CMMC Assessments in Higher Education: What Campus Leaders Are Saying
I just got back from the EDUCAUSE Cybersecurity and Privacy Professionals Conference in Anaheim last week, and I came home with a notebook full of conversations that I think a lot of provosts, CIOs, and CISOs need to hear. The hallway talk between sessions, the candid moments over coffee, the side conversations with peers from institutions of every size: it all painted a remarkably consistent picture of where colleges and universities are right now with the Cybersecurity Maturity Model Certification (CMMC).
If you are at an institution that touches Department of Defense research, federal contracts, or any program that handles Controlled Unclassified Information (CUI), the next 12 to 24 months are going to define your CMMC story. And based on what I heard, most institutions are not where they think they are.
Here is what higher ed leaders kept telling me, and what I would tell any campus thinking about its CMMC assessment strategy this year.
CMMC Is Not a Project. It Is an Ongoing Security Program.
The single most consistent theme I heard from every higher education leader I spoke with: CMMC compliance is not a one-and-done effort. Several institutions that thought they had "finished" their initial scoping work two years ago are now realizing the program never really ended. Researchers move. Contracts shift. New CUI flows in through a federal grant nobody flagged. A faculty member spins up a Google Drive folder for a DoD-adjacent project, and suddenly the institution has a brand new compliance footprint to manage.
The leaders who were furthest along were the ones who had stopped framing CMMC as a finite project with a finish line. Instead, they had built it into their information security program as a continuous obligation that includes quarterly scoping reviews, ongoing CUI compliance monitoring, and standing governance committees that include research administration, the registrar, contracts, and the CISO's office. The institutions still treating CMMC like a one-time CMMC certification sprint were the ones falling behind.
If you are evaluating where your campus stands today, the first question is not "Are we ready for our CMMC Level 2 assessment?" The first question is: "Do we have an operating model that keeps us ready year over year?"
The Data Identification Problem Is the Iceberg Under the Surface
The most painful conversation I had at the conference, and I had it more than once, was about data identification and data minimization. Higher ed institutions, more than almost any other vertical, struggle with the simple question of where their CUI actually lives.
Think about the data sprawl on a typical campus. Decentralized colleges and schools. Shared drives that go back 15 years. Faculty laptops. Departmental servers in basements that nobody has touched since the previous director retired. Legacy research data sitting in cloud storage that was provisioned by a postdoc who graduated in 2019. The institutional data perimeter is not really a perimeter at all. It is a constellation.
Several leaders told me, candidly, that their biggest blocker to a CMMC readiness assessment is not the controls themselves. It is the discovery problem. They cannot scope what they cannot see. And until they can identify CUI across their environment, every downstream decision (boundary definition, system security plan, CMMC gap assessment, control implementation) is built on sand.
If your institution has not done a serious data discovery exercise, that is the work that should be on the calendar this quarter. Not because the CMMC assessment demands it as a checkbox, but because you cannot make smart minimization decisions without it. And every piece of CUI you can responsibly retire, archive, or move out of scope is a piece of CUI you do not have to defend, audit, or pay to protect.
GRC Tool Budgets Are Getting Cut. Spreadsheets Are Quietly Coming Back.
This was one of the more surprising threads of the week, and one I think will catch a lot of people off guard. Several medium and large institutions that had invested in dedicated GRC platforms for CMMC compliance tracking told me their renewal conversations this year were brutal. Budget pressure, declining enrollment in some markets, and the broader squeeze on higher ed operating budgets are forcing security teams to defend tooling line items that, two years ago, were considered table stakes.
The result? Some institutions are not renewing. They are reverting to spreadsheets, SharePoint lists, and manually maintained control matrices. A few are consolidating multiple tools into a single, lower-cost platform. Almost none of them are happy about it.
