Protecting CUI and Simplifying Compliance with CMMC 2.0, NIST 800-171, and ITAR

The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) framework has undergone significant changes, and CMMC’s implementation has been delayed until 2023. Until then, universities still need to comply with NIST 800-171, developed specifically to protect CUI. Further, university employees that exchange CUI with people in foreign countries (researchers, for example) need to comply with the State Department’s ITAR regulations governing such communications. One key change that simplifies CMMC compliance is that DoD has aligned the requirements for the new CMMC 2.0 Level 2 with NIST 800-171, which has been in effect since 2017. Level 2 will indicate that an organization is able to securely store and share CUI. Key changes to the State Department’s ITAR regulations that make them easier to comply with are that the exchange of CUI across borders is now permitted as long as the data is end-to-end encrypted, and no cloud services provider has access to keys, network access codes, or passwords that enable decryption. This panel will include a professor of computer science, a university CISO, and a cybersecurity industry expert. Their focus will be on how platforms built on modern cybersecurity principles can facilitate compliance with federal regulations governing CUI. The institutional use case will highlight practical steps to take toward compliance. The aim of the panel is to help your institution achieve CMMC Level 2 certification.