The Application of CMMC, CompTIA, NIST, and Cybersecurity Standards in Schools and SMEs in the US and Canada
Abstract
Cybersecurity threats are escalating across educational and small and medium-sized enterprise (SME) sectors due to increased digital interconnectivity and reliance on cloud and internet-connected systems. In response, structured frameworks such as the Cybersecurity Maturity Model Certification (CMMC), the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), and CompTIA's industry certifications and best practices are emerging as essential tools for risk mitigation and regulatory compliance. This research paper provides a comprehensive exploration of how these standards are applied within schools and SMEs in the United States and Canada, evaluating challenges, benefits, implementation strategies, and how external experts can assist in strengthening cybersecurity postures.
1. Introduction
As digital transformation expands across various sectors, educational institutions and small and medium-sized businesses (SMEs) are increasingly becoming targets for cyber attackers. This increased vulnerability is largely due to the widespread adoption of cloud services, online learning platforms, digital records, and remote work arrangements, which introduce new security vulnerabilities. Cyber incidents are so prevalent in K-12 schools that, on average, there is more than one incident per school day. These attacks can disrupt daily operations by disabling integrated networks and endanger vast amounts of personal and financial data collected from students, families, and staff. Schools are often described as "target rich, cyber poor" because they hold extensive sensitive data but frequently lack the necessary resources for comprehensive cybersecurity programmes.
In both the United States and Canada, cybersecurity regulations are expanding, particularly for organisations involved in sensitive or federally funded work. Frameworks such as CMMC, NIST CSF, and CompTIA standards have emerged as dominant guidelines for compliance, capability development, and defence-in-depth strategies.
2. Frameworks and Standards Overview
2.1 Cybersecurity Maturity Model Certification (CMMC)
- Origin and Purpose: The Cybersecurity Maturity Model Certification (CMMC) was designed by the U.S. Department of Defense (DoD) to strengthen the security protocols of the Defense Industrial Base (DIB). Its primary purpose is to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). CMMC was introduced to ensure contractors comply with cybersecurity standards like NIST SP 800-171, as many were not doing so previously.
- Levels: The CMMC 2.0 framework, updated from the original CMMC 1.0 (established in 2020), simplifies compliance by reducing the levels from five to three:
- Level 1 (Foundational): Applies to organisations handling Federal Contract Information (FCI), which is information not intended for public release, provided by or generated for the government. It requires following 15 basic safeguarding practices outlined in FAR 52.204-21 and can be met through annual self-assessments.
- Level 2 (Advanced): Applies to organisations handling Controlled Unclassified Information (CUI), defined as sensitive information requiring safeguarding or dissemination controls under U.S. laws, regulations, or policies. This level requires compliance with 110 security practices from NIST SP 800-171 Revision 2. For non-critical CUI, self-assessments are conducted every three years, while critical CUI requires third-party assessments by a Certified Third-Party Assessor Organization (C3PAO) every three years.
- Level 3 (Expert): Targets contractors working on high-priority or high-risk DoD programs involving advanced persistent threats (APTs). It adds 24 enhanced controls from NIST SP 800-172, bringing the total to 134 requirements. These assessments are conducted exclusively by the DCMA DIBCAC every three years.
- Scope and Global Impact: CMMC is a condition for contract award for certain DoD contractors handling sensitive unclassified DoD information. It applies to DoD contractors and subcontractors, including Canadian entities engaged in collaborative research and defence supply chains with the US DoD.
2.2 CompTIA Cybersecurity Standards
- Overview: CompTIA provides industry certifications and practical training designed to develop skilled cybersecurity personnel. These certifications are vendor-neutral, meaning the skills acquired are applicable across various technologies and platforms.
- Key Certifications:
- Security+: Focuses on core security and risk management principles, covering practical, hands-on skills in threat detection and response, network security, and compliance. It is ISO 17024 compliant and approved by the U.S. Department of Defense to meet directive 8140/8570.01-M requirements.
- CySA+ (Cybersecurity Analyst): Focuses on threat detection, response, and compliance, enabling IT professionals to recognise and respond to information security issues.
- Application: CompTIA certifications are widely used by educational institutions for staff upskilling and IT workforce development.
2.3 NIST Cybersecurity Framework (CSF)
- Developed by: The National Institute of Standards and Technology (NIST).
- Structure: The NIST Cybersecurity Framework is flexible and consists of three main components:
- Core Functions: Organises cybersecurity activities into five main functions: Identify, Protect, Detect, Respond, and Recover.
- Tiers: Measure the sophistication of an organisation's cybersecurity practices.
