CMMC Compliance for Regulated Research

    Universities and research institutes working with DoD must now navigate the complex intersection of CMMC, ITAR, EAR, and federal contracting requirements without derailing collaboration or academic freedom.

    Top CMMC Pain Points in Regulated Research


    Non-U.S. Persons

    Grad students, staff, and collaborators may lack clearance for ITAR/EAR-controlled data.


    Blurry Boundaries

    It’s often unclear when fundamental research becomes CUI or export controlled.


    Shared IT Services

    University-wide support teams may use non-compliant tools or staff, making isolation critical.


    Cloud + On-Prem Needs

    Research networks and labs can’t operate cloud-only; they require hybrid solutions.


    High Stakes

    False Claims Act risk is real (e.g., Georgia Tech, Penn State); compliance must be airtight.

    Speak with an Expert

    Our team of certified experts is ready to speak with you about your needs.

    Options for Regulated Research

    Enclave

    Segment research environments without disrupting the broader university IT ecosystem.

    • Microsoft Gov Cloud for secure collaboration
    • Connects to on-prem research networks and labs
    • Supports virtual/physical desktops, lab devices, data flows
    • Includes managed security, IT, and compliance services

    Ideal for: R1s, research centers, and grant-backed projects

    All-In Approach

    Bring your full research organization into a compliant environment, which is ideal for FAR/CUI clause readiness.

    • Full-scale Gov Cloud migration
    • Protects all federal agency data, not just DoD
    • Future-proofs for NASA, DOT, and State Department contracts
    • Supports crawl → walk → run adoption path

    Ideal for: Institutions with large federal portfolios or long-term compliance strategies


    Frequently Asked Questions

    How does CMMC apply to academic research involving DoD grants?
    CMMC applies to any institution that receives funding from the Department of Defense and handles Controlled Unclassified Information (CUI), including technical research data, export-controlled content, or contract deliverables. This means universities must implement CMMC Level 2 controls (based on NIST SP 800-171) for any systems that process, store, or transmit such data. The rules apply regardless of whether the research is conducted in a central lab, department, or individual PI’s office. Many institutions mistakenly think their academic status exempts them—but CMMC applies to all DoD contractors.
    Are non-US persons allowed in research environments handling CUI?
    Only under strict conditions. If the research data is governed by ITAR or EAR (export control regulations), non-U.S. persons are restricted from access without special licensing. Many universities face compliance risks because research teams often include international students or visiting scholars. Without proper access control, this becomes a violation. Universities must segregate sensitive environments and enforce governance policies to prevent unlicensed access. Even viewing controlled data without touching it can trigger an ITAR violation.
    What governance structure is needed to manage multiple research enclaves?

    A centralized governance body is essential. Many universities struggle because individual departments or researchers operate independently.

    Many senior officials hesitate to sign compliance documentation because of the False Claims Act exposure that comes with attesting to compliance.

    A proper governance structure ensures consistent enforcement of access controls, cloud usage policies, and scoping across departments.

    We recommend forming a CUI oversight committee that includes IT, legal, export control, and research administration. This group can define policy, track enclave boundaries, approve access, and maintain compliance documentation.

    What cloud services are acceptable for storing regulated research data?
    Only FedRAMP Moderate or High-authorized cloud environments are acceptable for storing CUI. For most academic institutions, this means using Microsoft GCC High, Azure Government, or AWS GovCloud. Commercial platforms like Google Drive, Box, Dropbox, and standard Office 365 are not compliant. Using them—even temporarily—can jeopardize both your compliance standing and future DoD research funding. Summit 7 helps universities migrate research workflows into compliant environments without disrupting collaboration.
    What are the biggest risks to ITAR/EAR compliance in university environments?
    The top risks include:
    • Allowing non-U.S. persons to access ITAR data (intentional or accidental)
    • Using non-compliant cloud platforms for sensitive data
    • Failing to segment or properly identify CUI across research projects
    • Lack of documentation or signed export control acknowledgments
    Summit 7 has observed that many universities unknowingly violate ITAR/EAR by allowing shared drives, open cloud folders, or uncontrolled collaboration platforms to host export-controlled content.
    How do shared labs and HPC clusters affect compliance scoping?
    Shared resources like high-performance computing clusters and central labs can significantly complicate CMMC compliance. If CUI is processed on shared infrastructure, that entire system may fall in scope. Universities must either isolate CUI workloads to dedicated environments or apply full CMMC controls across the shared resource. This includes access restrictions, logging, encryption, and configuration management. Summit 7 helps institutions map these boundaries and decide whether to isolate or harden shared assets.
    Can a university’s central IT team manage compliance on behalf of researchers?
    Yes, and in many cases, it’s the best approach. Researchers often lack the security expertise or time to implement full compliance alone. Centralized IT can design, manage, and monitor enclave environments for multiple researchers or departments. This approach improves consistency, reduces cost, and eases audit readiness. Summit 7 works directly with central IT to build scalable, multi-tenant enclave models that support diverse research needs while staying compliant.
    What happens if CUI is accessed through a commercial Office 365 account?
    That constitutes a compliance violation. Commercial Office 365 does not meet the requirements for FedRAMP Moderate or ITAR, and it cannot be used to store or transmit CUI. If a researcher accesses or shares CUI via Outlook, OneDrive, or Teams on a commercial tenant, it may disqualify your institution from future funding, trigger a breach report, or even result in export control violations. Summit 7 assists in identifying and correcting these exposures before an incident occurs.
    Are cloud collaboration tools like Microsoft Teams allowed for regulated research?
    Yes, as long as you use a Government cloud tenant (i.e., GCC High or Azure Government). Microsoft Teams in commercial tenants is not suitable for CUI or export-controlled data. Even if Teams is used solely for messaging or planning, any sharing of sensitive data or links to research files could violate compliance. If collaboration is required, Summit 7 can enable secure B2B guest access within GCC High, allowing controlled interaction between internal and external researchers while maintaining compliance.
    How should universities train researchers on CMMC responsibilities?
    Training should go beyond general cybersecurity awareness. Researchers must understand:
    • What constitutes CUI or export-controlled data
    • Which platforms are authorized for storing and sharing sensitive content
    • The importance of personnel restrictions (e.g., U.S. persons)
    • Responsibilities for documentation, system security plans, and physical access controls

    We recommend targeted, role-specific training supported by reference materials and annual acknowledgment forms.

    Integrating this into the research onboarding process helps avoid noncompliance from the start.

    Note: One of the levels of due diligence that principal investigators (PIs) must perform is understanding the cost allocation for building and operating within a compliant environment.

    Through our enclave, we can build a pricing model for compute costs based on the type of research being done and the systems it needs.

    "Summit 7 provides all the security capabilities we need on our behalf. We can sleep well at night knowing Summit 7’s MXDR service, Vigilance - built on the backbone of Microsoft Defender and Sentinel - has 24/7 monitoring and is a cost-effective model for us."

    – University Chief Research Security Officer


    Summit 7 Pioneers a Scalable MXDR Security Solution for Higher Ed Federal Research
