Join the CMMC Scoping Workshop to discuss the new Cybersecurity Maturity Model Certification (CMMC) 2.0 program and the impact on universities performing research under a Department of Defense (DoD) contract. The event will feature an overview of the new CMMC program requirements for federal Controlled Unclassified Information (CUI) followed by a collaborative World Cafe session with members of the UW research and IT communities focused on understanding the impact of CMMC on UW research.
Details
When: Tuesday, March 31, from 8am to 11:30am (Drop-Ins Welcome!)
Where: Morgridge Hall
Agenda
8am to 9am: Overview of CMMC 2.0 opportunities, challenges and a call to action
- Challenge: enabling research and innovation while meeting federal requirements for compliance
- Challenge: designing an appropriately-scoped research environment for CUI that can be certified for CMMC
- Introduction to CMMC scoping considerations: importance of scoping, asset types, risks, and certification criteria
- Introduction to World Cafe CMMC scoping activity
9:15am to 11am: CMMC Scoping World Cafe (Drop-Ins Welcome!)
Overview: Topics related to CMMC Level 2 scoping will be covered at different tables in the room. Participants will rotate through, spending about 20 minutes at each table. A facilitator at each table will provide background context and prompt participants to share ideas, concerns, and requirements related to that topic and record those on a sheet of paper/whiteboard.
Table Topics:
- Research Requirements – What computing, data, facility, instrument, or software tools are needed to conduct research that is or will be funded by the DoD?
- Cloud Assets In Scope for CUI – What cloud-based infrastructure is needed to enable researchers to do their DoD-funded research in a CMMC Level 2 compliant environment?
- On-Premise Assets In Scope for CUI – What on-premise resources will need to be in scope to enable researchers to do their DoD-funded research in a NIST 800-171 compliant environment?
- Security Protection Assets In Scope for CUI – This asset category in the CMMC Level 2 scoping guide is described as “Assets that provide security functions or capabilities to the Organization Seeking Assessment’s (OSA) scope (i.e. the UW–Madison).”
- Specialized Assets in Scope for CUI – This asset category in the CMMC Level 2 scoping guide is described as “Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment.”
- Assets Out of Scope for CUI – This asset category includes things that would not be within the boundaries of a CMMC Level 2 environment and therefore are not in scope for assessment/certification. This could include assets that cannot secure CUI assets, assets that are physically or logically separated from CUI assets, or VDIs that do not allow interaction with CUI beyond the keyboard/video/mouse.
- Culture – What are challenges and opportunities for creating a culture of compliance in our researcher and IT populations at UW?
- Shared Responsibility – What are opportunities and challenges for sharing responsibilities for CMMC Level 2 compliance across schools, colleges, departments, and divisions?