- Profiles: Customise the framework to an organisation’s specific needs.
- Relevance: NIST CSF is scalable and voluntary, making it suitable for a broad range of organisations, including schools, SMEs, and critical infrastructure operators. It does not require an outside audit; organisations can self-report compliance by creating a security plan, documenting exceptions, and giving themselves a score that is stored in a federal database.
3. Application in Educational Institutions
3.1 United States
- K-12 and Higher Education: These institutions are increasingly adopting NIST CSF to manage student data and comply with privacy regulations such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). FERPA is the foundation of student privacy rights for schools receiving U.S. Department of Education funding. The Children’s Online Privacy Protection Act (COPPA) is crucial for protecting children under 13 online, requiring parental consent for data collection by online services aimed at children. The Children’s Internet Protection Act (CIPA) mandates internet filters and safety policies in schools and libraries to shield minors from harmful content.
- Research Institutions: Those managing DoD grants must meet CMMC Level 2 or 3 requirements.
- Staff Development: IT departments in educational institutions use CompTIA certifications to train staff in essential security protocols, contributing to workforce development. The Cybersecurity and Infrastructure Security Agency (CISA) focuses on working with the K-12 education sector to raise awareness, understand risks, and change behaviours to protect against phishing and other online attacks. CISA provides tools, information, and resources to help this critical infrastructure component protect itself from malicious actors.
3.2 Canada
- CMMC Influence: CMMC applies to Canadian universities involved in joint defence research with the US DoD. Basic CMMC awareness is also required for entities within the supply chain.
- CyberSecure Canada: This national programme, based on NIST and ISO 27001, is tailored for smaller organisations and provides templates, training, and implementation tools. It aims to advise and guide small and medium organisations on how to maximise the effectiveness of their cybersecurity investments, believing that most cyber threats can be mitigated through awareness and best practices.
- CompTIA Certifications: These are used in Canada to align staff capabilities with Cybersecurity Skills Frameworks. The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal privacy law for private sector organisations, playing a key role in protecting student confidentiality, especially for private schools and educational service providers.
4. Application in Small and Medium-Sized Enterprises (SMEs)
4.1 United States
- Defense Contractors: SMEs that are part of defense supply chains are required to certify under CMMC. This includes organisations providing generic parts or services that touch Controlled Unclassified Information (CUI), even indirectly.
- Broader SME Sector: For other SMEs, the NIST CSF offers adaptable cybersecurity guidance. However, adoption barriers exist, including budget constraints, limited staff, and a lack of awareness regarding cybersecurity risks. CompTIA certifications provide vendor-neutral guidance for foundational security measures.
4.2 Canada
- Non-Defense SMEs: These organisations are strongly encouraged to adopt CyberSecure Canada. While CMMC primarily applies to firms interacting with US federal contracts, Canadian companies that achieve CMMC Level 1 can position themselves favourably for swift compliance with the Canadian Program for Cyber Security Certification (CPCSC) once it is fully implemented.
- Support Structures: Public-private partnerships in Canada promote the adoption of cybersecurity standards, and SMEs leverage CompTIA training for in-house and consultant validation. Canadian SMEs, like their US counterparts, are actively targeted by cybercriminals who believe their systems are vulnerable. In 2012, 69% of Canadian businesses reported some form of cyber attack, costing them approximately $15,000 per attack.
5. Challenges and Best Practices
| Challenge | Schools | SMEs | Recommended Solutions |
|---|---|---|---|
| Budget Limitations | Minimal IT funding, small teams | Lean staffing, multitasking | Outsourced IT services, phased implementation, grant use, and selecting the most cost-effective proposals for eligible products and services. |
| Skills Gap | Teachers and administrators lack IT training | Non-specialist staff | Implementing CompTIA pathways for staff upskilling, utilising managed cybersecurity providers, and promoting continuous education and training. |
| Regulatory Complexity | FERPA, HIPAA, DoD, provincial laws | Sector-specific rules, international templates | Utilising compliance mapping tools, adopting streamlined frameworks like NIST CSF with simplified profiles, adhering to specific FCC orders (e.g., FCC 19-121 prohibiting equipment from Huawei, ZTE, and Kaspersky Lab), and understanding regulations for sensitive data. |
| Implementation Burden | Difficulty adopting CMMC/NIST standards | Cost and time-consuming assessments | Developing clear roadmaps, implementing simplified controls (like those in CyberSecure Canada), using compliance software to automate key tasks, and limiting the scope of CUI handling to reduce complexity and costs. |
| Threat Evolution | Ransomware, phishing, malware | Supply chain attacks, remote access | Implementing continuous security monitoring, conducting regular incident response drills, adopting effective security practices like firewalls, threat management tools, antivirus, and controlling user access. Training employees to recognise phishing and social engineering attempts is crucial. |
General Best Practices:
- Develop an Incident Response Plan: Organisations should assume that cybersecurity incidents will occur and have a plan for how to respond and recover.
