Groups Urge DoD to Exclude Fundamental Research From Cybersecurity Certification Program
Although full implementation is several years away, leaders of research institutions and organizations representing them are asking the Department of Defense to exempt fundamental research from requirements in DoD’s Cybersecurity Maturity Model Certification (CMMC) program. Contractors and possibly subcontractors would be required to obtain third-party CMMC certification, depending on the type of information they hold and the level of security required. In a recent letter, the Council on Governmental Relations, the Association of American Universities, and others expressed concern that “without additional clarification, [there is] too much room for the inappropriate application of certification requirements that are not relevant to the fundamental research activities that a project may include.”
“The cost increases and revenue losses that universities face due to disruptions stemming from COVID-19 continue to grow, and it remains unclear when they will stabilize,” the letter stated. “As a result, institutional capacity to absorb potentially substantial, new requirements as a result of CMMC is likely to be constrained even after the pandemic ends. It is vital, therefore, that the DOD work with research universities to ensure that the steps we take together to advance information security are appropriately scoped to the research involved.” In addition to the exemption, the organizations asked DoD to “establish a dialogue with our member institutions to fully explore…the questions and concerns we have identified.”