CMMC on Campus: Preparing for Cybersecurity Certification
As academic institutions strengthen their ties to federal research funding and sensitive data collaborations, mature cybersecurity practices have never been more critical. To explore this growing need, Bobby Rogers, Jr., Virtual Chief Information Security Officer (vCISO), Edge, joined EdgeCon Autumn 2025 to share his insights and explore practical steps for meeting the Cybersecurity Maturity Model Certification (CMMC) standards.
The CMMC Framework
CMMC is a formalized cybersecurity framework required by the U.S. government for federal contractors, starting with the Department of Defense (DoD), and for any organization that stores, processes, receives, or transmits Controlled Unclassified Information (CUI). Developed for DoD by Carnegie Mellon University and The Johns Hopkins University Applied Physics Laboratory, CMMC was announced in July 2019, with the final rule published on September 8, and the first phase of implementation was rolled out on November 10, 2025, to be followed by subsequent phases in the coming years.
"For decades, the headlines have focused on breaches involving classified material," says Rogers. "But what people often overlook is that much of the compromised data isn't classified at all. It's simply sensitive information, often personal information or healthcare records. That's why CMMC was developed. For years the government imposed requirements only on its own agencies, but now those expectations are extending outward, starting with DoD contractors and eventually reaching almost everyone who handles government information."
CMMC provides a formal framework to ensure that organizations handling government data meet the standards required by federal acquisition regulations. "CMMC certifies that an organization—whether a DoD contractor, a higher education institution, or a private company—meets a rigorous set of requirements for protecting CUI," says Rogers. "Essentially, anyone who possesses, stores, processes, or transmits government information is expected to follow these rules."
Recently, the federal government published a final rule making CMMC requirements explicit in contract language. "Previously, the DoD could choose whether to include these requirements in contracts, but now they are mandatory," explains Rogers. "The certification itself is a formal, lengthy, and complex process, conducted by an approved independent third-party assessor."
Why CMMC Matters for Higher Education
CMMC represents the beginning of a broader federal initiative that will eventually extend to all agencies. "CMMC is moving across the federal government," states Rogers. "Today it's the DoD, tomorrow it might be NASA, then the FDA, and eventually agencies like the Department of Commerce or the Department of Education. Academic programs often rely on federal data to advance teaching and research initiatives. Even if your institution isn't a DoD contractor, once you handle this type of data, CMMC compliance becomes relevant."
The Cyber AB, created by the Secretary of Defense for Acquisition and Sustainment, manages all aspects of CMMC. "The Cyber AB maintains the formal CMMC model, oversees the certification process, and provides consulting services and training," explains Rogers. "Within that ecosystem, there are two groups most organizations will interact with: the Third-Party Assessor Organizations, or C3PAOs, who conduct formal assessments and certify compliance; and the Registered Practitioner Organizations, or RPOs, which guide organizations through the certification process."
Organizations seeking CMMC compliance must address two key types of data: federal contract information (FCI) and CUI. "FCI is information provided by or generated for the Government under contract and is not intended for public release," says Rogers. "CUI is information that requires safeguarding using recommended minimum security controls. Understanding the type of information your organization handles is critical for CMMC compliance. The contract governs what data is considered sensitive and dictates the protections and certification level required."
Common examples of CUI include critical infrastructure data, financial and budgetary information, law enforcement data, personally identifiable information, healthcare records, and government contracting information. The National Archives CUI Registry provides guidance on categories, though the contract ultimately defines what counts as CUI in each specific case.
CMMC Certification Levels and Requirements
CMMC consists of three levels, each with increasing requirements:
- Level 1: Focused on basic cybersecurity controls to protect FCI, requiring 15 foundational practices. Organizations complete a self-assessment and submit results to the Supplier Performance Risk System (SPRS) database.
- Level 2: A bridge toward handling more sensitive CUI, Level 2 introduces additional controls from NIST SP 800-171 Revision 2, totaling 110 controls. Most require assessment by a C3PAO, though some contracts allow self-assessment.
- Level 3: The most comprehensive level enforces all Level 2 controls plus 24 additional controls from NIST SP 800-172, totaling 134 controls. This level addresses highly sensitive information and always requires third-party assessment.
"The model is cumulative," explains Rogers. "Level 1 requires 15 fundamental controls, things like controlling access and assigning individual user accounts. Level 2 builds on those 15 controls, incorporating all 110 from 800-171 Revision 2. Level 3 adds the additional 24 controls from 800-172. Each level builds on the previous one, and compliance is verified against these NIST-defined requirements."
The CMMC framework is organized into core domains covering essential aspects of information security, including Access Control, Awareness and Training, Audit & Accountability, Configuration Management, Identification & Authentication, Incident Response, and Maintenance.
Creating a Roadmap to CMMC Readiness
The organization seeking CMMC certification (OSC) begins by preparing through self-assessments or with the support of RPOs. "RPOs conduct assessments to tell you whether you're on track," explains Rogers. "They are familiar with the process and know what the C3PAO is going to look for. Once you feel ready, you engage a C3PAO, which can be found in the Cyber AB marketplace."
The C3PAO evaluates compliance and may report full certification or indicate gaps needing correction. After assessment, the C3PAO sends a recommendation to Cyber AB, which issues the official certification. Certification is valid for three years, and contractors must be fully certified at the required level at the time of contract award.
While some controls allow risk-based approaches, the process generally focuses on meeting specific requirements. Minor deficiencies can be addressed through a formal plan of action and milestones (POA&M), which outlines the steps, timeline, and resources needed to resolve each gap. However, Level 1 certification does not allow any deficiencies.
"Version 2 of CMMC introduced more flexibility in scoping assessments, allowing organizations to focus only on the assets that process sensitive or contract-specific information, rather than assessing the entire network," notes Rogers. "Organizations should designate a local CMMC expert, typically a senior IT or compliance professional, who serves as the focal point for all certification activities. Using a registered practitioner or RPO is strongly recommended."
Proper scoping and network segmentation are critical. "Only include assets that handle contract-defined information," explains Rogers. "Assessing your entire network unnecessarily increases complexity and workload. Logical and physical segmentation is critical; dedicate machines, users, and network segments to the specific information type."
By staying focused on compliance, planning carefully, and scoping efforts wisely, organizations can navigate the CMMC certification process effectively. "Take the time to understand what really matters, dedicate the right people to manage it, and tackle the assessment in manageable pieces," Rogers concludes. "With this approach, achieving certification becomes not just a requirement, but a process you can handle confidently and efficiently."
Strengthen your compliance posture and reduce cybersecurity risk with Edge’s Governance, Risk, and Compliance (GRC) Assessment. Our experts provide a detailed review against key regulatory and control frameworks, including CMMC. For more information, visit njedge.net/solutions/cybersecurity/edgesecure-privacy-and-compliances-services
CMMC Certification Tips & Tricks
➦ Assign a CMMC expert in your organization who is the focal point for all CMMC-related matters
➦ Use a Registered Practitioner (RP) and/or RPO to help prepare you for the certification process
➦ Scope the assessment properly and minimize the assessment footprint:
  ➦ Do not try to include the entire network in the assessment
  ➦ Only scope assets that specifically process, store, receive, and transmit the CUI defined by the contract
  ➦ Logical and physical separation/segmentation is your friend!
  ➦ Scope using dedicated segments, machines, boundaries, users, etc.
➦ If you have multiple contracts, you may be able to assess all under one CMMC level
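The scoping advice above (include only assets that handle contract-defined CUI, keep them on dedicated segments, and look at whether several contracts can share one boundary) can be checked mechanically against an asset inventory. The script below is an added example, not Edge's or the Cyber AB's tooling; it assumes a hypothetical inventory in which each asset records its network segment, whether it handles CUI, and which contract that CUI belongs to. All hostnames, segments, and contract labels are constructed. It reports the in-scope assets, the segments where CUI and non-CUI assets are mixed (the segmentation gaps that would otherwise drag the whole segment into the assessment), the footprint the assessor would likely see if those gaps were left in place, and which contracts' CUI share a segment.

```python
"""Assessment-scope check for a CMMC boundary (added example, hypothetical inventory)."""
from collections import defaultdict

# Constructed sample inventory: hostnames, segments and contract ids are made up.
INVENTORY = [
    {"host": "cui-fs-01",     "segment": "cui-enclave",   "handles_cui": True,  "contract": "CONTRACT-A"},
    {"host": "cui-ws-07",     "segment": "cui-enclave",   "handles_cui": True,  "contract": "CONTRACT-A"},
    {"host": "cui-ws-12",     "segment": "cui-enclave",   "handles_cui": True,  "contract": "CONTRACT-B"},
    {"host": "lab-gpu-03",    "segment": "research-lan",  "handles_cui": True,  "contract": "CONTRACT-B"},
    {"host": "student-pc-9",  "segment": "research-lan",  "handles_cui": False, "contract": None},
    {"host": "library-kiosk", "segment": "campus-public", "handles_cui": False, "contract": None},
]


def in_scope_assets(inventory):
    """Assets that process, store, receive, or transmit contract-defined CUI."""
    return sorted(a["host"] for a in inventory if a["handles_cui"])


def mixed_segments(inventory):
    """Segments where CUI assets share a network segment with non-CUI assets.

    Each hit is a segmentation gap: without logical or physical separation the
    non-CUI neighbours are likely to be pulled into the assessment boundary.
    """
    by_segment = defaultdict(lambda: {"cui": [], "other": []})
    for a in inventory:
        key = "cui" if a["handles_cui"] else "other"
        by_segment[a["segment"]][key].append(a["host"])
    return {seg: v for seg, v in by_segment.items() if v["cui"] and v["other"]}


def effective_footprint(inventory):
    """Hosts an assessor would probably examine if mixed segments are not fixed:
    every CUI asset plus every non-CUI asset sitting on a mixed segment."""
    mixed = mixed_segments(inventory)
    hosts = set(in_scope_assets(inventory))
    for seg in mixed:
        hosts.update(mixed[seg]["other"])
    return sorted(hosts)


def contracts_per_segment(inventory):
    """Which contracts' CUI live on each segment, to judge whether several
    contracts can be assessed under one boundary."""
    out = defaultdict(set)
    for a in inventory:
        if a["handles_cui"]:
            out[a["segment"]].add(a["contract"])
    return {seg: sorted(c) for seg, c in out.items()}


if __name__ == "__main__":
    print("In scope:", in_scope_assets(INVENTORY))
    for seg, hosts in mixed_segments(INVENTORY).items():
        print(f"Segmentation gap on {seg}: CUI {hosts['cui']} shares it with {hosts['other']}")
    print("Footprint if gaps remain:", effective_footprint(INVENTORY))
    print("Contracts per segment:", contracts_per_segment(INVENTORY))
```

On the constructed inventory the CUI enclave is clean, while `research-lan` mixes a CUI-handling GPU node with a student workstation, so fixing that one segment (moving the node into the enclave or isolating it) shrinks the footprint from five hosts to four. The enclave also carries CUI for two contracts, which is the situation where the last tip applies.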