BRIEFING: CMMC 2.0: Proposed Expansion of Cybersecurity Requirements for the Research Enterprise


In the last few days of 2023, the Department of Defense published a proposed rule of note for research institutions. The rule proposes to establish the assessment mechanism of the Cybersecurity Maturity Model Certification (CMMC) Program (incorporating the cybersecurity requirements of NIST Special Publication (SP) 800–171 Rev 2 and advancing the cybersecurity principles of NSPM-33) and to institute new security requirements for Controlled Unclassified Information (CUI).

Notably, the rule would expand the scope and level of required attestations and submissions by universities that are DOD contractors or subcontractors. In practice, the new regulatory requirements would demand the attention of counsel and research administrators in marshalling additional compliance resources and managing the expanded False Claims Act risk to be borne by the university research enterprise.

Hear from Daniel Shapiro, Associate Vice President, Research Compliance at the University of Southern California, and Michael Vernick, Partner at Akin, as they explain the proposed requirements and their potential impact on colleges and universities. This free 30-minute audio briefing is open to all NACUA members who register.