Financing Innovation and Hedging Against Technology Uncertainty in Higher Education

In the EDUCAUSE Top 10 IT (Information Technology) Issues for 2022, one leader stated, “I believe that we have the opportunity to reconceptualize how it is that we are no longer going to be in front of the classroom but, instead, we’re going to be facilitators of knowledge.” [1]

As your organization considers how to facilitate knowledge, I draw your attention to the article’s Point #5, “The Digital versus Brick-and-Mortar Balancing Game: Creating a blended campus to provide digital and physical work and learning spaces.”

The traditional classroom learning model is in flux. Administrators, facilitators, and students are all looking for more efficient and accommodating ways to transfer information. Classroom schedules are becoming less rigid as online and on-demand resources are emerging.

There will be a lot of trial and error as innovative thinkers try to create a balance between the digital and the physical learning spaces. Some ideas will work better than others. There will be tremendous demand for both technical and functional resources.

As always, we consider the cost. When innovative technology delivers on expectations, it is well worth the investment. But, too often, the technology is too new and does not deliver exactly as hoped and budget resources are wasted.

While businesses may have some of the same challenges as education, businesses innovate using a different acquisition model. Many businesses have gone to an “as a Service” model for their technology. Instead of capital expenditure (CapEx) purchases of depreciating assets, businesses are opting for a monthly service fee (OpEx) for innovative technology. As with most software licenses, institutions pay a monthly fee for equipment, installation, warranty, and ongoing support. As technology changes, they simply roll out the old technology and replace it with new without the need for additional CapEx.

Higher education can benefit from this model, too. Instead of making large acquisitions of depreciating technology like audio visual and classroom education technology, many institutions are moving to “Audio Visual as a Service” (AVaaS).

AV as a Service: 

  • Provides budget predictability – no unforeseen costs 
  • Allows flexibility to scale up or down as needs change 
  • Makes it possible to standardize AV systems while taking advantage of manufacturer volume discounts 
  • Frees up IT resources with centralized systems monitoring to enable focus on other strategic initiatives 
  • Provides the benefit of an ongoing, consistent, reliable AV technology partnership with industry professionals  

As you think about how you will create the perfect blend of the physical and the digital for your organization, consider AV as a Service. If you want some ideas on how it might work best for your organization, we can help.

Columbia Advisory Group offers design, procurement, logistics, installation, configuration, financing, and maintenance as a Service over 36- and 60-month periods.

1. Susan Grajek and the 2021–2022 EDUCAUSE IT Issues Panel, “Top 10 IT Issues, 2022: The Higher Education We Deserve,” EDUCAUSE Articles, November 1, 2021.

CMMC: What It Is and Why It Is Important

The Cybersecurity Maturity Model Certification (CMMC) is a security framework implemented by the US Department of Defense (DoD) to improve protection of the defense industrial base. Like other security frameworks, the CMMC has a collection of controls for processes and practices with the goal of achieving a certain level of cybersecurity maturity. The main purpose of the CMMC is to provide assurance to the DoD that a company holding federal contracts has the appropriate measures in place to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and to account for how that information flows. It’s also a powerful framework that can apply to anyone looking to boost their security posture.

If the University uses Federal funds for research with the Department of Defense, you may want to consider CMMC certification. CAG can help with a pre-assessment to ensure the University passes the certification.

CMMC is a scalable framework: depending on the sensitivity of the data involved, a federal contract will require that specific CMMC controls be in place. Currently, the CMMC has five levels. The higher the level, the more controls required. And because the levels are cumulative, CMMC Level 3 would demand implementing everything in the preceding two as well.

  • CMMC Level 1: Basic cyberhygiene—focused on safeguarding Federal Contract Information (FCI)
  • CMMC Level 2: Intermediate cyberhygiene—serves as a transition step in cybersecurity maturity
  • CMMC Level 3: Good cyberhygiene—protect Controlled Unclassified Information (CUI)
  • CMMC Level 4: Proactive—protect CUI and reduce risk of advanced persistent threats (APTs)
  • CMMC Level 5: Advanced/progressive—protect CUI and reduce risk of APTs

How is CMMC different from other security frameworks?

The biggest difference is that it does away with self-attestation. With standards like NIST 800-171, you could self-attest you were following the appropriate controls and standards and win a federal contract. CMMC changes this by requiring that anyone seeking a federal contract with the DoD must receive certification from an approved CMMC third-party assessment organization (C3PAO).

You can easily perform self-assessments by leveraging resources made available by the Office of the Under Secretary of Defense for Acquisition & Sustainment. However, you will still need to engage a C3PAO to receive CMMC certification of the appropriate level to win a federal contract. During the audit by a C3PAO, they should be able to help identify any gaps that will prevent receiving certification. If you or your research entities are subject to CMMC, engaging with a C3PAO is going to be inescapable. The earlier you start, the more flexibility you will have in implementing any recommendations.

There is currently a grace period to allow CMMC to become fully implemented, but in the future federal DoD contracts will not be awarded without the appropriate certification.

Why is CMMC important to universities?

For Universities, CMMC is no different than any other set of standards or frameworks—it contains an established baseline of best practices, and controls and processes that must be implemented. In fact, most of the controls in CMMC are mapped directly to NIST 800-171. So, if you have already been building your cyber program around NIST 800-53 and NIST 800-171, you should look at CMMC as an opportunity to help you stand apart.

For Universities that have not traditionally implemented NIST or other security frameworks because it wasn’t a requirement for your stakeholders, this is an opportunity to own risk and reap the rewards. If you decide to implement the controls within CMMC Level 3—even if you don’t receive certification—you will have a more mature cybersecurity posture, a larger portfolio of services you can offer within your research, and improved scalability.

If you have made it this far and think CMMC doesn’t apply to you since you don’t support these types of projects, you may be interested to know that CMMC has the potential to work down the hierarchy from federal to state and local governments. When NIST 800-53 was originally released in 2005 as recommended security controls for federal information systems, it was intended for federal information systems. In August 2017, “federal” was removed to indicate that it may be applied to any organization. Many state governments, local municipalities, insurance providers, and public and private entities of all types have required that NIST 800-53 controls and processes be followed for years.

One day, CMMC, or an evolution of it, may be just as prevalent as NIST 800-53. With the heightened public awareness concerning the risk cybersecurity threats pose, it’s likely we may eventually see self-attestation as a relic of the past.

CAG performs policy assessments and controls alignments according to the following standards:

  • Gramm–Leach–Bliley Act (GLBA)
  • NIST 800-171
  • NIST 800-53
  • PCI Compliance
  • HIPAA
  • FERPA
  • TAC 202 or other state standards

If you would like to learn more about how CAG can advance your organization’s cyber security maturity, please contact info@columbiaadvisory.com.

ABOUT CAG:

CAG is a highly experienced IT consulting firm. With 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful, and practical solutions combined with straightforward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit columbiaadvisory.com.