Close this search box.

Department of Defense Contractor Cybersecurity Brief

Originally posted on December 14, 2020 2:03 pm
by Robert Gillen

What is happening with Department of Defense Cybersecurity Regulations?

Navigating the policy landscape of Department of Defense (DoD) contracting can be a frustrating experience.  Cybersecurity regulations are certainly no exception as the past few years have seen major changes in expectations that are seemingly revamped every year.  This post will walk you through the latest from the perspective of a small business that just wants to continue doing business with DoD.


What is the goal?

DoD wants to protect “controlled unclassified information” (CUI) – information that is sensitive enough to require protection, but not sensitive enough to require security classification.  The goal is protection of information using technology, policy, and education in your company.


What is the latest?

As of right now, if you have a contract with DoD, it likely includes DFARS clause 252.204-7012 requiring you to work toward compliance with cybersecurity regulations listed in NIST Special Publication 800-171 as well as report cyber incidents to DoD within 72 hours of discovery.  If you have this clause and are not doing these things, you are not in compliance with your contract.


What is coming?

The DoD has begun requiring contractors to go through an assessment and scoring process that will measure compliance with NIST SP 800-171.  For most, this will consist of a self-assessment reported to the DoD Supplier Performance Risk System (SPRS).

Over the next five years, DoD will transition from the NIST SP 800-171 system to the Cybersecurity Maturity Model Certification (CMMC) system.  This system will establish an expanded set of requirements and third-party assessors to certify companies.  Proper certification will eventually be required for responding to proposals as well as executing contracts.

What do I do?

1.     Comply with your contract – NIST SP 800-171 and self-assessment

If you have the applicable DFARS clause and handle DoD CUI, you must work toward NIST SP 800-171 compliance.  As of today, that includes maintaining documentation like a System Security Plan (SSP) and a Plan of Action and Milestones (POAM) showing your progress.  As of November 30, 2020, this includes uploading your self-assessment per the process outlined by DCMA’s cybersecurity group.


2.     Learn about CMMC – see links below

While the CMMC assessment methodology and infrastructure has not yet been established, the requirements for the various certification levels have been published.  Read up on the levels and consider which certificate your company will likely need. NIST SP 800-171 is entirely contained within CMMC Level 3 – that is, any work you are doing toward NIST SP 800-171 compliance will be applicable to a future CMMC Level 3 certificate.


3.     Get some help

This can be a frustrating and overwhelming process, especially when you don’t have what you need.  FastLane (937.229.1368) advisors get you to solutions faster to make your life easier.


What is…


The Defense Federal Acquisition Regulation Supplement is the version of the Federal Acquisition Regulation (FAR) used by DoD to list requirements for being a supplier/contractor. DFARS clauses appear in contracts with DoD and are often flowed down through the supply chain meaning your company may have to comply with them even if you are not contracting directly with DoD.



Controlled Unclassified Information is what these policies are trying to protect.  What constitutes CUI and how it is identified is evolving – for the latest, go to  Contractors are expected to work with their supply chain to determine where they have CUI.


NIST SP 800-171 (currently revision 2)

The National Institute of Standards and Technology publishes many security policies used across the DoD.  Special Publication 800-171, originally a set of “guidelines”, has been adopted by DoD as “requirements” for its contractors handling CUI.  These requirements will be incorporated into the CMMC system.


DCMA cybersecurity assessments

The Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is responsible for auditing compliance with NIST SP 800-171.  Their assessment methodology has three levels – Basic, Medium, and High.  Basic assessments are self-conducted; medium and high assessments are conducted by DCMA personnel.  After November 30, 2020, all contractors with applicable DFARS clauses will need an assessment on file to be considered for DoD awards.



The Supplier Performance Risk System is DoD’s database of supplier performance and where all DCMA cybersecurity audit results will be stored.  Results will be available to DoD agencies to consider before awarding contracts and companies will be able to request copies of their own scores via SPRS.


CMMC levels

CMMC is administered by an accreditation body which is in the process of designing the infrastructure for certifying contractors.  The CMMC levels are officially defined by the maturity of “cyber hygiene” within the company, but DoD will be requiring certain levels of certification to apply for and win awards.  Level 1 covers safeguarding Federal Contracting Information, implying that any company with information leading to knowledge that they are working with DoD will need to be certified at Level 1.  Level 2 has been referred to as a “transition level” toward Level 3 as a goal for handling actual CUI.  We will learn more about these levels as the program is rolled out over the next five years.  As of today, a pilot program is being run with a limited number of contracts to test and gain feedback on the certification process.

Have questions about cybersecurity for your business?