University of Wisconsin–Madison
Diverse community participating in research of young woman with laptop

Summary of Cybersecurity Maturity Model Certification (CMMC) workshop

Posted by

Whitney Jacobson

on

A research compliance scoping workshop was held on March 31, 2026 to gather input on enabling national security research while meeting new federal compliance requirements for the Cybersecurity Maturity Model Certification (CMMC) Level 2 controls and assessment objectives. Both introductory remarks and group discussions highlighted the need for campus-wide approach to this emerging compliance requirement. 

The workshop followed a world cafe format, facilitating small group discussions in 8 topics areas, including research needs; culture; shared responsibility; and requirements for on-premise and cloud components, and controls required for CUI, Security Protection, Specialized, and Out of Scope CMMC Level 2 assets.

Workshop participants gather around tables with different colored papers and converse.

More than 50 individuals participated, including PIs, researchers, IT leaders, and subject matter experts in cybersecurity and research administration.

View the UW-Madison Spring 2026 CMMC Scoping Workshop Report.

What we heard

  • Researchers attending or providing input asynchronously shared descriptions of research systems and tools they currently use, which could potentially fall under CMMC requirements with future DoD funding. Some researchers indicated it would be difficult to replicate the specialized computational resources they currently use within a cloud enclave. Researchers shared details about software, computing systems, and instruments that might need to be in scope as Specialized Assets. A number of ideas were raised about controls to ensure physical boundaries between the enclave and Specialized Assets and challenges of managing instruments used for CUI and non-CUI data/research were discussed.
Four people gather in front of a projection screen and next to a table with blue sticky notes.
  • Cybersecurity experts provided input on security assets and controls needed to secure CUI within and in transit in/out of an enclave. While much of the infrastructure would be built from cloud infrastructure services, participants suggested that UW-Madison has some existing Security Protection Assets that might be leveraged, including firewall, vulnerability management, and SIEM (Security Incident and Event Management) tooling. Virtual Desktop infrastructure was identified as a critical component to enable access to the enclave through a managed interface and keeping laptops and endpoints out of scope.
  • Participants agreed that building a culture of compliance for CMMC will need to include communications to raise awareness and training. Participants from across schools and colleges expressed willingness to contribute to culture and shared operational responsibilities for CMMC and suggested a need for coordination and governance of these efforts.

What’s next?

Since the workshop, a number of steps have taken shape to drive the CMMC enclave and shared responsibility efforts. These include planning for a CMMC program to bring together units across campus to address the non-IT operational and cultural components of CMMC and the establishment of a Regulated Research operational area within the DoIT Research Cyberinfrastructure unit to begin work on the CMMC Level 2 enclave.

The Cybersecurity Maturity Model Certification (CMMC) project is intended to enable the University’s ability to conduct regulated research for the Department of Defense (DoD) by developing a secure research computing environment that meets CMMC compliance requirements for U.S. Federal Government Controlled Unclassified Information (CUI) Defense Categories. The effort is in support of an Office of the Vice Chancellor for Research (OVCR)’s strategic priority to increase DoD research funding and expand the university’s national security-oriented research and education opportunities.