UW Research
Frequently-Asked Questions

Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) FAQs

FAQs for the DoD Cybersecurity Maturity model Certification (CMMC) requirements.


Where do I find out more about the DoD Cybersecurity Maturity Model Certification?

The Office of the Under Secretary of Defense for Acquisition & Sustainment has a very informative website on Cybersecurity Maturity Model Certification.

Who can help me to understand whether UW IT resources meet the standards imposed by the DoD CMMC?

If you need help understanding whether UW IT resources meet the standards imposed by the DoD CMMC, contact help@uw.edu

Can a UW central office assess and certify my Cybersecurity Measures?

Assessment and Certification of Cybersecurity Measures as required by the Department of Defense is not done centrally at the UW.

How come the UW is not certified at the enterprise level?

Only those parts of the institution conducting DoD-sponsored research under a contract either as prime or subcontractor, must obtain CMMC certification at the level appropriate to the work they are doing for DoD.

Is Fundamental Research exempt from CMMC?

There is no exemption from CMMC for fundamental research.

Will the University include the cost to comply with CMMC requirements as part of F&A?

At this time, there is not “enterprise level” CMMC certification and therefore, the cost to comply is not University-wide and not included in F&A.

The DoD will cover the cost of CMMC certification as a direct cost per project. These costs can be built into a budget, with proper justification/back-up documentation.

When will university-based labs and other research facilities conducting DoD-sponsored research need to be CMMC certified?

It is expected that CMMC 2.0 will be codified by the rulemaking process sometime within 9-24 months from November 2021.

Will CMMC 2.0 apply to DoD grants, in addition to contracts?

At this time, it is understood this will apply to DoD contract funding only.

I have experienced a cyber incident. How does this get reported?

Cyber incident reporting is according to UW Administrative Policy Statement (APS) 2.4. See CISO website for more information.