Capitol Hill

Concerns raised by US Universities, as they write to the OUSD A&S seeking clarity on the application of CMMC to academic and research institutions.

As the CMMC debate continues, it is raising some interesting, difficult and, dare I say it, academic questions. Several representative bodies for research institutions in the US have written to the Under Secretary of Defense for Acquisition and Sustainment (USD[A&S]), raising concerns over the implementation of CMMC and its financial impact on academic institutions during COVID-19. The representative bodies believe that research which falls into the fundamental research category may not pose issues for defence-focused programmes, as research relevant to defence contracts does not involve CUI. They also raise the question of how CMMC maturity levels will be assessed and applied by prime contractors to their subcontractors, which include universities. They want to start a dialog on the impact of CMMC and how to resolve their concerns.

There are many challenges with CMMC, especially given the breadth and depth of US defence procurement value chains, from the development of new solutions through to the manufacture of existing systems. I would argue that all research which relates to any defence-related programme, fundamental research or otherwise, needs to be secured. Fundamental research forms the building blocks for operational solutions, is often the most expensive to resolve, includes large amounts of Intellectual Property (IP) and provides the initial competitive advantage. The more dispensations which are provided over an already complex procurement value chain, the more chances there are for sensitive data to be leaked, which is the reason why CMMC is being adopted in the first instance. If FCI, which is basic non-public contract information, is considered in-scope, why would fundamental research data be left out?

There may not be any easy answers here, but rightly there needs to be dialog so that issues can be raised and solutions found, whilst not compromising the programme.

About CMMC Europe

Experienced cyber security professional with 20 years' experience as CISO and global head of cyber risk. Advising boards of Engineering and Manufacturing, Publishing and Media, and Financial Services companies on meeting and maintaining cyber risk management and regulatory compliance.
