Identity Automation Blog

Nov 10 CMMC Mandate: University Survival Guide

Written by Identity Automation | Nov 18, 2025 9:13:23 PM

A critical milestone has arrived. As of November 10, 2025, the U.S. Department of Defense (DoD) can include Cybersecurity Maturity Model Certification (CMMC) requirements in new solicitations and contracts, with those requirements phased in over the following years. Research universities that handle Controlled Unclassified Information (CUI) under DoD awards must now be able to demonstrate conformance with the CMMC framework, which incorporates the NIST SP 800-171 security requirements.

For research universities, this means verifying how CUI is protected within their research systems, or risking eligibility for DoD-funded projects.

 

Understanding the Frameworks

NIST SP 800-171: Protecting CUI in Non-Federal Systems - NIST Special Publication 800-171 (Revision 2, the version CMMC assesses against) specifies 110 security requirements across 14 control families. These requirements define how non-federal entities (such as universities and contractors) must protect CUI within their information systems. Key elements include access control, identification and authentication, audit and accountability, incident response, and controlling the flow of CUI.

NIST SP 800-207: Zero Trust Architecture - Where 800-171 defines what to protect, NIST SP 800-207 describes one way to protect it: a Zero Trust Architecture (ZTA). The publication describes an Enhanced Identity Governance (EIG) approach to ZTA, which shifts cybersecurity from perimeter-based defenses to continuous identity verification, dynamic access decisions, and real-time monitoring. In this model, every access request is authenticated and authorized in a context-aware manner. Once access is granted, trust is not persistent; it must be continuously re-evaluated. This fits naturally with academic research networks, where collaboration and shared computing environments create complex, evolving access patterns.

CMMC: The Certification Framework - The Cybersecurity Maturity Model Certification (CMMC) turns the NIST SP 800-171 requirements into an assessable, tiered model:

  • Level 1 – Foundational: Basic safeguarding of Federal Contract Information (FCI), verified by annual self-assessment.
  • Level 2 – Advanced: All 110 NIST SP 800-171 requirements (for CUI).
  • Level 3 – Expert: Level 2 plus a subset of the enhanced requirements from NIST SP 800-172, aimed at advanced persistent threats and adding resilience and continuous-monitoring elements.

Most universities handling CUI under DoD contracts will need at least CMMC Level 2, which means implementing all 110 NIST SP 800-171 requirements and, depending on the contract, either a self-assessment or an assessment by a certified third-party assessment organization (C3PAO).

 

What Research Universities Must Do to Stay Compliant

Universities conducting DoD-funded research that handle Controlled Unclassified Information (CUI) must meet several key requirements as of November 10:

  • Maintain documented compliance: keep a current System Security Plan (SSP), with a Plan of Action for any open items, that maps to the NIST SP 800-171 requirements.
  • Implement robust access governance: enforce the principle of least privilege (PoLP) and multifactor authentication on systems that process CUI, for network access to all accounts and for local access to privileged accounts.
  • Enable secure collaboration: extend the same protections to cloud and federated research environments, using federation standards such as SAML and OIDC and federations such as InCommon.
  • Monitor continuously: deploy monitoring and alerting capable of detecting anomalous access and credential misuse.
  • Report incidents: DFARS 252.204-7012 requires reporting cyber incidents to DoD within 72 hours of discovery.
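The monitoring requirement above can be prototyped directly over authentication events. The following Python is an added example, not code from Identity Automation or RapidIdentity: it parses a constructed, space-delimited auth log (timestamp, user, source IP, country, result, resource; the format, the thresholds and the events themselves are hypothetical) and raises alerts for three common credential-misuse patterns: a login from a country the user has never successfully logged in from before, a password spray (many distinct accounts failing from one source IP inside a short window), and a burst of failures followed by a success on the same account.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events (not real logs). One event per line:
#   <ISO timestamp> <user> <source ip> <country> <ok|fail> <resource>
SAMPLE_LOG = """\
2025-11-10T08:00:00 alice 10.0.0.5 US ok cui-share
2025-11-10T08:05:00 bob 10.0.0.7 US ok cui-share
2025-11-10T08:10:00 alice 10.0.0.5 US ok cui-share
2025-11-10T08:20:00 alice 203.0.113.9 BR ok cui-share
2025-11-10T09:00:00 carol 198.51.100.4 US fail vpn
2025-11-10T09:00:05 dave 198.51.100.4 US fail vpn
2025-11-10T09:00:10 erin 198.51.100.4 US fail vpn
2025-11-10T09:00:15 frank 198.51.100.4 US fail vpn
2025-11-10T09:00:20 grace 198.51.100.4 US fail vpn
2025-11-10T10:00:00 bob 10.0.0.7 US fail cui-share
2025-11-10T10:00:30 bob 10.0.0.7 US fail cui-share
2025-11-10T10:01:00 bob 10.0.0.7 US fail cui-share
2025-11-10T10:01:30 bob 10.0.0.7 US fail cui-share
2025-11-10T10:02:00 bob 10.0.0.7 US ok cui-share
"""

# Hypothetical thresholds; tune them to the environment's baseline.
SPRAY_MIN_ACCOUNTS = 5               # distinct accounts failing from one IP ...
SPRAY_WINDOW = timedelta(minutes=5)  # ... within this window
BRUTE_MIN_FAILS = 3                  # failures on one account before a success ...
BRUTE_WINDOW = timedelta(minutes=10) # ... within this window


def parse(log: str) -> List[dict]:
    """Parse the constructed log format into dicts, oldest event first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "ok": result == "ok", "resource": resource})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, subject) alerts in the order they fire."""
    alerts: List[Tuple[str, str]] = []
    baseline: Dict[str, set] = defaultdict(set)             # countries seen per user on success
    fails_by_ip: Dict[str, List[dict]] = defaultdict(list)
    fails_by_user: Dict[str, List[dict]] = defaultdict(list)
    sprayed = set()                                         # IPs already alerted on
    for e in events:
        if e["ok"]:
            # New-location login: success from a country this user has never used.
            if baseline[e["user"]] and e["country"] not in baseline[e["user"]]:
                alerts.append(("new-location-login", e["user"]))
            baseline[e["user"]].add(e["country"])
            # Failures then success: enough recent failures on this account, then a win.
            recent = [f for f in fails_by_user[e["user"]] if e["ts"] - f["ts"] <= BRUTE_WINDOW]
            if len(recent) >= BRUTE_MIN_FAILS:
                alerts.append(("failures-then-success", e["user"]))
            fails_by_user[e["user"]].clear()
        else:
            fails_by_user[e["user"]].append(e)
            fails_by_ip[e["ip"]].append(e)
            # Password spray: many distinct accounts failing from one IP in a short window.
            window = [f for f in fails_by_ip[e["ip"]] if e["ts"] - f["ts"] <= SPRAY_WINDOW]
            if len({f["user"] for f in window}) >= SPRAY_MIN_ACCOUNTS and e["ip"] not in sprayed:
                sprayed.add(e["ip"])
                alerts.append(("password-spray", e["ip"]))
    return alerts


def run_sample() -> List[Tuple[str, str]]:
    """Run the detector over the constructed log."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, subject in run_sample():
        print(f"ALERT {rule}: {subject}")
```

The rules are deliberately stateful: the new-location rule only fires once a user has a baseline, and the spray rule keys on the source IP rather than the account, which is what distinguishes a spray from an ordinary brute-force attempt. In production the same logic would consume the identity provider's audit feed rather than a string constant.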

 

Enhanced Identity Governance: Applying Zero Trust using RapidIdentity

The Enhanced Identity Governance (EIG) approach to Zero Trust Architecture (ZTA) enables universities to achieve and maintain compliance across their various environments. It emphasizes continuous verification, ensuring that every access request, whether from local, cloud, or remote sources, is authenticated and authorized in real time. Through dynamic policy enforcement, access decisions adapt to user attributes, device posture, geolocation, time of day, risk score, and other signals. Lifecycle management automates onboarding and de-provisioning, so that only active project members retain access to Controlled Unclassified Information (CUI). Sponsored identities and federation support secure collaboration with external researchers while maintaining strict compliance boundaries.

 

How RapidIdentity supports NIST 800-171 and CMMC Controls

Security Objective (NIST SP 800-171 Rev 2 requirement) | ZTA Concept | RapidIdentity Enablement
Restrict system access to authorized users (3.1.1, 3.1.2) | Continuous authentication; attribute-based access enforcement | Sponsored identities keep external collaborators managed and authorized; request/approval workflows ensure that only validated, approved users receive access to systems
Enforce MFA and adaptive login controls (3.5.3) | Risk-based authentication | Multifactor and contextual verification
Prevent privilege creep and standing elevated access (3.1.6, 3.1.7) | Continuous evaluation | Just-in-Time (JIT) access combined with automatic deactivation, so dormant or overextended privileges do not persist
Employ the principle of least privilege (3.1.5) | Enforcement via policy decision and enforcement points (PDPs/PEPs) | Time-bound privilege escalation grants temporary elevated rights and revokes them automatically on expiry
Maintain account lifecycle oversight (3.5.1, 3.5.5, 3.5.6) | Automated trust evaluation | Automated provisioning and de-provisioning
Monitor and audit access behavior (3.3.1, 3.3.2) | Continuous diagnostics and monitoring | Behavior analytics and alerting
Secure remote research environments (3.1.12, 3.1.13) | Zero Trust Network Access (ZTNA) | Policy-based, identity-centric connectivity
Rapid response to security incidents (3.6.1, 3.6.2) | Risk-based enforcement | Delegated administration can disable users on integrated systems
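To make the EIG model described earlier and the JIT / time-bound privilege rows of the table concrete, here is an added example of a minimal policy decision point in Python. It is not RapidIdentity code or a NIST reference implementation; the attribute names, the `ALLOWED_COUNTRIES` set, the 60-minute grant lifetime, and the users and project in `scenario()` are hypothetical. Every request is evaluated from scratch (sponsorship expiry, MFA, managed device, location, project membership), elevated rights exist only as grants that carry their own expiry, and de-provisioning removes membership and grants together.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Hypothetical policy constants (assumptions, not RapidIdentity settings):
# countries from which CUI may be reached, and how long a JIT grant lives.
ALLOWED_COUNTRIES = {"US"}
JIT_LIFETIME = timedelta(minutes=60)
T0 = datetime(2025, 11, 10, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Grant:
    role: str
    expires: datetime


@dataclass
class User:
    uid: str
    projects: Set[str]
    sponsor_expires: Optional[datetime] = None  # set only for sponsored external identities
    grants: List[Grant] = field(default_factory=list)


@dataclass
class Request:
    user: User
    project: str          # project whose CUI is being accessed
    action: str           # "read" or "admin"
    mfa: bool             # did this session complete MFA?
    device_managed: bool  # device-posture signal from the endpoint agent
    country: str          # geolocation of the source address
    now: datetime


def active_roles(user: User, now: datetime) -> Set[str]:
    """Drop expired grants, then return the roles still in force."""
    user.grants = [g for g in user.grants if g.expires > now]
    return {g.role for g in user.grants}


def decide(req: Request) -> Tuple[bool, str]:
    """Policy decision point: default deny, every condition re-checked per request."""
    u = req.user
    if u.sponsor_expires is not None and u.sponsor_expires <= req.now:
        return False, "sponsorship expired"
    if not req.mfa:
        return False, "MFA required"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "location not permitted"
    if req.project not in u.projects:
        return False, "not a project member"
    if req.action == "admin" and "project-admin" not in active_roles(u, req.now):
        return False, "no active admin grant"
    return True, "allow"


def grant_jit(user: User, role: str, now: datetime) -> Grant:
    """Time-bound privilege escalation: the grant carries its own expiry."""
    g = Grant(role, now + JIT_LIFETIME)
    user.grants.append(g)
    return g


def offboard(user: User) -> None:
    """De-provisioning: project membership and all grants go at the same time."""
    user.projects.clear()
    user.grants.clear()


def scenario() -> List[Tuple[bool, str]]:
    """Walk an internal researcher and a sponsored external through the lifecycle."""
    alice = User("alice", {"radar-sim"})
    bob = User("bob", {"radar-sim"}, sponsor_expires=T0 + timedelta(days=1))

    def req(user, action="read", now=T0, **overrides):
        ctx = dict(project="radar-sim", mfa=True, device_managed=True, country="US")
        ctx.update(overrides)
        return Request(user=user, action=action, now=now, **ctx)

    out = [
        decide(req(alice)),                  # allow: all signals good
        decide(req(alice, mfa=False)),       # deny: same user, no MFA this session
        decide(req(alice, action="admin")),  # deny: no standing admin rights
    ]
    grant_jit(alice, "project-admin", T0)
    out.append(decide(req(alice, action="admin", now=T0 + timedelta(minutes=30))))  # allow: grant live
    out.append(decide(req(alice, action="admin", now=T0 + JIT_LIFETIME)))           # deny: grant expired
    out.append(decide(req(bob)))                                                    # allow: sponsorship valid
    out.append(decide(req(bob, now=T0 + timedelta(days=2))))                        # deny: sponsorship lapsed
    offboard(alice)
    out.append(decide(req(alice)))                                                  # deny: de-provisioned
    return out


if __name__ == "__main__":
    for allowed, reason in scenario():
        print("ALLOW" if allowed else "DENY ", reason)
```

The point of the design is that nothing is cached between decisions: the same user is denied a minute after being allowed if a signal changes, an admin grant disappears on its own without anyone remembering to revoke it, and a sponsored identity stops working the moment its sponsorship lapses, which is the behaviour the 800-171 least-privilege and account-management requirements expect an identity platform to enforce.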

By deploying RapidIdentity, research universities can achieve and sustain compliance using an Enhanced Identity Governance approach to ZTA while increasing operational security across complex research ecosystems.