Industry Solutions

CMMC Compliance for Regulated Research

Regulated Research

Universities and research institutes working with the Department of War (DoW) must now navigate the complex intersection of CMMC, International Traffic in Arms Regulation (ITAR), Export Administration Regulations (EAR), and federal contracting requirements without derailing collaboration or academic freedom.

Top CMMC Pain Points in Regulated Research

Non-U.S. Persons

Grad students, staff, and collaborators may lack clearance for ITAR/EAR-controlled data.

Blurry Boundaries

It’s often unclear when fundamental research becomes Controlled Unclassified Information (CUI) or export controlled.

Shared IT Services

University-wide support teams may use non-compliant tools or staff, making isolation critical.

Cloud + On-Prem Needs

Research networks and labs can’t operate cloud-only; they require hybrid solutions.

High Stakes

False Claims Act risk is real (e.g., Georgia Tech, Penn State) compliance must be airtight.

Speak with an Expert

Only one or two plants might need compliance: how do you isolate without disrupting the rest?

All-In
Enclave

All-In Approach (Rare but Strategic)

Bring your full research org into a compliant environment which is ideal for Federal Acquisition (FAR)/CUI clause readiness.

Full-scale Gov Cloud migration
Protects all federal agency data, not just DoW
Future-proofs for NASA, DOT, and State Department contracts
Supports crawl → walk → run adoption path

Ideal for: Institutions with large federal portfolios or long-term compliance strategies

Hybrid Enclave (Most Common)

Segment research environments without disrupting the broader university IT ecosystem.

Microsoft Gov Cloud for secure collaboration
Connects to on-prem research networks and labs
Supports virtual/physical desktops, lab devices, data flows
Includes managed security, IT, and compliance services

Ideal for: R1s, research centers, and grant-backed projects

Frequently Asked Questions

How does CMMC apply to academic research involving DoW grants?

CMMC applies to any institution that receives funding from the DoW and handles CUI, including technical research data, export-controlled content, or contract deliverables. This means universities must implement CMMC Level 2 controls (based on NIST SP 800-171) for any systems that process, store, or transmit such data. The rules apply regardless of whether the research is conducted in a central lab, department, or individual Principal Investigator’s (PI’s) office. Many institutions mistakenly think their academic status exempts them, but CMMC applies to all DoW contractors.

Are non-U.S. persons allowed in research environments handling CUI?

Only under strict conditions. If the research data is governed by ITAR or EAR (export control regulations), non-U.S. persons are restricted from access without special licensing. Many universities face compliance risks because research teams often include international students or visiting scholars. Without proper access control, this becomes a violation. Universities must segregate sensitive environments and enforce governance policies to prevent unlicensed access. Even viewing controlled data without touching it can trigger an ITAR violation.

What governance structure is needed to manage multiple research enclaves?

A centralized governance body is essential. Many universities struggle because individual departments or researchers operate independently. A proper governance structure ensures consistent enforcement of access controls, cloud usage policies, and scoping across departments. Summit 7 recommends forming a CUI oversight committee that includes IT, legal, export control, and research administration. This group can define policy, track enclave boundaries, approve access, and maintain compliance documentation.

What cloud services are acceptable for storing regulated research data?

Only FedRAMP Moderate or High-authorized cloud environments are acceptable for storing CUI. For most academic institutions, this means using Microsoft Government Community Cloud (GCC) High, Azure Government, or Amazon Web Services (AWS) GovCloud. Commercial platforms like Google Drive, Box, Dropbox, and standard Office 365 are not compliant. Using them, even temporarily, can jeopardize both your compliance standing and future DoW research funding. Summit 7 helps universities migrate research workflows into compliant environments without disrupting collaboration.

What are the biggest risks to ITAR/EAR compliance in university environments?

