The document presents a comprehensive overview of cybersecurity implementation and ongoing updates from the university perspective, focusing particularly on compliance with federal requirements such as the Cybersecurity Maturity Model Certification (CMMC) and NIST standards. Leaders from the University of Virginia (UVA), Johns Hopkins University (JHU), and the University of Pittsburgh shared their respective institutional strategies, challenges, and progress toward securing their research environments, particularly in response to Department of Defense (DoD) contracts requiring CMMC compliance. The institutions detailed the scope and complexity of their cybersecurity initiatives, highlighting the need to balance academic openness with stringent data security standards.
UVA outlined its multi-year efforts and investments in NIST 800-171 compliance and its preparation for CMMC Level 2, noting the institutional challenge in scoping, asset assessment, and program ownership across academic, clinical, and physical environments. JHU described its approach utilizing a centrally managed, secure research enclave for NIST and CMMC compliance, with localized, non-compliant environments remaining out of scope. It emphasized the strategic investment and organizational change required for CMMC Level 2, including governance, gap analysis, and stakeholder communication. The University of Pittsburgh outlined its recent decision to centralize CUI (Controlled Unclassified Information) activities within a secure Azure GCC High environment, detailing significant upfront and ongoing costs for CMMC Level 2 certification and environmental maintenance. All three institutions addressed the challenges of implementing robust cybersecurity frameworks, managing financial and operational impacts, ensuring regulatory compliance, and fostering institutional readiness for evolving federal research security mandates.
