
Research University CMMC Programs and the Federal Research Compliance Picture

By Basel Ismail, May 30, 2026

CMMC compliance is hard enough for defense contractors with relatively contained IT environments. Now apply those same requirements to a research university, where you have decentralized IT governance, faculty who view security controls as obstacles to academic freedom, thousands of transient users (students), and research data flowing across departments, cloud platforms, and international collaborations. The implementation reality on campus is genuinely messy, and it deserves a closer look than it usually gets.

Why Universities Are in Scope at All

The connection is straightforward. The Department of Defense funds a significant volume of university research. In FY2023, DoD obligated approximately $2.7 billion to universities through basic and applied research grants and contracts. When that research involves Controlled Unclassified Information (CUI), the university is subject to DFARS 252.204-7012, which requires compliance with NIST SP 800-171. CMMC 2.0, codified in the final rule published on October 15, 2024 (32 CFR Part 170), layers a certification and assessment framework on top of those existing NIST requirements.

Level 2 CMMC certification, which maps to all 110 controls in NIST SP 800-171 Rev 2, is where most university research programs handling CUI will land. Level 1 (the 17 practices for Federal Contract Information only) is less common in the research context because if DoD is funding the work, there is usually CUI involved. Level 3, incorporating controls from NIST SP 800-172, applies to the most sensitive programs and is assessed by DIBCAC directly.

The Structural Problem on Campus

Defense contractors typically have a CISO who can mandate security controls across the organization. Universities do not work this way. Research computing at a major university is often distributed across dozens of departments, each with its own IT staff, its own servers, and its own ideas about how data should be managed. The central IT organization may provide shared services, but it rarely has enforcement authority over a principal investigator's lab network.

This creates a fundamental architectural challenge. NIST SP 800-171 requires a defined system boundary, access controls, audit logging, incident response capabilities, and configuration management across the entire environment where CUI resides. On a university campus, CUI might touch a researcher's laptop, a departmental file share, a high-performance computing cluster, a collaboration platform, and a graduate student's personal device. Defining and defending that boundary is significantly harder than in a corporate environment.

Several universities have responded by building dedicated enclaves: isolated computing environments specifically designed to meet NIST SP 800-171 requirements. Indiana University's Carbonate Secure Research Environment, Purdue's REED (Research Environment for Secure and Efficient Data), and Penn State's ICDS Roar Collab restricted environment are examples. These enclaves work, but they are expensive to build and maintain, and they introduce friction that researchers often resist.

The Faculty Problem

This is worth calling out specifically. Faculty researchers operate with a degree of autonomy that has no real parallel in the corporate world. A principal investigator running a $3 million DoD-funded project may view compliance requirements as bureaucratic interference with their scientific mission. They are accustomed to choosing their own tools, managing their own data, and collaborating freely with colleagues at other institutions, including foreign ones.

Getting faculty buy-in for CMMC controls requires a combination of education, institutional policy, and sometimes contractual enforcement through subaward terms. Some universities have started requiring CUI training as a condition of receiving DoD-funded awards, similar to how they require Responsible Conduct of Research training for NSF grants under 42 USC 1862o-1.

The Overlap with Other Federal Research Compliance Requirements

CMMC does not exist in isolation on campus. Universities are simultaneously navigating several other federal compliance frameworks that touch research security:

  • NSPM-33 (January 2021): The National Security Presidential Memorandum on U.S. Government-Supported Research and Development, which requires disclosure of all research support, including foreign funding. Implementation guidance was issued in January 2022, and federal agencies have been updating their grant terms accordingly.
  • CHIPS and Science Act, Section 10631 (August 2022): Requires research institutions to maintain research security programs as a condition of receiving federal funding above a threshold. The specific requirements are still being finalized by OSTP and individual agencies.
  • Export Controls (EAR/ITAR): University research involving controlled technology has long been subject to export control regulations. The fundamental research exclusion under EAR 15 CFR 734.8 and ITAR 22 CFR 120.11 provides some relief, but that exclusion evaporates when the research involves access restrictions, which CUI markings inherently create.
  • DFARS 252.204-7000 series clauses: Beyond 7012, universities must also contend with 7019 (NIST SP 800-171 self-assessment reporting to SPRS), 7020 (allowing DoD to assess compliance), and 7021 (the CMMC requirement itself).

The interaction between the fundamental research exclusion and CUI requirements is particularly thorny. If a DoD contract specifies that research results are CUI, the fundamental research exclusion no longer applies, which means the university may need export licenses for foreign national researchers working on the project. This can directly conflict with the university's mission of open inquiry and its practical reliance on international graduate students and postdocs. At many engineering and computer science departments, foreign nationals comprise 50% or more of the graduate research workforce.

Where Things Stand Right Now

The CMMC 2.0 final rule established a phased implementation beginning in 2025, with full enforcement expected by 2028. For universities, the timeline pressure is real but somewhat uneven. Not every DoD-funded project involves CUI, and the specific CMMC level required will be determined contract by contract.

The practical reality is that most universities are somewhere in the middle of their compliance journey. A 2023 survey by EDUCAUSE found that only 30% of responding institutions felt confident in their ability to meet NIST SP 800-171 requirements across all relevant research programs. The cost is significant; building and operating a compliant enclave can run $500,000 to $2 million annually depending on scale, and that does not include the personnel costs for compliance staff, which are often harder to fund than the technology.

Consortium approaches have emerged as a partial solution. The Big Ten Academic Alliance has been coordinating on research security and CMMC readiness. The University of Texas System has explored shared infrastructure models. These make sense economically, but they introduce their own governance complexities around shared responsibility and incident response.

The Subcontractor Wrinkle

Universities frequently act as both prime contractors and subcontractors on DoD research. When a university subcontracts part of a project to another institution or a small business, it inherits flow-down obligations under DFARS. This means the university's Office of Sponsored Programs needs to verify that subcontractors also meet applicable CMMC levels, adding another layer of due diligence to an already complex grants management process.

How FirmAdapt Addresses This

FirmAdapt's compliance-first architecture is built to handle exactly the kind of multi-framework, multi-stakeholder environment that universities face. The platform maps controls across NIST SP 800-171, CMMC 2.0 levels, export control requirements, and institutional policies simultaneously, which means a university compliance office can manage overlapping obligations without maintaining separate tracking systems for each framework. The system boundary documentation and POA&M management features are designed to accommodate the enclave-based approaches that most universities are adopting.

For institutions managing dozens or hundreds of DoD-funded projects at varying CMMC levels, FirmAdapt provides project-level compliance tracking that rolls up to an institutional view. This gives both the research security officer and the CISO visibility into where gaps exist, which projects are at risk, and where remediation resources should be directed. The platform handles the complexity so that compliance teams can focus on the genuinely hard problems of institutional change management and faculty engagement.