I want to be honest about what this means. A spreadsheet-based approach is workable for an institution with a tightly scoped enclave and a small number of CUI-handling systems. It is much less workable when you are trying to manage 110 controls across multiple business units, document evidence for an upcoming CMMC Level 2 assessment, and demonstrate continuous monitoring to a C3PAO. If you are heading down this path because of budget constraints, you need to compensate with rigorous process discipline and, often, with outside help from a CMMC consultant who can bring structure to what your tools used to do for you.
The leaders who were navigating this best were the ones being radically honest with their leadership about the operational risk of pulling back on tooling, and pairing that conversation with a clear ask for either restored budget or supplemental advisory support.
Federal Funding Is the Real Reason CMMC Matters on Campus
Cybersecurity is the headline. Federal funding is the actual stakes.
Every higher ed leader I talked to understood, at some level, that CMMC compliance helps secure federal research funding, and that the absence of it puts that funding at risk. But not every institution has effectively translated that into language their boards and presidents understand. Research dollars are not abstract. They fund faculty, graduate students, lab infrastructure, and entire centers. A university that cannot demonstrate CMMC readiness when a contract requires it is a university that watches that contract, along with the multi-year revenue attached to it, go to a peer institution that can.
That is the conversation I encouraged every leader I met to have with their cabinet. CMMC is not an IT problem. It is a research enterprise resilience problem. And the institutions that frame it that way internally are the ones getting the executive sponsorship, the budget, and the cross-functional cooperation that an actual CMMC assessment demands.
If you are wondering how to make the case for a CMMC gap assessment or a formal readiness engagement this fiscal year, start with the contracts at risk. Quantify the funding exposure. The math usually makes the case for itself.
CMMC Is a Shared Responsibility, Not Just an IT Problem
The institutions making real progress had one thing in common: they had stopped treating CMMC as the CISO's problem.
CMMC compliance touches the Office of Research, sponsored programs, contracts and procurement, HR (because access management is a personnel process), facilities (because physical security controls matter), faculty governance, and the registrar in some cases. The institutions trying to run CMMC out of central IT alone were burning out their security teams and missing entire categories of CUI that lived in business processes IT never sees.
The institutions that were thriving had built shared accountability models, sometimes formalized as a CMMC steering committee, sometimes embedded into the existing research compliance governance structure. They had executive sponsors above the CIO. They had legal counsel reviewing flow-down clauses in subcontracts. They had research administrators trained to flag CUI at the proposal stage, not at the closeout stage.
This is the operational shift that I think will separate the institutions that get certified efficiently from the ones that struggle through multiple cycles. CMMC is a shared responsibility across the institution, and the sooner your governance reflects that, the easier every subsequent step becomes.
What This Means for Your Next CMMC Assessment
If you walked into 2026 thinking your campus had a handle on CMMC, the conversations from this week probably should give you pause. Most higher ed institutions are dealing with some combination of unresolved data discovery, shrinking tooling budgets, fragmented governance, and a growing realization that the program is bigger than they originally scoped.
The good news is that none of this is unsolvable. The institutions making progress are doing a few specific things well. They are treating data identification as a foundational, ongoing exercise rather than a one-time scoping task. They are being honest with their leadership about tooling and resourcing tradeoffs. They are building cross-institutional governance that makes CMMC a shared lift. And they are engaging external partners (whether for a CMMC readiness assessment, a CMMC gap assessment, or full advisory support through their CMMC Level 2 assessment) early enough to actually benefit from the guidance.
If your institution is anywhere on this journey and you are not sure what your next move should be, talk to someone. Talk to peers. Talk to your sponsored programs office. And if it would help to talk to a vCISO who has been in these conversations all week and works with higher education clients on CMMC for universities, that is exactly the conversation we are happy to have.
The federal funding is too important. The research is too important. And the path forward is far more achievable than most campuses realize, once they see the work clearly.
How Compass Can Help
At Compass IT Compliance, we work alongside colleges and universities at every stage of their CMMC journey, bringing the kind of structure, experience, and steady hand that complex compliance programs require. Our higher education clients rely on us as a long-term partner for everything from program strategy to day-to-day execution. If you would like to talk through where your institution stands today, we are always happy to start that conversation.