Cybersecurity Maturity Model Certification (CMMC)

As of November 2025, the Department of Defense (DoD) has begun applying Cybersecurity Maturity Model Certification (CMMC) requirements to funding opportunities to ensure managed cybersecurity practices are performed across the defense industrial base, with full implementation expected by November 2028. For solicitations in which CMMC is a noted requirement, research programs must ensure that all personnel, equipment, and assets involved in the DoD funded project meet CMMC compliance requirements by the award date.  

The above also applies to flow down funding. If WSU is subcontracted by industry or another institution for work on such a project, full compliance is also a requirement by award date. 

Information Technology Services (ITS) and the Office of Research (OR) have implemented a system-level solution using WSU’s Amazon Web Services (AWS) tenant to address CMMC managed research data.  

DoD solicitations should be reviewed for CMMC requirements prior to proposal development. If included, please contact or.researchsecurity@wsu.edu as soon as possible for assistance in identifying compliance requirements and beginning discussions with the appropriate institutional support teams. 

CMMC compliance requires time and collaboration among you, your research team, OR, ITS, and your college IT units for proper implementation. Additional costs must also be planned for the use of CMMC-compliant regulated data environments on WSU’s Amazon Web Services (AWS) tenant.

To ensure eligibility for DoD research funding, please review the following frequently asked questions (FAQ) for information regarding CMMC compliance at WSU. 


Frequently Asked Questions

Inform the Office of Research at or.researchsecurity@wsu.edu of your interest in pursuing a DoD solicitation that includes CMMC requirements. If you are unsure, we are here to help and provide guidance.

Inform your Associate Dean for Research (ADR) or Vice Chancellor for Research (VCR) of your proposal and work with your Area Technology Officer (ATO) so that they can assist you in identifying appropriate resources, including additional collaborations with Information Technology Services (ITS) and the Office of Research.

Collaborate with the ITS Cloud Architecture team during their open office hours (Tuesdays, 2:00-4:00 PM) on the implementation of a WSU-maintained Amazon Web Services (AWS) regulated data environment (RDE) for your research project. Please contact your ATO and collaborate on attending.

  • DFARS 252.204-7012 (Safeguarding Covered Defense Information)
  • DFARS 252.204-7019 (Notice of NIST SP 800-171 Assessment)
  • DFARS 252.204-7020 (NIST SP 800-171 Assessment Requirements)
  • DFARS 252.204-7021 (CMMC Program Requirements)
  • DFARS 252.204-7025 (Notice of CMMC Requirements)

The DoD began to include CMMC requirements in some solicitations on November 10, 2025. Full implementation is expected by November 2028.

At what point is CMMC compliance required for my research project? A completed assessment and attestation of compliance must be in place by the contract award date. Because ensuring CMMC compliance requires significant effort, you must notify the Office of Research (or.researchsecurity@wsu.edu), your Area Technology Officer (ATO), ADR/VCR and Chair as soon as you review the solicitation and determine that CMMC requirements apply. This notification is mandatory prior to any eREX submission and should occur at the earliest stage of proposal preparation.

At this time, CMMC is specific to DoD funded projects. No other Federal agencies require certification.

CMMC may not be immediately applicable to your research; however, it is at the discretion of the DoD contracting officer managing your contract when CMMC may be applied. If the contract is amended to include the requirement, we anticipate that there will be a grace period provided to meet CMMC compliance.

Contact or.researchsecurity@wsu.edu as soon as possible for assistance. 

Yes, CMMC requirements flow down to all sub-awardees. The requirement may not be immediately applied to your research; however, the DoD may amend the original award to include the requirement, or the contracting organization may amend their contract with WSU to include the requirement.

Contact or.researchsecurity@wsu.edu as soon as possible for assistance.

Compliance for CMMC for on-campus information systems is not currently applicable at WSU. Research teams must utilize a regulated data environment (RDE) within WSU’s Amazon Web Services (AWS) tenant for work involving regulated data.

Contact or.researchsecurity@wsu.edu for assistance or questions regarding this restriction.

RDEs provide a structured and compliant environment in which technical controls and supporting documentation are appropriately configured for regulated data management and processing. General WSU information technology infrastructure does not meet the configuration requirements for CMMC compliance or for other regulated data types.

CMMC Level 1 is associated with “Federal Contract Information” (FCI), defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments” – (Basic Safeguarding of Covered Contractor Information Systems, https://www.acquisition.gov/far/52.204-21). Where applicable to projects involving FCI, Level 1 compliance will be self-assessed and attested to by WSU after assurances of compliance have been met.

CMMC Level 2 is associated with “Controlled Unclassified Information” (CUI), which is “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” – (32 CFR Part 2002, https://www.ecfr.gov/current/title-32/subtitle-B/chapter-XX/part-2002). Level 2 compliance may either be self-assessed and attested to by WSU or require a certified third-party assessment organization (C3PAO) to perform the assessment and attestation, depending on the requirements of the DoD solicitation or contract.

CMMC Level 3 is also associated with CUI and will be applicable when enhanced protection is necessary beyond NIST 800-171r2 framework controls applicable to CMMC Level 2.

WSU’s Amazon Web Services (AWS) tenant hosted regulated data environments (RDEs) will soon be able to accommodate CMMC Level 1. Information Technology Services is currently engaged with the Office of Research and other administrative units in implementing technical controls and developing supporting documentation to meet CMMC Level 1 by mid-December 2025.

Solutions to accommodate CMMC Level 2 will be available no later than November 2026.

CMMC Level 3 compliance is not currently being pursued at WSU.

RDE costs will vary based on the specific requirements of your research project. These can be better understood through early collaborations with your college’s research administrator, ATO, and the ITS Cloud Architecture team.

CMMC-related costs, in addition to the cost of running your RDE, are still being evaluated. For CMMC Level 1 projects, additional compliance costs are not anticipated at this time as maintenance and supporting compliance documentation responsibilities will be shared across college IT units and Central ITS.

For CMMC Level 2 projects, which may require a third-party assessment, budgeting for that assessment should be considered at the proposal stage.  Industry data is still being gathered to assist you and your research support team with this estimate. A centralized CMMC RDE enclave architecture model to address CMMC Level 2 is being explored to help reduce or offset third-party assessment costs. Please contact or.researchsecurity@wsu.edu as soon as possible if pursuing a DoD solicitation requiring a CMMC Level 2 third-party assessment.

Self-assessments must be resubmitted annually.

Third-party assessments must be reassessed every three years, with annual affirmations of compliance.

Please contact or.researchsecurity@wsu.edu for information on your assessment and/or affirmation of compliance.

If your DoD funded project involves FCI or CUI, there is no CMMC compliance exception for Fundamental Research.


Why This Matters 

Failure to appropriately comply with CMMC requirements can result in: 

  • Loss of current or future DoD funding 
  • Legal action against WSU by the Department of Justice
  • Disqualification from proposal consideration 
  • Reputational damage as a research institution 

Need help? Contact or.researchsecurity@wsu.edu for assistance.