Higher education: Check your obligations for CMMC cyber research compliance
Any institution engaged in research for the DoD or a contractor must address its compliance obligations under the new CMMC regulation.
Higher education institutions that have a signed agreement with the Department of Defense (DoD), or whose labs are engaged in defense work for another defense contractor, are most likely obligated to follow DFARS 252.204-7012. This Defense Federal Acquisition Regulation Supplement (DFARS) is often referred to as the “cyber DFARS” because, among other things, it requires DoD contract recipients to meet the NIST SP 800-171 Rev. 2 cyber framework. In a university setting, that could either obligate particular labs or research programs or broadly obligate the IT environment of the entire institution.
The cyber DFARS has evolved over the last decade. Though historically permitted, self-attestation to this cybersecurity requirement will be replaced at the end of 2024 by a stringent external certification imposed by the DoD called the Cybersecurity Maturity Model Certification (CMMC). This certification process requires intensive preparation and contracting with one of a limited number of assessors, so it’s important to not underestimate the compliance timeframe.
The standard underlying CMMC
At its heart, the CMMC regulation means that Certified Third-Party Assessor Organizations (C3PAOs) must independently certify that your institution meets NIST SP 800-171 Rev. 2 across the environments engaged in defense-related work. Currently, in most institutions, this would only apply to the specific program(s) that accepted the defense contract, and not the entire school. However, in a separate development, the Department of Education (ED) has announced that “Protecting Student Information – Compliance with CUI and GLBA” is a must for institutions involved with Federal Student Aid (FSA). This means that you should expect that the need to meet NIST SP 800-171 Rev. 2 will expand from just the aforementioned DoD program(s) to the entire institution in the future.
Key concerns: Compliance time is short and enforcement imminent
It’s important to reiterate that the CMMC will become effective on Dec. 16 and is expected to become a defense contract requirement starting about April 2025.
- The CMMC regulation has been in the works for several years and is poised to become law in Q4 2024 and Q1 of 2025.
- It is the industry’s expectation that CMMC requirements will begin showing up in defense contracts – and contract flow-downs from prime defense contractors to their subcontractors – beginning in and around April 2025 for new and renewal defense contracts.
- Both the DoD and Department of Justice have notified the defense supply chain that they will begin taking regulatory compliance and enforcement action thereafter.
For this reason, CohnReznick strongly encourages colleges and universities involved in defense work to research this new regulation, determine if your institution is implicated by virtue of defense sector research, and consider immediate steps to independently assess your compliance – or absence of compliance – so you can begin any necessary remediation.
How CohnReznick can help
CohnReznick is a DoD-designated Registered Provider Organization (RPO) and a C3PAO empowered to help institutions assess their compliance posture, make improvements, and become formally certified as compliant.
We can help you prepare for the DoD requirements that will begin in 2025.
- As one of only 58 C3PAOs worldwide designated by the DoD (as of Dec. 2024), we know this regulation intimately and can help your institution meet any certification requirements your compliance office determines it must address.
- If the ED’s newly proposed rule requiring higher education institutions to meet the cybersecurity requirements of NIST SP 800-171 Rev. 2 across their entire IT environment applies to you, we can also help you prepare to meet that expected rule.
Your advantage under the AXIA Cooperative Purchasing Agreement
CohnReznick is a signatory to the AXIA Cooperative, a purchasing agreement that enables member institutions to engage our firm (and others) for CMMC work without having to invest the months of time that typical Requests for Proposals (RFP) require.

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.