Cybersecurity Maturity Model Certification


Much of the funding for Northeastern University comes from government contracts. In order to continue doing business with the government and to continue submitting proposals and conducting research for government projects, Northeastern must be able to show measurable compliance with certain security standards on a recurring basis.

These security standards are part of the Cybersecurity Maturity Model Certification (CMMC) program, which was established by the United States Department of Defense Office of the Under Secretary of Defense for Acquisition and Sustainment to create standard security practices and processes around protecting information and data associated with Department of Defense-funded research.

The information and data handled through CMMC practices in relation to government research projects at Northeastern is known as Controlled Unclassified Information (CUI). (To learn more about CUI at Northeastern, please refer to this page.) In order to safeguard CUI related to government projects, this material is handled through a certified research environment called Government Community Cloud (GCC High).

GCC High access is managed through user accounts. GCC High accounts allow users to operate managed devices in a secure computing environment that includes a secure version of the Microsoft O365 Suite, and they are specifically assigned to users who are working under active Technology Control Plans (TCP) or other projects that require GCC High. (A TCP outlines what materials or data need to be kept secure and describes how those items will be kept secure for government projects.)

CMMC Levels

CMMC measures three levels of cybersecurity maturity. Northeastern’s IT Services, Research Enterprise Services, and other key stakeholders and research partners are seeking level 2 of the Cybersecurity Maturity Model Certification 2.0 (released in late 2021) and putting the processes, governance, and training in place to meet these requirements. Level 2 is the minimum level for protecting CUI. Currently, some researchers and projects are also involved with level 1, which is the minimum level related to the foundational baseline of cybersecurity for all government contracts.

Defense Federal Acquisition Regulation Supplement (DFARS) clauses that implement CMMC

There are a handful of Defense Federal Acquisition Regulation Supplement (DFARS) clauses that implement CMMC. (DFARS is a set of cybersecurity regulations that the Department of Defense imposes on external contractors and suppliers, such as Northeastern University.)

One or more DFARS clauses may be included in a Department of Defense-related Request for Proposal (RFP) or Request for Information (RFI). (RFPs and RFIs are calls for proposals published by the government in order to gather information from organizations that are interested in conducting research or doing other work for specific government projects.)

For your reference, DFARS clauses that implement CMMC are listed below:

  • DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’
  • DFARS 252.204-7019, ‘Notice of NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7020, ‘NIST SP 800-171 DoD Assessment Requirements’
  • DFARS 252.204-7021, ‘Cybersecurity Maturity Model Certification Requirements’ (through 9/30/2025)

How does CMMC impact me?

Cybersecurity Maturity Model Certification (CMMC 2.0) standards and guidelines will have a direct impact on certain Northeastern employees who are involved with government research projects that specifically require the protection of certain types of Controlled Unclassified Information (CUI) as identified by the inclusion of DFARS 252.204-7012 or NIST 800-171 in the contract terms. Users who need to use GCC High for managing and working with CUI will have to adhere to the following CMMC 2.0 requirements:

  • You must be working on an active Technology Control Plan (TCP) and using your account to process, transmit, or store CUI designated as Covered Defense Information or Export Controlled Information.
  • You must take Northeastern University’s Security Awareness, Controlled Unclassified Information (CUI), and Insider Threat trainings annually.
    • The ITS CMMC Program will be enforcing a 90-day account recertification process, whereby accounts which are not active during a 90-day window, and which are not re-certified as required for an active project, will be disabled after 90 days of inactivity.
  • Active account users for CMMC must use a separate device imaged with GCC High standard requirements and managed by Information Technology Services to assure appropriate containment of CUI data within the Secure Enclave environments.
  • Limited loaner devices are available; however, contract proposals and associated budgets must account for this requirement (where Request for Proposals state that CMMC may or will apply to the resulting contract).
  • Loaner laptop requests are managed as part of the TCP review process; please reference this site for further details and contact information for the Research Compliance team.
  • Transfer of data to external storage devices (including USB) is restricted to only authorized devices which comply with the requirements outlined in the Northeastern University CUI Media Protection Standard. Most notably, the following requirements should be reviewed and adhered to:
    • Identification and marking of all media with CUI data (i.e., digital, non-digital)
    • All system media, digital and non-digital, containing federal contract information (FCI)* or CUI which are subject to disposal or reuse must be sanitized.
    • The CUI Policy on Media Protection prohibits storage of CUI on unencrypted portable storage devices (i.e., removable media).
    • Information System Security Officer (ISSO) or individuals (e.g., Lab Director) with assigned oversight responsibility for maintaining the appropriate operational security posture for an information system or enclave (e.g., lab) are responsible for identifying and documenting the specific CUI systems on which approved removable media devices may be used, if any. Please refer to the NU CMMC Media Protection Standard for removable media controls.
  • For further information on CMMC policies, visit the CMMC Published Policies Knowledge Base (ServiceNow login is required to view the policies)
  • For any questions regarding the CMMC Program please send an email
  • If you have any questions about the applicable data security requirements under your contract, including questions about how to comply with non-CMMC CUI standards, please contact Research Compliance at

*(Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.)

Things to note about RFPs and RFIs

As Northeastern employees navigate the process to submit proposals to government RFPs or RFIs that include one or more of the DFARS clauses that implement CMMC, it may be helpful to note the following:

  • The RFP or RFI will specify the required CMMC level for that project.
  • A self-assessment of security implementation may be required by the time of the award of a contract as a result of an RFP or RFI proposal.
  • Proposal budgets may include the cost of implementing CMMC (such as the cost of a separate device to handle CUI) as direct costs.

Frequently Asked Questions

Where can I find more information about CMMC?

Visit the official government CMMC website.

What does CMMC apply to?

Currently, Northeastern’s implementation of CMMC applies to Department of Defense-related proposals, contracts, and projects.

I am conducting research at Northeastern, and I am not sure if my project requires adherence to CMMC requirements. Who should I contact to figure this out?

Great question! To get started, please feel free to contact the CMMC program office at

How long do I have to utilize my GCC High account before it is disabled?

You must utilize your account consistently, as all accounts will be disabled after ninety (90) days of inactivity.

How to Contact Us

Do you have a question or need more information about CMMC, GCC High, CUI, or government research projects at Northeastern University? Please reach out. The staff at Northeastern looks forward to connecting with you.

CMMC Program

Research Compliance