The world of government secrets used to be binary: classified or not. ISI has now earned certification to handle a new third category that’s reshaping defense research.

The USC Viterbi Information Sciences Institute, a unit of the USC Viterbi School of Engineering and a key research partner with the USC School of Advanced Computing, has achieved Cybersecurity Maturity Model Certification (CMMC) Level 2, joining a select group of research institutes certified to work with Controlled Unclassified Information (CUI), sensitive data that falls between publicly accessible information and classified materials. The Department of War has begun requiring this certification for contractors handling such information, with a full mandate expected by November 2026 as part of a phased implementation process running from November 2025 through November 2026.

Opening Doors to New Research Opportunities

The certification enables ISI to respond to Department of War solicitations and collaborate seamlessly with prime defense contractors.

“The certification allows us to respond to DoW solicitations that require it, and bid as a subcontractor to major defense contractors ” says Terry Benzel, ISI’s Managing Director and an expert in networking and cybersecurity. “With the certification badge and score  on the Supplier Performance Risk System (SPRS), which serves as the primary, official repository for CMMC assessment results and certification government agencies and contractors can verify our credentials instantly through the official database.”

The need for such certification reflects growing federal government concerns about research security and foreign influence in  industry and academic settings.

A Comprehensive Transformation

Achieving CMMC Level 2 certification meant implementing 110 security controls across technology, processes, and personnel management.

ISI established a secure environment, creating an isolated digital space where CUI can be safely stored, accessed, and processed. At the Arlington Research Laboratory, ISI designated specialized CMMC facilities with badge-controlled access and visitor escort protocols.

Researchers working on projects having CMMC Level 2 contract clauses will now use new secure dedicated email addresses and employ updated multi-factor authentication and encryption. All personnel who may encounter CUI complete specialized training programs covering research security and CMMC-specific requirements.

Rather than opting for self-assessment, ISI chose to pursue certification through a C3PAO (Certified Third Party Assessor Organization), lending greater credibility to its security posture.

“We decided to take a much more aggressive approach,” says Stephen Kwok, IT Security Manager and project lead. “Having a C3PAO certify us gives us much more weight. It’s not just hearsay.”

Strategic Leadership Support

ISI’s journey toward CMMC certification began years before the framework became mandatory. Eileen Lu, ISI’s former Chief Information Officer, recognized early that this certification would become essential for maintaining the institute’s research portfolio.

“The team at ISI has been working on this transition for at least three years, even before it was officially published,” Kwok explains. “Eileen had the foresight to see that this is something we need to do. She worked with Terry [Benzel] and already got the ball rolling.”

That early action proved prescient. By late 2024, major defense contractors like Northrop Grumman, one of ISI’s key collaborative partners, announced they would require CMMC certification for all subcontractors. Without certification, research institutes like ISI would be shut out of critical collaboration opportunities.

As ISI moved forward with implementation, the project received critical support from Viterbi School of Engineering Dean Yannis Yortsos, who approved ISI’s access to the secure cloud infrastructure and helped navigate complex coordination with USC’s Office of Cybersecurity.

“There were some back-and-forth discussions, but about a year ago, the dean said, ‘Let’s move forward. We need to give ISI and Viterbi this edge,'” Kwok recalls.

Maintaining Compliance: The Work Ahead

While achieving initial certification represents a major milestone, maintaining CMMC compliance requires ongoing vigilance. ISI must continuously demonstrate adherence to all security controls.

“It’s not a one-and-done,” Benzel explains. “We have to maintain these controls continuously. If we have changes to our environment or processes, we need to ensure they still meet the requirements.”

ISI has established regular monitoring, formalized training schedules, and comprehensive security policies. The compliance team will conduct periodic assessments to ensure all controls remain effective as technology and threats evolve. The institute will also adapt as CMMC requirements expand or change.

A Model for Research Institutes

ISI’s multi-year CMMC journey offers a blueprint for other research organizations navigating the increasingly complex landscape of research security compliance. The effort required close collaboration across multiple departments.

The Department of War is implementing CMMC requirements in phases through 2027 and beyond. As more contracts incorporate this language, ISI is ready to compete for opportunities that other institutions may not yet be equipped to pursue.

“This positions us to continue the critical research that our sponsors depend on while demonstrating our commitment to protecting sensitive information,” Benzel notes.

The certification opens new possibilities for collaboration. As defense contractors and government agencies increasingly prioritize research security, ISI’s credential signals it’s ready to tackle the most sensitive national security challenges without the delays and compliance hurdles that often slow research progress.

Published on March 24th, 2026

Last updated on March 24th, 2026