Yesterday (3/17/26), I had the opportunity to participate in EDUCAUSE’s Regulated Information Security Compliance monthly meeting as part of a panel discussion on CMMC Level 1 challenges, scoping considerations, and implementation approaches.
During the conversation, I mentioned a document we use internally called the Cybersecurity Assurance Terms and Conditions (CATC). This document serves as a tool for our office to communicate cybersecurity regulatory requirements to PIs and, in turn, obtain their assurance that they understand the applicable rules and will avoid using unapproved systems. Several attendees asked for a copy, so I’ve attached it here for your reference.
I’ve also included a PDF outlining our general workflow for regulated research that was developed a couple years ago. It provides context for how the CATC fits into our overall process—both for CMMC Level 1 and CMMC Level 2—so you can see where and how it is applied.
Last, as shared yesterday, our CMMC Level 1 journey started with ensuring our campus IT community was aligned to our existing IT policies and security standards – which already encompass what CMMC Level 1 requires. To avoid getting hung up on regulatory names, we referred to this as the Minimum IT Safeguards Initiative. This Initiative was briefed top-down and bottom-up to spread the word across campus and has been executed in 3 phases. Phase 1 focused on units engaged with DoD research as well as our M365 environment and Research Administration ERP system, Phase 2 covers units engaged with any other Federal agency, and Phase 3 covers all other units. During each phase, units review and submit systems to the Security Office that they believe are compliant (along with artifacts). Cross checks are performed and then the Information Security Office assigns a “tag” in Microsoft Defender to indicate the system was reviewed and found to be compliant. Using the CATC, we capture the machine name(s) that will be used for a restricted project and then we check to see whether that system has been tagged as compliant or not.
Here is info from our Executive Summary slide for the Initiative that was launched in Nov 2024:
Purpose of the Minimum IT Safeguards Initiative:
The University of Central Florida (UCF) launched the Minimum IT Safeguards Initiative as a proactive measure to:
Affirm compliance with federal IT security requirements and UCF IT policies and standards
Identify and close gaps in current IT practices
Reinforce the protection of systems and sensitive data
Enhance reliability and security across UCF’s IT operations
Assessment Objective:
Evaluate foundational policies, procedures, and implemented technical measures required to protect restricted information, such as Federal Contract Information (FCI) or other university data. For research, these protections are mandated in federal awards that invoke:
FAR clause 52.204-21,
Department of Defense (DoD)’s Cybersecurity Maturity Model Certification (CMMC) Program Level 1, or
National Security Presidential Memorandum 33 (NSPM-33) with similar requirements in draft to apply to future federal projects.
Key Insights (after Phase 1):
Addressed drift in adherence to existing policies
Exposed misaligned assumptions
Identified systems meeting federal research requirements
Became a catalyst for standardization