- Automatic Patching: Enable automatic patching for all software and hardware or establish full vulnerability and patch management solutions.
- Back up and Encrypt Data: Regularly back up and encrypt sensitive data.
- Establish Basic Perimeter Defences: Implement firewalls, DNS firewalls, and email filtering. Isolate point-of-sale (PoS) systems with a firewall and consider following the Payment Card Industry Data Security Standard (PCI DSS).
- Secure Cloud and Outsourced IT Services: Evaluate outsourced IT providers' handling of sensitive information and ensure secure communication with all cloud services.
- Security Awareness Training: Implement security awareness programmes for staff, including basic training, updates on policies, standards, and best practices.
- Policies and Standards: Develop sound cybersecurity policies and standards, such as Internet use, social media, and acceptable use policies, to guide employee conduct.
6. Role of External Support
External support, such as that offered by IAS-Research.com and KeenComputer.com, can significantly enhance an organisation's cybersecurity posture.
- IAS-Research.com: Provides cyber risk assessments based on NIST CSF and CMMC guidelines, policy and compliance advisory for cross-border institutions, support for CyberSecure Canada implementation, and custom security architecture design for research institutions and regulated sectors.
- KeenComputer.com: Offers managed cybersecurity and compliance services, as demonstrated by their implementations for K-12 schools in Ontario. Their services include:
- CompTIA-Aligned Workforce Development: Delivering CompTIA Security+ and CySA+ training for regional colleges and IT firms.
- Managed Cybersecurity Services: Endpoint protection, patching, firewall, and backup solutions.
- IT Compliance Consulting: Covering FERPA, HIPAA, GDPR, and CMMC.
- Turnkey Framework Implementation: For SMEs and schools, including assisting Canadian SMEs in passing CyberSecure Canada audits using templated risk registers, asset inventories, and patching policies.
- Technical Content Creation and CISO-as-a-Service support: For small institutions.
- Use Cases: Developed secure WordPress and eCommerce platforms with multi-factor authentication and real-time threat detection systems.
7. Recommendations
To strengthen cybersecurity postures and build a foundation for safe digital growth, organisations should consider the following recommendations:
- K-12 Schools:
- Utilise NIST CSF Tier 1/2 with simplified profiles to manage student data and comply with privacy laws like FERPA and COPPA.
- Start with CompTIA Security+ for IT coordinators to enhance their foundational security knowledge.
- Implement regular privacy audits and strengthen data security measures, including encryption and strict access controls.
- Provide regular cybersecurity awareness training to all staff, fostering a privacy-conscious culture.
- Review privacy protections of third-party applications and collaborate with peers and education ministries to demand stronger vendor standards.
- Universities:
- Implement departmental segmentation to apply CMMC selectively, particularly for departments handling DoD grants or research.
- Partner with external experts like IAS-Research.com for strategic planning and implementation of CMMC and NIST guidelines.
- US SMEs:
- Evaluate contracts carefully to determine the necessity of CMMC Level 1 or 2 compliance, focusing on identifying and limiting the scope of CUI handling.
- Adopt the NIST CSF core functions (Identify, Protect, Detect, Respond, Recover) as an adaptable guide for overall cybersecurity strategy.
- Seek CompTIA-based training to build foundational security knowledge among staff.
- Canadian SMEs:
- Enrol in the CyberSecure Canada programme and integrate its baseline controls to mitigate common cyber threats.
- Utilise experts like KeenComputer.com for scalable implementation support, managed cybersecurity services, and IT compliance consulting.
- Stay informed about the Canadian Program for Cyber Security Certification (CPCSC), which aligns with CMMC and NIST.
8. Conclusion
Cybersecurity frameworks such as CMMC, NIST CSF, and CompTIA certifications are not merely regulatory checkboxes but are essential tools for organisational resilience in an increasingly hostile digital landscape. Their effective adoption requires not only technical execution but also cultural and strategic alignment within an organisation. By investing in targeted training, smart resource allocation, and forging partnerships with implementation experts, both schools and SMEs can significantly strengthen their cybersecurity postures, reduce vulnerabilities to cyberattacks, and build a robust foundation for safe and continuous digital growth.