5 Things to Look for in Your Contract to Prepare for CMMC Compliance 

Written by nysernet | Aug 11, 2025 3:42:09 PM

If your institution has Department of Defense (DoD) contracts, you’ve likely heard the term Cybersecurity Maturity Model Certification (CMMC). But understanding what that really means for your university or research center can be a challenge. 

CMMC is a cybersecurity framework that sets the standard for how contractors and subcontractors protect sensitive government information. More importantly, it's not optional. Starting Oct. 1, 2025, CMMC compliance will be required for nearly all new DoD contracts. That includes higher education institutions working on federally funded research.  

What is CMMC? 

CMMC is designed to help the DoD ensure its contractors are following cybersecurity best practices, especially when dealing with sensitive but unclassified data, called CUI (Controlled Unclassified Information). Depending on the type of data your institution works with, your contract may fall into one of three CMMC levels. 

Level 1: Basic Cyber Hygiene for Federal Contract Information 

  • Applies to institutions handling Federal Contract Information (FCI), information not intended for public release but not considered CUI. 
  • Requires self-assessment and annual affirmation. 
  • Based on 15 security practices from FAR 52.204-21. 

Level 2: Protecting Controlled Unclassified Information 

  • For institutions working with CUI, sensitive information that requires more safeguards than FCI. 
  • Requires compliance with 110 security controls from NIST SP 800-171. 
  • Depending on the contract, assessments may be self-performed or conducted by a certified third party (C3PAO) every three years. 
  • Annual affirmation is still required. 

Level 3: Advanced Protection for High-Risk CUI 

  • Reserved for organizations managing highly sensitive CUI that may be targeted by advanced cyber threats. 
  • Requires all Level 2 controls plus 24 additional practices from NIST SP 800-172. 
  • Assessments are performed by the Defense Contract Management Agency (DCMA) every three years. 

5 Key Clues in Your Contract That May Signal CMMC Requirements 

Even if your contract doesn’t explicitly mention "CMMC," it may already include cybersecurity obligations that point to a required compliance level. Here's what to check for: 

1. DFARS Clauses 

If your contract includes any of the following, you are currently required to comply with CMMC: 

  • DFARS 252.204-7012 (since 2017) 
  • DFARS 252.204-7019 (since 2020) 
  • DFARS 252.204-7020 (since 2020) 

These clauses often apply to organizations handling CUI, meaning your institution is likely expected to meet CMMC Level 2 requirements. 

2. References to NIST SP 800-171 

If your contract mentions NIST SP 800-171, it’s a strong indicator that you're dealing with CUI, and you'll need to align with CMMC Level 2 at a minimum. 

3. CUI Markings 

Look for labels like: 

  • Controlled Unclassified Information 
  • CUI 
  • Controlled 
  • Older terms like FOUO (For Official Use Only) or SBU (Sensitive But Unclassified) 

These markings, often found on headers, footers and cover pages, signal that you're working with CUI, and CMMC Level 2 likely applies. 

Bonus tip: If your institution handles ITAR-related data, that’s also considered CUI, and you'll need to meet Level 2. 

4. FCI vs. CUI Distinction 

If your contract involves only FCI (as defined in FAR 52.204-21), you may fall under CMMC Level 1, which is simpler and allows for self-assessment. But once CUI is involved, the requirements become more stringent. 

5. Language About Future Compliance 

New DoD contracts will begin requiring CMMC certification starting Oct. 1, 2025. Look for language that discusses upcoming or ongoing certification requirements; CMMC is not a one-and-done process. It's a cycle of assessment, affirmation, and continuous improvement. 

Still Have Questions? 

Understanding your contract is just the beginning, but you're not in this alone. 

Join us for a live fireside chat where cybersecurity leaders will break down the CMMC framework, clarify what it means for your institution and share real-world insights from organizations that have already gone through the process. 

You’ll leave with: 

  • A clearer view of what level your institution needs to meet 
  • Practical steps to start preparing now 
  • Confidence in your next steps toward compliance 

Don’t wait until CMMC becomes a roadblock. Use this time to get ahead and ensure your institution stays eligible for the research opportunities it relies on. 

Register here and stay ahead: https://cvent.me/KM9wgW