CIO Perspectives on Research Data Security and CMMC Compliance 

The stakes around CMMC compliance are clear: institutions that cannot provide compliant environments will increasingly be passed over for opportunities, even if they present valuable faculty research. 

As one CIO said during the webinar, “[institutions risk] losing more finite grant dollars not because we don’t have the researchers, but because we don’t have the environments or the compliance in place.” 

Another CIO underscored the urgency, saying, “Compliance is really a competitive advantage. If you are compliant, it opens up the avenue for more researchers to bring in more contracts and keep dollars flowing into the university.”

This reality is accelerating campus-wide recognition that cybersecurity infrastructure directly underpins research growth, making CMMC a strategic imperative rather than merely a compliance obligation.

Universities face the reality that networks are complex beasts built over many years, making comprehensive compliance exceptionally difficult. 

In response, many institutions are adopting hybrid or cloud-first strategies to create secure research environments that meet CMMC requirements. There are advantages to having either: 

• Cloud-First Solutions can accelerate compliance by taking on some of the burden of meeting compliance standards, especially around physical controls. 
• Hybrid Environments leverage algorithms to place workloads optimally across cloud and on-premises resources while maintaining compliance, allowing researchers to focus on their work. 

When evaluating different cloud solutions, ask yourself the following questions:

• Which cloud platform is your campus community familiar with? 
• Will it hinder or enhance your research?
• Which provider has experience with an institution of your size?
• Is the provider CMMC accredited?
• Is the provider familiar with the technology platform you’re envisioning? 

Consider exploring Internet2’s Cloud Infrastructure Community Program (CICP) to connect with a community of your peers to share and  receive cloud expertise, capabilities, and capacities. 

Technology alone won’t make institutions CMMC compliant. Success requires a partnership between IT and research administration, with the most effective governance using a “triangle approach” involving IT leadership, compliance offices, and research administration.

These partnerships must be built on strong face-to-face relationships. One campus leader’s advice was direct: “Get your shoes on, walk down the hall, and meet somebody. Don’t just meet them over Zoom. Get on the phone, set up coffee, and ask them what their concerns are. Meet some of the researchers. Listen.” 

Institutions with meaningful cross-department relationships can navigate compliance more effectively and efficiently.

The financial reality of CMMC compliance can be daunting. 

This work is expensive, with costs surging as most institutions scale back. One CIO reported adding between three to four staff members specifically for controlled research work — a significant investment for some institutions.

An emerging consensus points to a three-pronged financial model that balances three specific expenses:

1. Central institutional investment
2. Access to additional facilities and administrative dollars
3. Direct funding from researchers through proposals

This approach requires institutions to increasingly insert themselves into proposal development, ensuring researchers budget realistically for secure environments. That is something many institutions have not done historically. 

At the same time, CIOs emphasized the risk of pricing themselves out of competitiveness. One said, “We don’t want to put our researchers out of business; we need to consistently benchmark everything, so our cost model doesn’t make us uncompetitive.”

If the financial hurdles are significant, the cultural barriers may be even more formidable. 

Nearly every CIO flagged culture as the biggest challenge they face. CMMC creates tension with researchers accustomed to academic research traditions who question why their long-standing methods must now change, requiring a paradigm shift from the senior level down. 

A part of that shift is the external audit, an entirely new territory for higher education research. 

As one leader noted, “This is the first time in my more than 20 years in higher education that we will undergo a third-party compliance assessment.” 

Until now, universities primarily relied on self-assessment. With external auditors now evaluating compliance, institutions must shift to continuous monitoring rather than periodic check-ins.

The urgency of addressing this cultural dimension cannot be overstated. Start messaging and communication now, letting people know something new is coming that will reshape how the work gets done. Leaders suggest clear communication that focuses on the “Why.”

To ensure compliance and increase institutional buy-in, campus IT leaders need to strategically position themselves and research administration as true collaborators, emphasizing three key messages:

1. The requirements come from federal agencies, not IT.
2. Compliance protects the institution’s grants and enables its research.
3. IT’s role is to enable innovation, not restrict it.

The external audit process itself demands careful preparation. While CMMC Level 2 institutions can self-assess, most are choosing external assessment due to the significant risk of getting it wrong. 

The audit structure is unforgiving, according to one CIO. “When that auditor shows up, if they find a control that is not meeting requirements, they pack up and walk out the door,” they said.  Institutions can “spend a significant five-figure sum on an audit and have a failed outcome and need to pay to do it again,” according to that CIO. 

The challenge of a proper, cost-effective audit is compounded by a key constraint: advisory and audit functions must be separate. 

“Whoever is your advisor as a Certified Third-Party Assessor Organization (C3PAO) can’t be your auditor, so you have to invest in separate relationships,” said one of the CIOs. 

This demands thorough preparation and strategic relationship-building well in advance. Leading institutions conduct gap analyses followed by mock assessments 12-18 months before formal audits. 

Regarding audits, the panel’s advice was consistent: build a relationship with a consulting C3PAO and a separate relationship with an auditing C3PAO as early as possible.

Strategic scope management emerged as a critical success factor. As one CIO emphasized: “Scope, scope, scope. Don’t boil the ocean.” 

The speakers noted the need to approach CMMC similarly to how Payment Card Industry (PCI) compliance was managed, as a formal project with defined milestones, accountability, and executive sponsorship spanning IT and research administration. 

Most institutions prioritize Level 2 compliance, which aligns with the majority of sponsored research activity. Level 3 requires hard conversations with the Office of Research to balance research with its financial implications. Most institutions treat Level 3 as entirely separate, with some creating dedicated research foundations to manage those projects.

“This is absolutely not something you can do in 30 or 60 days. This is a multi-year project,” one CIO said during the call. “If you haven’t started already, start now. Begin the conversation.” 

For institutions very early in their journey, cloud-based solutions were highlighted as a pragmatic short-term approach that can deliver compliance faster than on-premises alternatives.