University researchers request exemption from new federal cybersecurity standards
Higher education research and information security leaders sent a joint letter to the Department of Defense asking that it exclude fundamental research conducted at universities from its new information security requirements, Educause announced Thursday.
The security requirements, released in January, are part of the Cybersecurity Maturity Model Certification program, the DOD’s new set of cyber standards for all of its 300,000 contractors, from weapons manufacturers to universities doing basic research with defense dollars. The requirements established a five-tier system of controls that range from basic practices like using strong passwords at level 1, to advanced protocols, like optimizing protection of information from advanced persistent threats, at level 5. But higher education researchers expressed concern that such regulations would stifle information sharing in the research community and dissuade universities from participating in defense-related research projects.
Research conducted at higher education institutions as part of DOD contracts would fall under CMMC Level 1, according to the DOD Office of Acquisition and Sustainment, and would require research universities to apply significant security standards and controls to their research activities.
However, university research is generally made publicly available, and requiring strict security standards to secure information would frustrate researchers’ efforts to share results with each other and build off of each other’s work, according to Educause. In addition, the compliance costs associated with meeting the proposed security requirements could dissuade some higher education researchers and their institutions from participating in defense-related projects, to the detriment of national defense and higher education research, the group wrote.
Because of these concerns expressed by researchers and their institutions, Educause, as well as the Council on Governmental Relations, the Association of American Universities and the Association of Public and Land-grant Universities, submitted comments to the DOD addressing concerns over the CMMC program and the potential consequences it would have on university research.
Specifically, the associations requested that the DOD exclude higher education research from the scope of CMMC and asked the federal agency to engage the higher education research and information security communities in a constructive dialogue so the program’s requirements are not improperly imposed on research programs and projects.