The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) framework designed to ensure that organizations handling federal information maintain adequate cybersecurity controls. While CMMC is often associated with government agencies and defense contractors, research universities involved in DoD-funded projects may also need to protect Controlled Unclassified Information (CUI) such as research data and technical specifications. As universities pursue government-funded research and federal grants, they must comply with the latest requirements to maintain eligibility and protect sensitive data. Research universities can prepare for CMMC Level 2 compliance by identifying where CUI resides, enhancing access controls and implementing the security measures needed to protect sensitive data.
Continue reading to learn more about CMMC Level 2, why it’s important for research universities and how Keeper supports CMMC compliance.
What is CMMC Level 2?
CMMC includes multiple certification levels; however, institutions involved in DoD-funded research are most likely to encounter CMMC Level 2 requirements. CMMC Level 2 applies to organizations that store, process or share CUI to ensure that sensitive government information is protected from potential cyber threats and unauthorized access. CMMC Level 2 aligns with the security controls outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171, a framework designed to help nonfederal organizations protect CUI. Its 110 security controls cover an array of cybersecurity practices, including access control, authentication, incident response and data integrity.
Why CMMC Level 2 is important for research universities
Government agencies are adopting zero-trust security principles as cyber threats targeting them continue to rise, and CMMC requirements are not reserved solely for traditional defense contractors. For research universities, CMMC Level 2 is especially important because many government-funded research projects involve sensitive data, research findings, testing results and other forms of CUI. Achieving CMMC Level 2 requires institutions to demonstrate that adequate security controls are in place to protect CUI throughout its lifecycle.
The enforcement rule that requires CMMC in DoD contracts (48 CFR) took effect on November 10, 2025, and DoD contracts now carry CMMC requirements on a phased schedule. During the first phase, most requirements take the form of a Level 1 or Level 2 self-assessment, though some contracts already require Level 2 certification through a Certified Third-Party Assessment Organization (C3PAO). Beginning November 10, 2026, broad Level 2 C3PAO certification requirements take effect. The specific requirements depend on the contract details and information being handled. Research universities involved in current or future DoD-funded projects should assess their security posture now to prepare.
What research universities should do for CMMC compliance
Preparing for CMMC Level 2 compliance requires research universities to understand where CUI exists within their environments, evaluate current security controls and support ongoing compliance efforts. Being proactive about CMMC Level 2 compliance can help institutions identify security gaps early and develop a stronger foundation for protecting sensitive data.
Identify where CUI resides
Before implementing security controls, research universities must understand where CUI is stored and processed throughout the organization. CUI can exist in research databases, laboratory systems, cloud platforms and devices used by faculty and researchers. Since universities often operate across multiple departments and programs, it may be challenging to maintain full visibility into sensitive information. In many cases, CUI may exist beyond dedicated research environments, including email messages, shared drives or faculty-owned devices. Identifying these data sources is an important first step in determining which users and systems should be subject to additional security controls.
Conduct a thorough security gap assessment
Once CUI has been identified, research universities should evaluate how their current security practices compare to the requirements outlined in NIST SP 800-171. This should include reviewing existing access controls, monitoring capabilities, incident response plans and auditing processes. Universities should also inventory privileged accounts and review their permissions to determine whether access extends beyond what is necessary for users’ roles. Although many institutions already have security measures in place, those controls may not be implemented consistently across departments and programs.
Implement secure research environments
Research environments should be built to limit access to CUI to authorized users and systems only. Restricting access reduces data exposure and helps prevent the unauthorized disclosure of sensitive information. Identity and Access Management (IAM) solutions can help universities enforce least-privilege access by ensuring users have only the permissions necessary to perform their jobs. Institutions should also mandate Multi-Factor Authentication (MFA) for all accounts accessing systems that contain CUI, including remote-access environments. Strong identity and access controls help minimize insider threats and support CMMC Level 2 requirements pertaining to identification and authentication.
Document SSPs and POAMs
Maintaining accurate System Security Plans (SSPs) and Plans of Action and Milestones (POAMs) can simplify future assessments and demonstrate compliance with CMMC Level 2 requirements. An SSP documents an organization’s security controls and defines how they are implemented and managed. A POAM identifies security gaps and the actions needed to address them. Universities should treat this documentation as an ongoing process instead of a one-time exercise to ensure information remains accurate as systems and research environments change over time.
Prepare for audits by C3PAOs
Research universities seeking CMMC Level 2 certification may be required to undergo assessments conducted by C3PAOs. Preparing for these assessments requires not only implementing security controls but also demonstrating that those controls are functioning properly. Institutions should maintain evidence validating their security practices, including detailed audit trails, access records, security policies and training records. Collecting this information in advance can help streamline the assessment process and reduce the burden of preparing for formal reviews.
How Keeper® supports CMMC 2.0 readiness
Organizations handling CUI need strong access controls, full visibility into user activity and the ability to prove that security controls are working effectively. Achieving CMMC Level 2 compliance requires a combination of people, technology and processes, and Keeper Security Government Cloud (KSGC) helps organizations secure CUI and enhance several security controls that support CMMC readiness efforts. As a FedRAMP High Certified platform, Keeper provides research universities with the tools needed to protect sensitive information, control privileged access and maintain audit-ready visibility across environments.
KSGC helps research universities support CMMC 2.0 readiness by enabling them to:
- Secure credentials and sensitive data in a zero-knowledge architecture (SC.L2-3.13.11, SC.L2-3.13.16, IA.L2-3.5.10): Protect passwords, research-related credentials and sensitive information in encrypted vaults.
- Enforce Role-Based Access Controls (RBAC) (AC.L2-3.1.2, AC.L2-3.1.4, AC.L2-3.1.5): Limit access to systems and data based on user responsibilities, reducing unnecessary exposure of CUI.
- Strengthen authentication with MFA (IA.L2-3.5.3, IA.L2-3.5.4): Enhance account security by requiring additional verification factors for users accessing systems that contain sensitive information.
- Monitor and record privileged sessions (AU.L2-3.3.1, AU.L2-3.3.2): Gain visibility into privileged activity through session monitoring and recording capabilities that support accountability and security investigations.
- Generate audit-ready reports (AU.L2-3.3.6): Maintain thorough compliance reports that record user activity, access and security controls, which can help streamline audit preparation.
- Implement zero-trust security principles (SC.L2-3.13.1, SC.L2-3.13.6): Verify all users and devices before granting access while eliminating implicit trust across on-prem, hybrid and cloud research environments.
Prepare for CMMC Level 2 compliance with Keeper
As research universities continue to become involved in DoD-funded research, CMMC compliance is an increasingly crucial part of protecting sensitive information and remaining eligible for future research opportunities. Since CMMC Level 2 specifically focuses on protecting CUI, institutions should begin assessing their security posture as soon as possible rather than waiting until compliance becomes mandatory. Request a demo today to learn how KSGC can help your institution strengthen access controls, secure CUI and support CMMC Level 2 readiness.