The Cybersecurity Maturity Model Certification (CMMC) program applies to those that intend to or currently participate in research sponsored by the U.S. Department of Defense.
Notice
This page is subject to ongoing updates and modifications. Information or presentation may be revised at any time. If you have any questions, please contact infosec@hawaii.edu.
CMMC Has Arrived! What You Need to Know Webinar
This informational briefing is intended for principal investigators, researchers, administrators and support staff who work with research data. The session will focus on the new CMMC (Cybersecurity Maturity Model Certification) regulation which will take effect on November 10, 2025. CMMC Level 1 and Level 2 will be covered.
Date: Wednesday November 12, 2025
Time: 9:00am
Webinar Slides: CMMC Webinar Presentation Slides
Webinar Recording: CMMC Webinar Recording
Overview of CMMC
The Cybersecurity Maturity Model Certification (CMMC) Program is a framework established by the Department of Defense (DoD) to verify that contractors and subcontractors have implemented required security measures to safeguard sensitive unclassified information. The CMMC Program establishes requirements for defense contractors and subcontractors that process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) on non-Federal systems.
The program mandates that defense contractors and subcontractors demonstrate, through assessment, that they have implemented cybersecurity standards commensurate with the risk associated with the information they handle. Starting on November 10, 2025, the final CMMC acquisition rule (48 CFR) takes effect, initiating a three-year phased rollout during which achieving the required CMMC status becomes a condition of contract award for applicable DoD solicitations.
CMMC program requirements will apply to all DoD solicitations and contracts for which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on its unclassified contractor information systems. This includes new DoD solicitations; new DoD procurement instruments, including contracts, task orders, delivery orders, and their associated option periods (as a condition of exercising an option period); and subcontractors subject to flow-down requirements.
- Phase 1: Begins on November 10, 2025. Where applicable, solicitations will require Level 1 or Level 2 self-assessments.
- Phase 2: Begins on November 10, 2026. Where applicable, solicitations will require Level 2 certification.
- Phase 3: Begins on November 10, 2027. Where applicable, solicitations will require Level 3 certification.
- Phase 4: Begins on November 10, 2028. All solicitations and contracts will include applicable CMMC level requirements as a condition of contract award.
CMMC Model
CMMC utilizes a tiered model with three progressive certification levels that align with the type and sensitivity of information that must be protected.

| CMMC Level | Information Protected | Security Requirement Source | Assessment Type(s) | Assessment Frequency |
|---|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) | 15 basic safeguarding practices from FAR clause 52.204-21 | Annual Self-Assessment entered into the Supplier Performance Risk System (SPRS) | Annually |
| Level 2 | Controlled Unclassified Information (CUI) | 110 requirements aligned with NIST 800-171 Revision 2 (R2) required by DFARS clause 252.204-7012 | Self-Assessment or Certified Third-Party Assessor Organization (C3PAO) entered into SPRS | Triennially (Every 3 years) |
| Level 3 | CUI with Enhanced Protection | 110 requirements from NIST 800-171 Revision 2 (R2) required by DFARS clause 252.204-7012 plus 24 selected requirements from NIST 800-172 (Feb 2021) | Government assessment by Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) entered into SPRS | Triennially (Every 3 years) |
Details by CMMC level
- Level 1 (Self): Focuses on the basic safeguarding requirements necessary to protect FCI. Organizations Seeking Assessment (OSAs) must successfully implement all 15 requirements. No Plans of Action and Milestones (POA&Ms) are permitted.
- Level 2 (Self or C3PAO): Focuses on the comprehensive protection of CUI. For contracts requiring this level, the assessment type depends on the criticality and sensitivity of the information. Some organizations may satisfy the requirement with an OSA-conducted self-assessment. For contracts requiring higher assurance, the Organization Seeking Certification (OSC) must hire an authorized or accredited CMMC third-party assessment organization or C3PAO to conduct the assessment.
- Level 3 (DIBCAC): Focuses on providing enhanced protection against Advanced Persistent Threats (APTs). This assessment is conducted by the government’s DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). A prerequisite for initiating this assessment is achieving a CMMC Status of Final Level 2 (C3PAO) for the systems in scope.
Resources
Definitions
- Federal Contract Information (FCI): As defined in section 4.1901 of the Federal Acquisition Regulation (FAR), FCI is “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, excluding information provided by the Government to the public (such as that on public websites) or simple transactional information, such as that necessary to process payments.”
- Controlled Unclassified Information (CUI): As outlined in Title 32 CFR 2002.4(h), CUI is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” For more information regarding specific CUI categories and subcategories, see the DoD CUI Registry website.
Frequently Asked Questions (FAQs)
As of right now, CMMC only affects DoD grants. It has not yet been adopted by other agencies. However, NIH and NSF have their own cybersecurity requirements.
The best approach is to have your DoD point of contact define the data categories (FCI or CUI) and then confirm the CMMC Level that must be applied.
The best approach is to scope the entire environment from a CMMC Level 2 perspective and categorize assets using the Level 2 asset categories. If properly segmented, the group that interacts only with FCI can be considered out-of-scope assets or contractor risk-managed assets, depending on how they interact with CUI assets in the Level 2 environment.
Scoping depends on the CMMC level and the data being stored, processed, or transmitted. In general, however, these users and their environments are considered in-scope.
Without knowing how a mobile device is used in a specific project, it would be considered a regular asset and would need to be secured as such or kept out-of-scope.
Please contact infosec@hawaii.edu.
Links
- CMMC Website: Official CMMC Website Link
- About CMMC: CMMC Website About Page
- NIST 800-171 R2: NIST 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems
- Relevant DFARS Clauses:
  - DFARS Clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
  - DFARS Provision 252.204-7019: Notice of NIST 800-171 DoD Assessment Requirements
  - DFARS Clause 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
  - DFARS Clause 252.204-7021: Cybersecurity Maturity Model Certification Requirements