Summit Research Institute occupies a high-risk compliance intersection: it performs cutting-edge defense research attracting some of the nation's most talented scientists — including foreign nationals — while operating under the legal and cultural norms of a university that prizes openness and collaboration. DFARS 252.204-7012, CMMC 2.0 Level 2, and ITAR/EAR create a strict access-controlled environment that is structurally at odds with academic culture. Eight compliance findings expose the institute — and its parent university — to contract termination, False Claims Act liability, and federal export control enforcement.
Three active DoD-sponsored grants totaling $8.2M/year in direct funding. All three involve CUI-designated technical data and are subject to DFARS 252.204-7012. Export-controlled technical data is present under all three awards.
- Machine learning algorithms for GPS-denied autonomous navigation; adversarial robustness testing; terrain-relative navigation using computer vision and inertial navigation fusion.
- Fatigue crack initiation and propagation mechanisms in novel high-entropy alloys for shipboard structural components; synchrotron X-ray diffraction; multi-physics simulation.
- Adaptive AI systems monitoring human operator cognitive load in real time; dynamic autonomy adjustment in human-machine teams; physiological sensing and unmanned system simulations.
Assessment conducted by CMMC Registered Practitioner Organization (RPO). All findings mapped to NIST SP 800-171 Rev. 2 and CMMC 2.0 Level 2 practices. Three findings classified as Critical.
Finding 1
- Domain: Access Control (AC)
- Practices: 3.1.1 / 3.1.2
- Estimated effort: 120–160 hours
- Estimated cost: $12,000–$18,000
- Timeline: 30–45 days

Observation: Graduate students rotating through the autonomous systems lab are granted broad access to shared network drives containing CUI technical data as a matter of operational convenience. No formal need-to-know determination is documented before access is provisioned. Access accounts frequently persist beyond a student's involvement on a specific project. A single shared credential exists for the CUI file share among several graduate students — eliminating all audit trail capability.

Risk: Unauthorized disclosure of DARPA-funded CUI could trigger DFARS 252.204-7012 breach notification. Shared credentials prevent forensic attribution. CUI spillage to a student's thesis repository (e.g., university GitLab) constitutes a reportable unauthorized disclosure to the DoD CIO.

Remediation: Implement role-based access control (RBAC). Require formal need-to-know determination signed by PI before any graduate student account is provisioned. Enforce individual (non-shared) accounts. Deploy automated account deprovisioning tied to project end dates in the Sponsored Research Office system. Integrate with university identity management for automatic revocation within 24 hours of student separation.
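The deprovisioning logic this remediation calls for can be expressed as a reconciliation between the Sponsored Research Office roster and the CUI share's access list. The script below is an added example, not code from the assessment, the institute or its SRO system; the roster fields, account names, group names and the shared-account naming prefixes are all constructed for the illustration. It revokes any account that is a shared credential, is absent from the roster, or has no assignment with both a PI-signed need-to-know determination and an unexpired project end date.

```python
"""Reconcile CUI file-share access against the Sponsored Research Office roster.

Added example; not code from the assessment, the institute or its SRO system.
Inputs are constructed: a roster export (one row per person-project assignment,
with the PI's need-to-know sign-off date and the project end date) and an ACL
dump of the CUI share. Output: accounts to revoke, with the reason, so that
deprovisioning follows project end dates and a shared credential never survives.
"""
from collections import defaultdict
from datetime import date

# Constructed roster export (field names are hypothetical).
ROSTER = [
    {"account": "jdoe",   "project": "DARPA-AUTONAV", "pi_ntk_signed": "2024-09-01", "project_end": "2025-12-31"},
    {"account": "asmith", "project": "DARPA-AUTONAV", "pi_ntk_signed": "",           "project_end": "2025-12-31"},
    {"account": "bkim",   "project": "ONR-HEA",       "pi_ntk_signed": "2023-01-15", "project_end": "2024-06-30"},
    {"account": "bkim",   "project": "ONR-HMT",       "pi_ntk_signed": "",           "project_end": "2026-03-31"},
]

# Constructed ACL dump of the CUI share: account -> groups granting access.
SHARE_ACL = {
    "jdoe":       {"cui-autonav-rw"},
    "asmith":     {"cui-autonav-rw"},
    "bkim":       {"cui-hea-rw"},
    "lab-shared": {"cui-autonav-rw", "cui-hea-rw"},   # the shared student credential from the finding
    "cwong":      {"cui-hea-rw"},                     # present on the share, absent from the roster
}

# Naming convention assumed for non-individual accounts (hypothetical).
SHARED_ACCOUNT_PREFIXES = ("lab-", "shared-", "svc-")


def active_assignments(roster, today: date) -> dict[str, list[dict]]:
    """Assignments that still justify access: PI-signed need-to-know and project not yet ended."""
    ok = defaultdict(list)
    for row in roster:
        if row["pi_ntk_signed"] and today <= date.fromisoformat(row["project_end"]):
            ok[row["account"]].append(row)
    return ok


def reconcile(roster, acl, today: date) -> dict[str, str]:
    """Return {account: reason} for every ACL entry that must be revoked."""
    justified = active_assignments(roster, today)
    listed = {row["account"] for row in roster}
    revoke = {}
    for account in sorted(acl):
        if account.startswith(SHARED_ACCOUNT_PREFIXES):
            revoke[account] = "shared credential: no individual accountability"
        elif account not in listed:
            revoke[account] = "not on the SRO roster"
        elif account not in justified:
            revoke[account] = "no assignment with PI-signed need-to-know and an unexpired project end date"
    return revoke


def accounts_to_revoke(today_iso: str) -> dict[str, str]:
    """Convenience wrapper over the constructed inputs; `today_iso` is an ISO date string."""
    return reconcile(ROSTER, SHARE_ACL, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for account, reason in accounts_to_revoke("2025-03-01").items():
        print(f"revoke {account:12} {reason}")
```

Run on a daily schedule from the identity management system, the same check also satisfies the 24-hour revocation window on student separation, because a separated student's roster rows are withdrawn and the account falls into the "not on the SRO roster" case on the next run.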
Finding 2
- Domain: Access Control / Personnel Security
- Practices: 3.1.1 / 3.9.1
- Estimated effort: 200–300 hours
- Estimated cost: $35,000–$75,000
- Timeline: 60–90 days (+ ongoing)

Observation: Three foreign national researchers (two visiting scholars from a non-Five Eyes country; one PhD candidate who is a citizen of an EAR Country Group D:5 nation) are actively conducting research under the DARPA grant involving controlled autonomous systems algorithms. No Technology Control Plan (TCP) is in place. No "deemed export" analysis was conducted. One researcher has direct access to CUI-flagged simulation code for autonomous vehicle navigation.

Risk: Releasing export-controlled technology to a foreign national in the U.S. is deemed an export to their country of nationality under EAR (15 CFR 734.13) and ITAR. ITAR violations: civil penalties up to $1.3M per violation; criminal up to $1M and 20 years per violation. Three simultaneous exposure events identified. Voluntary disclosure may be required.

Remediation: Immediately suspend foreign national access to export-controlled data pending deemed export review. Develop Technology Control Plans for each active grant. Engage university legal counsel for potential voluntary self-disclosure to BIS/DDTC. For future hires, mandate Export Control Officer clearance before any foreign national is added to a restricted project.
Finding 3
- Domain: Configuration Management / System & Communications Protection
- Practices: 3.4.1 / 3.13.1 / 3.13.8
- Estimated effort: 180–240 hours
- Estimated cost: $28,000–$45,000
- Timeline: 60–90 days

Observation: Researchers and graduate students connect personal laptops, tablets, and phones to the institute's internal "SRI-Research" Wi-Fi network, which also reaches the CUI data stores and the DARPA simulation cluster. No NAC solution enforces endpoint compliance. Personal devices have no guaranteed patch level, no required disk encryption, no EDR agent, and are not enrolled in MDM. The "SRI-Research" SSID is not segregated from the CUI processing environment by VLAN or firewall policy.

Risk: A single compromised personal device could pivot into the CUI network segment. Stolen or lost personal laptops containing cached CUI require DFARS breach notification within 72 hours. Absence of MDM means the institute cannot remotely wipe CUI from a lost device — an immediate C3PAO assessment failure.

Remediation: Create a separate CUI enclave VLAN with firewall enforcement. Deploy a NAC solution (e.g., Cisco ISE or Aruba ClearPass) enforcing endpoint compliance posture. Require full-disk encryption on all managed endpoints. Prohibit BYOD access to CUI segments via policy and technical enforcement. Provide loaner managed devices for researchers. Create a guest VLAN for personal devices with zero CUI access.
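The enforcement decision a NAC makes for this remediation can be stated in a few rules: an unmanaged device is never placed in a segment that reaches CUI, a managed device must pass posture checks before it reaches CUI, and the inter-VLAN policy must contain no permitted path from the guest or research segments into the enclave. The model below is an added example, not configuration for Cisco ISE, Aruba ClearPass or any other product; the posture attributes, VLAN names, patch-age threshold and the permitted-flow table are constructed for the illustration.

```python
"""Endpoint posture decision and enclave-boundary check, as an added example.

Not SRI's configuration and not vendor NAC code. Models the enforcement the
remediation calls for: a device reaches the CUI VLAN only if it is institute-
managed, meets the compliance posture, and its user is CUI-authorized; personal
devices land in a guest VLAN whose firewall policy has no route to the enclave.
Attribute names, VLAN names and thresholds are constructed for the example.
"""
from dataclasses import dataclass

CUI_VLAN, RESEARCH_VLAN, GUEST_VLAN, QUARANTINE_VLAN = (
    "vlan-cui", "vlan-research", "vlan-guest", "vlan-quarantine")
MAX_PATCH_AGE_DAYS = 30   # assumed posture threshold


@dataclass
class Endpoint:
    hostname: str
    managed: bool            # enrolled in institute MDM
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int
    user_cui_authorized: bool


def assign_vlan(ep: Endpoint) -> tuple[str, str]:
    """Return (vlan, reason). Personal devices never reach CUI, whatever their posture."""
    if not ep.managed:
        return GUEST_VLAN, "unmanaged/BYOD device: guest network only"
    failures = []
    if not ep.disk_encrypted:
        failures.append("disk not encrypted")
    if not ep.edr_running:
        failures.append("EDR agent absent")
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        failures.append(f"patches {ep.patch_age_days}d old")
    if failures:
        return QUARANTINE_VLAN, "managed but non-compliant: " + "; ".join(failures)
    if ep.user_cui_authorized:
        return CUI_VLAN, "managed, compliant, user authorized for CUI"
    return RESEARCH_VLAN, "managed and compliant; user not CUI-authorized"


# Constructed inter-VLAN policy: (source, destination) pairs the firewall permits.
ALLOWED_FLOWS = {
    (CUI_VLAN, CUI_VLAN),
    (RESEARCH_VLAN, RESEARCH_VLAN),
    (GUEST_VLAN, "internet"),
    (RESEARCH_VLAN, "internet"),
    (CUI_VLAN, "internet"),            # egress assumed to go through a filtering proxy
    (QUARANTINE_VLAN, "remediation-server"),
}


def policy_violations(allowed=ALLOWED_FLOWS) -> list[tuple[str, str]]:
    """Any permitted flow from a non-CUI segment into the CUI VLAN breaches the enclave boundary."""
    return sorted((src, dst) for src, dst in allowed if dst == CUI_VLAN and src != CUI_VLAN)


if __name__ == "__main__":
    for ep in (Endpoint("personal-mbp", False, True, True, 2, True),
               Endpoint("lab-ws-01", True, True, True, 5, True),
               Endpoint("lab-ws-02", True, False, True, 5, True)):
        print(ep.hostname, *assign_vlan(ep))
    print("boundary violations:", policy_violations())
```

The `policy_violations` check is the part worth keeping in a change-control pipeline: whenever the firewall policy is edited, an allowed flow into `vlan-cui` from any other segment should fail the change before it is pushed.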
Finding 4
- Domain: Risk Assessment (RA)
- Practices: 3.11.1 / 3.11.2
- Estimated effort: 250–400 hours
- Estimated cost: $40,000–$80,000
- Timeline: 90–180 days

Observation: Summit Research Institute lacks a comprehensive export control compliance program. No item-level ITAR/EAR jurisdiction reviews have been conducted for research outputs across the three active grants. No Technology Control Plans exist. The Export Control Officer allocates approximately 0.1 FTE to SRI. No export control training has been conducted in 24+ months. Personal cloud storage platforms (Dropbox, Google Drive) have not been assessed for EAR/ITAR cloud compliance and are actively in use for research data.

Risk: Unreviewed technical data shared at an international conference, uploaded to a non-compliant cloud, or emailed to a foreign collaborator could constitute multiple simultaneous export violations. BIS/DDTC enforcement actions against universities have resulted in multi-million dollar penalties. Personal cloud usage may constitute ongoing undetected violations.

Remediation: Conduct an immediate export control audit of all three grants. Develop Technology Control Plans. Increase Export Control Officer dedicated time to 0.5 FTE minimum. Deliver mandatory annual export control training. Implement a pre-publication review process. Restrict use of non-compliant cloud storage. Subscribe to an export control compliance management platform.
Finding 5
- Domain: Risk Assessment / Configuration Management
- Practices: 3.12.4 (derived)
- Estimated effort: 300–500 hours
- Estimated cost: $55,000–$120,000
- Timeline: 60–90 days (SSP) / 12 months (C3PAO)

Observation: Summit Research Institute has no System Security Plan (SSP) documenting the CUI environment. There is no defined system boundary, no documentation of which controls are implemented vs. planned, no Plan of Action & Milestones (POA&M), and no basis for the SPRS self-assessment score. The institute submitted an SPRS score of 110 (maximum) at contract award without a supporting assessment — actual assessed score is −47.

Risk: An inaccurate SPRS score constitutes a potential False Claims Act violation with treble damages exposure. DFARS 252.204-7012(d)(2) requires SSP availability within 30 days of request. Without an SSP, CMMC Level 2 certification is impossible — jeopardizing all contract renewals beginning in the 2025–2027 DoD CMMC phased rollout.

Remediation: Retain a CMMC RPO immediately for SSP development. Define and document the authorization boundary. Assess all 110 NIST SP 800-171 controls. Develop a POA&M. Correct the SPRS self-assessment score. Engage university legal counsel regarding FCA exposure. Plan for C3PAO third-party assessment before next contract renewal.
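The gap between the filed score of 110 and the assessed score of −47 follows from how the DoD NIST SP 800-171 Assessment Methodology scores: every assessment starts at 110 and each practice that is not implemented subtracts a weight of 5, 3 or 1, so a score can go well below zero. Two practices, 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), can earn partial credit (a deduction of 3 instead of 5), and 3.12.4, the SSP itself, carries no weight, because without an SSP the assessment cannot be completed at all. The calculator below is an added example, not the assessor's tool or any DoD software; the practice weights in it are a constructed subset used to illustrate the three tiers, and the authoritative values are in the methodology's scoring table.

```python
"""SPRS score computation under the DoD NIST SP 800-171 Assessment Methodology.

Added example; not the assessor's tool and not DoD software. The score starts
at 110 and loses 5, 3 or 1 points per practice that is not implemented.
3.5.3 and 3.13.11 may lose only 3 when partially implemented; every other
practice is either implemented or not (no partial credit). 3.12.4 (the SSP)
is not scored: with no SSP the assessment cannot be completed.
The weights below are a CONSTRUCTED illustrative subset, not the official table.
"""

# Constructed subset of practice weights (official values: DoD Assessment Methodology scoring table).
WEIGHTS: dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.22": 1,
    "3.2.1": 5, "3.3.1": 5, "3.3.2": 3,
    "3.5.3": 5, "3.6.1": 5, "3.6.2": 5,
    "3.11.1": 3, "3.11.2": 5, "3.13.11": 5,
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # deduction when partially implemented
MAX_SCORE = 110


class AssessmentIncomplete(Exception):
    """Raised when 3.12.4 is unmet: there is no SSP to assess against."""


def sprs_score(status: dict[str, str], has_ssp: bool) -> int:
    """status maps practice id -> 'implemented' | 'partial' | 'not_implemented'.

    Practices absent from `status` are treated as implemented (no deduction),
    so callers must list every practice with a gap.
    """
    if not has_ssp:
        raise AssessmentIncomplete("3.12.4: no System Security Plan; assessment cannot be completed")
    score = MAX_SCORE
    for pid, st in status.items():
        if st == "implemented":
            continue
        if st == "partial" and pid in PARTIAL_CREDIT:
            score -= PARTIAL_CREDIT[pid]
        elif st in ("partial", "not_implemented"):
            score -= WEIGHTS[pid]        # partial counts as not implemented everywhere else
        else:
            raise ValueError(f"unknown status {st!r} for {pid}")
    return score


def worst_case_score(weights: dict[str, int] = WEIGHTS) -> int:
    """Score if every practice in `weights` is unimplemented; shows how fast 110 erodes."""
    return sprs_score({pid: "not_implemented" for pid in weights}, has_ssp=True)


if __name__ == "__main__":
    print("all implemented:", sprs_score({}, True))
    print("MFA partial only:", sprs_score({"3.5.3": "partial"}, True))
    print("all sample practices unimplemented:", worst_case_score())
    try:
        sprs_score({}, has_ssp=False)
    except AssessmentIncomplete as exc:
        print("no SSP:", exc)
```

With only the thirteen constructed weights the worst case is already 57; across all 110 weighted practices the deductions exceed 110, which is why an honest self-assessment of an environment like SRI's lands in negative territory.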
Finding 6
- Domain: Audit and Accountability (AU)
- Practices: 3.3.1 / 3.3.2
- Estimated effort: 160–220 hours
- Estimated cost: $22,000–$40,000
- Timeline: 60–90 days

Observation: CUI-scoped file servers, research workstations, and the VPN gateway are not forwarding logs to a centralized SIEM. Local logs overwrite after 30 days. File access events on CUI shared drives are only logged at the folder level. VPN concentrator logs are reviewed only when a specific incident prompts manual inspection. There is no log review schedule, no anomaly alerting, and no designated individual responsible for log review.

Risk: Without centralized audit logs, the institute cannot detect insider threats, exfiltration, or unauthorized access. DFARS 252.204-7012 requires the ability to conduct and report cyber incidents — inability to produce audit logs during a DoD-requested investigation is a serious compliance failure and could be viewed as obstruction.

Remediation: Deploy a centralized SIEM (e.g., Microsoft Sentinel, Splunk, or MSSP-provided). Configure all CUI-scoped systems with 90-day online / 1-year archive retention. Enable file-level audit logging on CUI repositories. Implement alert rules for high-risk events (bulk download, after-hours access, privilege escalation). Assign the ISSO as log review owner with a documented schedule.
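The three alert rules named in the remediation are simple enough to prototype before a SIEM is chosen, and doing so fixes what the file-level audit logs must contain (user, path, timestamp, event type) for the rules to work. The script below is an added example, not SRI's SIEM content or any vendor's rule syntax; the key=value log format, hostnames, user names, paths, thresholds and business hours are all constructed for the illustration. It runs a sliding-window bulk-download detector, an after-hours CUI access rule, and a privilege-escalation rule over a constructed batch of events.

```python
"""Alert rules for CUI audit logs, as an added example (not SRI's SIEM content).

Three of the high-risk detections the remediation lists, run over constructed
file-server and directory-service events: bulk download by one account inside a
short window, CUI access outside business hours, and privilege escalation via
admin group membership. Log format, hosts, users, paths and thresholds are made up.
"""
import shlex
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample events in a key=value syslog style (2025-03-04 is a Tuesday).
SAMPLE_LOGS = [
    "2025-03-04T10:02:11 host=cui-fs01 event=file_read user=jdoe path=/cui/autonav/nav_fusion.py",
    "2025-03-04T10:02:12 host=cui-fs01 event=file_read user=jdoe path=/cui/autonav/terrain_model.h5",
    "2025-03-04T23:41:05 host=cui-fs01 event=file_read user=bkim path=/cui/hea/fatigue_results.xlsx",
    '2025-03-04T15:12:40 host=dc01 event=group_member_added user=asmith group="Domain Admins" actor=helpdesk3',
    '2025-03-04T16:00:00 host=dc01 event=group_member_added user=jdoe group="VPN Users" actor=helpdesk3',
]
# A constructed bulk pull: 25 files read by one account inside 25 seconds.
SAMPLE_LOGS += [
    f"2025-03-04T14:30:{i:02d} host=cui-fs01 event=file_read user=asmith path=/cui/autonav/run_{i:03d}.dat"
    for i in range(25)
]


def parse(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; shlex keeps quoted values intact."""
    ts, rest = line.split(" ", 1)
    ev = dict(tok.split("=", 1) for tok in shlex.split(rest))
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def bulk_download(events, threshold=20, window=timedelta(minutes=5)):
    """Per-user sliding window: alert once when reads inside `window` reach `threshold`."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "file_read":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"rule": "bulk_download", "user": ev["user"], "count": len(q), "at": ev["ts"]})
    return alerts


BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed lab hours


def after_hours(events):
    """CUI file reads on weekends or outside business hours."""
    out = []
    for ev in events:
        if ev.get("event") != "file_read" or not ev.get("path", "").startswith("/cui/"):
            continue
        weekend = ev["ts"].weekday() >= 5
        if weekend or not (BUSINESS_START <= ev["ts"].time() < BUSINESS_END):
            out.append({"rule": "after_hours_cui_access", "user": ev["user"], "path": ev["path"], "at": ev["ts"]})
    return out


SENSITIVE_GROUPS = {"Domain Admins", "CUI-Share-Admins"}   # constructed group names


def privilege_escalation(events):
    """Membership added to a sensitive group, with the actor who made the change."""
    return [{"rule": "privilege_escalation", "user": ev["user"], "group": ev["group"],
             "actor": ev.get("actor"), "at": ev["ts"]}
            for ev in events
            if ev.get("event") == "group_member_added" and ev.get("group") in SENSITIVE_GROUPS]


def run_rules(lines=SAMPLE_LOGS) -> list[dict]:
    events = [parse(line) for line in lines]
    return bulk_download(events) + after_hours(events) + privilege_escalation(events)


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

The bulk-download rule depends on file-level events; with folder-level logging, as the finding describes, the 25 reads collapse into a single folder event and the rule cannot fire, which is the practical reason the remediation pairs alerting with file-level audit logging.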
Finding 7
- Domain: Incident Response (IR)
- Practices: 3.6.1 / 3.6.2
- Estimated effort: 80–120 hours
- Estimated cost: $12,000–$22,000
- Timeline: 45–60 days

Observation: Summit Research Institute has no written Incident Response Plan for CUI cyber incidents. The university's general IT procedure does not address the 72-hour DFARS reporting requirement to DIBNet, does not identify DARPA and ONR contracting officers as notification parties, and has never been exercised for CUI-specific scenarios. A 2023 phishing compromise of a researcher's email was handled entirely through the university helpdesk with no DFARS reporting consideration — and may require retroactive review for reportability.

Risk: DFARS 252.204-7012(c) requires cyber incident reporting within 72 hours via dibnet.dod.mil. Failure to report a qualifying incident constitutes breach of contract and can trigger FCA scrutiny. The 2023 phishing incident may require retroactive disclosure to DoD.

Remediation: Develop a standalone CUI Cyber Incident Response Plan aligned to DFARS 252.204-7012 and NIST SP 800-61. Register SRI on the DIBNet portal. Define ISSO, RSO, ECO, PI, and legal counsel roles. Conduct an annual tabletop exercise. Retroactively assess the 2023 phishing incident for DFARS reporting obligations.
Finding 8
- Domain: Awareness and Training (AT)
- Practices: 3.2.1 / 3.2.2
- Estimated effort: 80–120 hours
- Estimated cost: $8,000–$18,000
- Timeline: 45–60 days

Observation: Research staff, graduate students, and laboratory administrators receive only the university's standard 30-minute annual IT security awareness training covering phishing, passwords, and FERPA. No CUI handling, DFARS, ITAR/EAR, or DoD contractor obligation training exists. Graduate students are onboarded without information security elements. Users can access CUI systems without completing any relevant training. PIs have not received training on their responsibilities as CUI custodians.

Risk: Most CUI breaches in university research originate from unintentional insider actions — emailing CUI to personal accounts, posting controlled code to public GitHub, sharing controlled drafts via Google Docs with international collaborators. Without role-specific training, personnel cannot recognize controlled information or know when to escalate.

Remediation: Develop a tiered training curriculum: (1) General CUI awareness for all personnel; (2) ITAR/EAR responsibilities for researchers on restricted grants; (3) Role-specific training for ISSO, RSO, ECO; (4) PI-specific briefing on CUI custodian responsibilities. Require training completion before CUI access provisioning. Deploy on an LMS with completion tracking. Use CDSE (Center for Development of Security Excellence) free resources as the foundation.
Figure: NIST SP 800-171 self-assessment. 110 practices across 14 domains. SPRS submitted score: 110 (INACCURATE) — Actual assessed score: −47.

Figure: Governance structure showing the regulatory environment, university administrative layer, SRI laboratory layer, and the CUI enclave — with policy flow and incident reporting pathways.

Figure: Three-phase remediation plan from immediate risk reduction through full CMMC Level 2 certification. Total estimated investment: $285,000–$470,000 over 12 months.

Figure: Four key stakeholders driving the compliance remediation effort across technical, legal, administrative, and research dimensions.
Five overlapping regulatory regimes govern Summit Research Institute's DoD-sponsored research. Understanding the interaction between these frameworks — particularly where they conflict with academic culture and the Fundamental Research Exclusion — is central to any compliance strategy.
- DFARS 252.204-7012: Primary DoD cybersecurity clause. Requires NIST SP 800-171 implementation, 72-hour cyber incident reporting to DIBNet, malicious software submission to DC3, media preservation, subcontractor flow-down, FedRAMP-compliant cloud services, and current SPRS score submission. Non-compliance: contract termination for default, debarment, False Claims Act exposure.
- CMMC 2.0: CMMC 2.0 (32 CFR Part 170, finalized Dec. 2024) maps directly to NIST SP 800-171 Rev. 2. Level 2 = 110 security practices across 14 domains. Third-party C3PAO certification required for prioritized DoD acquisitions involving CUI. SRI's DARPA and ONR grants are prioritized — third-party certification will be required at next renewal cycle (est. 2025–2027).
- ITAR: DDTC-administered. Controls export of defense articles, services, and technical data on the U.S. Munitions List (USML). Relevant USML categories: VIII (Aircraft/UAV), XI (Military Electronics), XII (Fire Control/Guidance), XV (Spacecraft). Deemed export applies to foreign nationals. No FRE if publication restrictions or access controls exist. Civil: up to $1.3M/violation. Criminal: up to $1M and 20 years/violation.
- EAR: BIS-administered. Controls dual-use items on the Commerce Control List (CCL). Relevant ECCNs: 7E994 (Autonomous navigation technology), 3E001 (Advanced materials technology), 4E001 (AI/computer technology). Military end-use rule (15 CFR 744.21) may apply even to EAR99 items in SRI's research context. FRE available but invalidated by DFARS access controls present in all SRI grants.
- Fundamental Research Exclusion (FRE): Frequently misapplied at SRI. FRE exempts university basic/applied research intended for open publication — but only if NO publication restrictions, NO access controls, and NO proprietary constraints exist. Any grant including DFARS 252.204-7012 cannot simultaneously claim FRE, because DFARS itself imposes access controls. All three SRI grants include DFARS → FRE does not apply to any SRI grant.
- Research security programs (NSPM-33 / CHIPS Act): Post-NSPM-33 and CHIPS Act requirements mandate university research security programs including: foreign talent risk assessment, conflict of interest/commitment disclosure, cybersecurity programs for CUI, export control integration, research security training, and incident reporting procedures. DoD ONRI and NSF require research security programs for institutions receiving $50M+ in federal research funding — Penn State exceeds this threshold.
| Domain | Abbr. | Practices | Implemented | Partial | Not Implemented | Coverage % |
|---|---|---|---|---|---|---|
| Access Control | AC | 22 | 5 | 6 | 11 | 36% |
| Awareness & Training | AT | 3 | 0 | 1 | 2 | 17% |
| Audit & Accountability | AU | 9 | 2 | 2 | 5 | 33% |
| Configuration Management | CM | 9 | 3 | 2 | 4 | 44% |
| Identification & Authentication | IA | 11 | 5 | 3 | 3 | 64% |
| Incident Response | IR | 3 | 0 | 1 | 2 | 17% |
| Maintenance | MA | 6 | 3 | 1 | 2 | 58% |
| Media Protection | MP | 9 | 3 | 2 | 4 | 44% |
| Personnel Security | PS | 2 | 1 | 0 | 1 | 50% |
| Physical Protection | PE | 6 | 4 | 1 | 1 | 75% |
| Risk Assessment | RA | 3 | 0 | 1 | 2 | 17% |
| Security Assessment | CA | 4 | 0 | 1 | 3 | 13% |
| System & Comm. Protection | SC | 16 | 7 | 2 | 7 | 53% |
| System & Info. Integrity | SI | 7 | 4 | 1 | 2 | 71% |
| TOTAL | — | 110 | 37 | 24 | 49 | 38% |
A discussion forum for ISSO officers, export control professionals, research security officers, and DoD-affiliated laboratory staff. Share insights, ask questions, and collaborate on compliance challenges.
Key compliance resources for DoD-affiliated university research laboratories pursuing CMMC Level 2 certification and export control compliance.
- DFARS 252.204-7012: Full text of the DoD cybersecurity safeguarding clause with CUI and incident reporting requirements
- CMMC Portal: Official DoD CMMC program documentation, rulemaking, and assessment resources
- NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- DDTC Portal: State Department Directorate of Defense Trade Controls — ITAR compliance, USML, licenses
- BIS Portal: Bureau of Industry and Security — Commerce Control List, license exceptions, deemed export
- CDSE Portal: Center for Development of Security Excellence — free DoD-approved security awareness training
- CUI Registry: Official CUI categories, subcategories, markings, and handling requirements
- DIBNet: DoD Defense Industrial Base Network — cyber incident reporting, SPRS, contractor portal
- NSPM-33: OSTP guidance on research security program requirements for federally funded institutions
- CMMC Resources: https://sands-mvcc.github.io/CMMC/
University-Affiliated DoD Research Laboratory
110 Technology Center
University Park, PA 16802
State College, Pennsylvania
Affiliation: Pennsylvania State University
Oversight: DARPA / ONR
ISSO: James Okafor, M.S.
Research IT Manager & ISSO
Export Control: Dr. Linda Szymanski, J.D., M.S.
Export Control Officer / Research Security Coordinator
Penn State Office of Research
For CMMC RPO engagement or research security collaboration inquiries.
SPRS Score (Actual): −47
SPRS Score (Filed): 110 ⚠
Active Findings: 8 (3 Critical, 3 High, 2 Medium)
Remediation Phase: Phase 1 (Active)
Next Milestone: SSP v1.0 Complete — Day 75
C3PAO Target: Q1 2027