Comment Letter

COGR Joins a Multi-Association Response to the Request for Comments to Docket Number DoD–2023–OS–0063 / Regulatory Identifier Number (RIN) 0790–AL49, “Cybersecurity Maturity Model Certification (CMMC) Program”

The collective comments submitted by the American Council on Education (ACE), Association of American Universities (AAU), Association of Public and Land-Grant Universities (APLU), COGR, and EDUCAUSE address the Department of Defense's proposed updates to the Cybersecurity Maturity Model Certification (CMMC) Program. The associations commend the DoD for recognizing that fundamental research generally falls outside CMMC's scope, because under established policy fundamental research does not involve Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). However, they urge the DoD to provide clear guidance and a framework for identifying the limited scenarios in which fundamental research could nonetheless involve CUI or FCI and thereby trigger CMMC requirements. They stress that ambiguity in this area could lead to unnecessary compliance burdens, over-application of security requirements, and diversion of academic resources.

The comments raise several implementation concerns, including the broad and undefined inclusion of "Security Protection Data" (SPD) within the CMMC scope. The associations argue that SPD does not align with the regulatory definition of CUI and that its inclusion could impose unjustified obligations on institutions and their external service providers. They recommend that the DoD properly define SPD, account for the compliance costs of including it, and refrain from equating SPD with CUI. They also call for integrating DoD's existing guidance on CUI designation and marking into the CMMC regulations to prevent requirements from being inadvertently applied to research projects.

Additional recommendations include revising Plan of Action and Milestones (POA&M) guidance to allow more flexibility in remediation timelines and in which objectives are eligible for a POA&M, harmonizing the standards referenced by CMMC and DFARS as NIST releases updates, and extending the phase-in period for Level 2 certification because qualified assessors are currently in short supply. The associations further propose that lead CMMC assessors possess industry-specific expertise, particularly to address the unique circumstances of higher education environments. The document concludes with requests for further clarification on several aspects of the proposed rule and highlights the need for continued collaboration between the DoD and the higher education research community to ensure effective, appropriately tailored cybersecurity compliance.

This summary was generated with AI.