University researchers request exemption from new federal cybersecurity standards

The DOD's new set of cyber standards could dissuade university researchers from participating in defense research, according to Educause.
cybersecurity padlock
(Getty Images)

Higher education research and information security leaders sent a joint letter to the Department of Defense asking they exclude fundamental research conducted at universities from its new information security requirements, Educause announced Thursday.

The security requirements, released in January, are part of the Cybersecurity Maturity Model Certification program, the DOD’s new set of cyber standards for all of its 300,000 contractors, from weapons manufacturers to universities doing basic research with defense-dollars. The requirements established a five-tier system of controls that range from basic practices like using strong passwords at level 1, to advanced protocols, like optimizing protection of information from advanced persistent threats, at level 5. But higher education researchers expressed concern that such regulations would stifle information sharing in the research community and dissuade universities from participating in defense-related research projects.

Research conducted at higher education institutions as part of DOD contracts would fall under CMMC Level 1, according to the DOD Office of Acquisition and Sustainment, and would require research universities to apply significant security standards and controls to their research activities.

However, university research is generally made publicly available, and by requiring strict security standards to secure information would frustrate researchers’ efforts to share results with each other and build off of each others’ work, according to Educause. In addition, the compliance costs associated with meeting the proposed security requirements could dissuade some higher education researchers and their institutions from participating in defense-related projects, to the detriment of national defense and higher education research, the group wrote.


Because of these concerns expressed by researchers and their institutions, Educause, as well as the Council on Governmental Relations, the Association of American Universities and the Association of Public and Land-grant Universities, submitted comments to the DOD addressing concerns over the CMMC program and its potential consequences it would have on university research.

Specifically, the associations requested that the DOD exclude higher education research from the scope of CMMC and asked the federal agency to engage the higher education research and information security communities in a constructive dialogue so the program’s requirements are not improperly imposed on research programs and projects.

Betsy Foresman

Written by Betsy Foresman

Betsy Foresman was an education reporter for EdScoop from 2018 through early 2021, where she wrote about the virtues and challenges of innovative technology solutions used in higher education and K-12 spaces. Foresman also covered local government IT for StateScoop, on occasion. Foresman graduated from Texas Christian University in 2018 — go Frogs! — with a BA in journalism and psychology. During her senior year, she worked as an intern at the Center for Strategic and International Studies in Washington, D.C., and moved back to the capital after completing her degree because, like Shrek, she feels most at home in the swamp. Foresman previously worked at Scoop News Group as an editorial fellow.

Latest Podcasts