I’m helping finalize a subcontract with a university, but there’s pushback on a clause about NIST SP 800-171 DoD NIST Assessment Requirements.

The university says this doesn’t apply and should be deleted from the subcontract because their effort is fundamental research. However, it’s my understanding that the institution should still have a current NIST assessment on file through the SPRS portal (they currently don’t have one in there). Example source that supports my interpretation: Federal Register - CMMC Program - Fundamental Research.

Am I misunderstanding the NIST assessment requirement? You need 110 score if the effort involves CUI, but you simply need a score - any score - logged in the assessment portal to be in compliance for fundamental research.