves, and self-certification baselines. Purdue emphasizes community building, shared resources, governance, and full cost modeling through workshops and a regulated research network. Indiana University outlines a history of aligning research systems with federal standards such as those from NIST, focusing on scalable risk management and leveraging existing frameworks to prepare for evolving CMMC requirements. All institutions note the complexity of bridging research activity with compliance regimes, the need for ongoing adaptation, and the importance of collaboration and resource sharing within the academic research community.