Cybersecurity Maturity Model Certification

US Department of Defense (DoD) established Cybersecurity Maturity Model Certification (CMMC). It is a unifying standard for the implementation of cybersecurity and to provide increased assurance that an entity can adequately protect Controlled Unclassified Information (CUI) as well as Federal Contract Information (FCI). In relation to Higher Education, this directly relates to research activities that either currently participate or plan to participate in sponsored research by agencies, offices and commands under the DoD.

The CMMC Model possesses five levels.

  • CMMC Level 1 is the minimum maturity level for protecting FCI.
  • CMMC Level 2 is a progression level from Level 1 to Level 3 and contains subset of security requirements specified in NIST 800-171 for protection of CUI.
  • CMMC Level 3 is the minimum maturity level for protecting CUI and includes all of the security requirements outlined in NIST 800-171 as well as 20 additional practices to mitigate threats.
  • CMMC Level 4 and 5 include subset of enhanced security requirements from Draft NIST 800-171B as well as enhanced capabilities to protect against Advanced Persistent Threats (APTs)

Relevant Defense Federal Acquisition Regulations (DFARS) clauses:

  • DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’
  • DFARS 252.204-7019, ‘Notice of NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7020, ‘NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7021, ‘Cybersecurity Maturity Model Certification Requirements’ (through 9/30/2025)

Applying for DoD Grant?

If you plan to apply for a DoD Grant that contains any of the four relevant DFARS mentioned above, please contact LSU IT Security Team (security@lsu.edu) so that ITSP can collaboratively work with you to ensure appropriate measures, policies, processes, and procedures are in place to comply with the relevant requirements.

It should be noted that for CMMC compliance, the implementation of security measures will need to be certified by an accredited third party that is external to the University.

Reference - CMMC Official Website