The top risks include:

– Allowing non-U.S. persons to access ITAR data (intentional or accidental)
– Using non-compliant cloud platforms for sensitive data
– Failing to segment or properly identify CUI across research projects
– Lack of documentation or signed export control acknowledgments

Summit 7 has observed that many universities unknowingly violate ITAR/EAR by allowing shared drives, open cloud folders, or uncontrolled collaboration platforms to host export-controlled content.

How do shared labs and High-Performance Computing (HPC) clusters affect compliance scoping?

Shared resources like HPC clusters and central labs can significantly complicate CMMC compliance. If CUI is processed on shared infrastructure, that entire system may fall in scope. Universities must either isolate CUI workloads to dedicated environments or apply full CMMC controls across the shared resource. This includes access restrictions, logging, encryption, and configuration management. Summit 7 helps institutions map these boundaries and decide whether to isolate or harden shared assets.

Can a university’s central IT team manage compliance on behalf of researchers?

Yes, and in many cases, it’s the best approach. Researchers often lack the security expertise or time to implement full compliance alone. Centralized IT can design, manage, and monitor enclave environments for multiple researchers or departments. This approach improves consistency, reduces cost, and eases audit readiness. Summit 7 works directly with central IT to build scalable, multi-tenant enclave models that support diverse research needs while staying compliant.

What happens if CUI is accessed through a commercial Office 365 account?

That constitutes a compliance violation. Commercial Office 365 does not meet the requirements for FedRAMP Moderate or ITAR, and it cannot be used to store or transmit CUI. If a researcher accesses or shares CUI via Outlook, OneDrive, or Teams on a commercial tenant, it may disqualify your institution from future funding, trigger a breach report, or even result in export control violations. Summit 7 assists in identifying and correcting these exposures before an incident occurs.

Are cloud collaboration tools like Microsoft Teams allowed for regulated research?

Only in GCC High or Azure Government. Microsoft Teams in commercial tenants is not suitable for CUI or export-controlled data. Even if Teams is used solely for messaging or planning, any sharing of sensitive data or links to research files could violate compliance. If collaboration is required, Summit 7 can enable secure Business-to-Business (B2B) guest access within GCC High, allowing controlled interaction between internal and external researchers while maintaining compliance.

How should universities train researchers on CMMC responsibilities?

Training should go beyond general cybersecurity awareness. Researchers must understand:

– What constitutes CUI or export-controlled data
– Which platforms are authorized for storing and sharing sensitive content
– The importance of personnel restrictions (e.g., U.S. persons)
– Responsibilities for documentation, system security plans, and physical access controls

Summit 7 recommends targeted, role-specific training supported by reference materials and annual acknowledgment forms. Integrating this into the research onboarding process helps avoid noncompliance from the start.

Case Study

Summit 7 Pioneers a Scalable MXDR Security Solution for Higher Ed Federal Research

“Summit 7 provides all the security capabilities we need on our behalf. We can sleep well at night knowing Summit 7’s MXDR service, Vigilance – built on the backbone of Microsoft Defender and Sentinel – has 24/7 monitoring and is a cost-effective model for us.”

– Chief Research Security Officer

Read the Story

Testimonials

When I tell big-name defense contractors we’re working with Summit 7, there’s a sigh of relief. That’s a huge advantage.

Matt GustafsonPresident, Clinkenbeard

I have been working with these guys for years now! With lots of hard work and timely communication they made sure they delivered the best to me. Highly recommended!

John DoeCompany Name

“This year, we’re going to pass $400 million. We’re making headway in regulated research. Microsoft and Summit 7 have been a significant contributor toward that growth.”

Reese DangerChief Research Security Officer

Talk to an Expert

Our team of compliance and cybersecurity experts are on standby and ready to help.

This field is for validation purposes and should be left unchanged.

I'm Interested In…(Required)

Check all that apply

Microsoft Licensing

Migration

CMMC Compliance Project

Managed IT Service

Managed Security Service

Managed Compliance Advisory Service

Other

Your Name(Required)

Your Work Email Address(Required)

Phone Number(Required)

Don't Know Where to Start?

Join the Team