CMMC is required for your project activity if (1) you are handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) and (2) your DOD contract includes any of the following Defense Federal Acquisition Regulations (DFARS) clauses:
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7019, Notice of NIST SP 800-171 DOD Assessment Requirements
DFARS 252.204-7020, NIST SP 800-171 DOD Assessment Requirements’
DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements (through 9/30/2025)
Your Join Research Office for Contracts (JROC) team can assist in identifying whether these clauses are required and if the research contains FCI or CUI information.
If you plan to respond to a federal government RFP or RFI and anticipate that CUI may be involved then you must have adequate cybersecurity measures in place to accept said contract. Please contact the Joint Research Office for Contracts (JROC) to determine if the RFP/RFI will be subject to security requirements.
All faculty and staff who may come into contact with CUI data in their course of performing their job duties are required to take training. The training required depends upon your job, and the nature of your interaction with CUI data here at the university.