Cybersecurity Maturity Model Certification (CMMC) at USU
Utah State University is committed to supporting research efforts that align with federal cybersecurity requirements. As part of this commitment, USU is actively implementing processes and controls aligned with the Cybersecurity Maturity Model Certification (CMMC), a framework developed by the U.S. Department of Defense (DoD) to safeguard sensitive federal information in the hands of contractors and research institutions.
CMMC is especially relevant for research projects that involve Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The framework defines three maturity levels of cybersecurity practices, with increasing levels of security and oversight.
USU's Current Readiness
USU is currently implementing procedures to support CMMC Level 1, which applies to projects involving Federal Contract Information (FCI) but not Controlled Unclassified Information (CUI). Learn more about CUI at USU here.
What is CMMC Level 1?
CMMC Level 1 focuses on safeguarding Federal Contract Information (FCI) and includes 15 foundational cybersecurity practices across key domains (see table). These practices are drawn directly from NIST SP 800-171 Rev. 2, specifically the subset that applies to basic cyber hygiene.
| Domain | Control | CMMC Practice ID |
|---|---|---|
| Access Control (AC) | Authorized Access Control | AC.L1-B.1.I |
| Access Control (AC) | Transaction & Function Control | AC.L1-B.1.II |
| Access Control (AC) | External Connections | AC.L1-B.1.III |
| Access Control (AC) | Control Public Information | AC.L1-B.1.IV |
| Identification and Authentication (IA) | Identification | IA.L1-B.1.V |
| Identification and Authentication (IA) | Authentication | IA.L1-B.1.VI |
| Media Protection (MP) | Media Disposal | MP.L1-B.1.VII |
| Protection (PE) | Limit Physical Access | PE.L1-B.1.VIII |
| Protection (PE) | Manage Visitors & Physical Access | PE.L1-B.1.IX |
| System and Communications Protection (SC) | Boundary Protection | SC.L1-B.1.X |
| System and Communications Protection (SC) | Public-Access System Separation | SC.L1-B.1.XI |
| System and Information Integrity (SI) | Flaw Remediation | SI.L1-B.1.XII |
| System and Information Integrity (SI) | Malicious Code Protection | SI.L1-B.1.XIII |
| System and Information Integrity (SI) | Update Malicious Code Protection | SI.L1-B.1.XIV |
| System and Information Integrity (SI) | System & File Scanning | SI.L1-B.1.XV |
What USU Researchers Need to Know
- Do you handle federal contract data? If yes, CMMC may apply to your research.
- Not sure if your project involves FCI? Talk to Sponsored Programs or your contract officer.
- Already working on a DoD-funded project? Let’s ensure the data protections align with CMMC requirements.
USU's Path Forward
USU is committed to supporting federally funded research by maintaining CMMC-aligned mechanisms and procedures that principal investigators (PIs) can utilize to meet compliance requirements. Our current focus is on:
- Developing simple pathways for PIs to complete required documentation and self-assessments for CMMC Level 1
- Providing clear guidance on how to handle Federal Contract Information (FCI) in accordance with CMMC Level 1
- Exploring options for future secure enclaves or external partnerships for projects requiring CMMC Level 2 or 3 protections
- Offering consultation and technical support through the Research Security Office and Information Technology
