BU Information Security Update on Federal Research Requirements: Shared Computing Cluster now meets CMMC Level 1

Federal sponsors are increasingly requiring researchers to comply with stringent cybersecurity standards like the National Institute of Standards and Technology (NIST) Special Publications 800-171 or 800-53. Additionally, the Department of Defense (DOD) now requires some research to comply with its Cybersecurity Maturity Model Certification (CMMC) program.

Boston University provides infrastructure to help meet some of these requirements. We are pleased to announce that BU’s Shared Computing Cluster now meets CMMC Level 1 compliance! CMMC Level 1 requires adherence to 15 controls outlined in Federal Acquisition Regulation (FAR) 52.204-21. BU Information Services and Technology (IS&T) has implemented additional security controls and conducts annual assessments to ensure compliance. Note that CMMC Level 2 requires compliance with NIST 800-171 plus an external audit, and is not satisfied by the Shared Computing Cluster.

How to Tell If These Requirements Apply to You
Solicitations, proposals, and awards may explicitly require compliance with NIST 800-171 or CMMC, or they may reference Defense Federal Acquisition Regulation Supplement (DFARS) or Federal Risk and Authorization Management Program (FedRAMP) instead. If unclear, consult BU Sponsored Programs SP Pre-Award Officer or BU Information Security at buinfosec@bu.edu.

What to Do If CMMC Level 2, NIST 800-171 or 800-53 Requirements Apply
BU’s general computing environment is not fully compliant with these stricter requirements. BU partners with Sherlock Cloud Solutions & Services (San Diego Supercomputer Center) to provide compliant environments. Using Sherlock may involve additional costs. For cost estimates or assistance, contact BU Information Security at buinfosec@bu.edu.