The letter, jointly submitted by the Council on Governmental Relations (COGR), EDUCAUSE, the Association of American Universities (AAU), the Association of Public and Land-grant Universities (APLU), and the American Council on Education (ACE), articulates deep concerns regarding the Department of Defense’s (DOD) interim rule implementing the NIST Special Publication 800-171 Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework for DOD contracts. The associations emphasize their longstanding commitment to research and information security but caution that the interim rule, as currently written, fails to distinguish fundamental research—defined by its open dissemination and lack of sensitive federal contract information (FCI) and controlled unclassified information (CUI)—from other activities covered by the CMMC and NIST assessments. They argue that the requirements for CMMC Level 1 certification and NIST SP 800-171 assessments are largely inapplicable and unduly burdensome to fundamental research activities. The signatories contend that imposing these compliance obligations threatens to seriously hamper the ability of research institutions to conduct fundamental research for the DOD, which would undermine both national security and the nation’s economic competitiveness.
The associations urge the DOD to clarify, both in the rule text and implementation, that fundamental research is exempt from the CMMC and NIST SP 800-171 assessment provisions except in rare cases where sensitive information is directly provided as a research input. They highlight the inefficiencies and potential financial and operational burdens that such misapplied requirements could impose, including inhibiting university participation in DOD contracts and small business innovation initiatives. Furthermore, the letter requests ongoing dialogue with DOD officials to ensure that regulatory frameworks protect national security interests without compromising the open research environment essential to progress in science and education. The associations conclude by reiterating their commitment to cybersecurity while calling for regulatory distinctions that respect the nature of fundamental research, thereby avoiding unintended negative impacts on the nation’s research enterprise.
