DFARS and the CMMC: DoD’s Next Step to Protect Defense Data

Government Contracts Newsletter

Client Alert


The DoD’s new “Cybersecurity Maturity Model Certification” signals the next steps for government contractor’s cybersecurity

In 2016 the U.S. Department of Defense (DoD) issued a Defense Federal Acquisition Regulation Supplement (DFARS) intended to better protect controlled data and national security networks from cybersecurity threats. DFARS expanded the government’s efforts to protect national security data and networks by setting cyber requirements for all DoD contractors who have access to controlled information.

The Cybersecurity Maturity Model Certification (CMMC) appears to be the DoD’s next step to assess and enhance the cybersecurity of national security data and networks.   

The DOD announced its intent to implement the new CMMC framework to better assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC will create a verification program to ensure that adequate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) that resides on DoD and DoD contractors’ networks.

In its announcement, the DoD advised that the CMMC will:

  • Review and combine various cybersecurity standards and best practices.
  • Build upon existing DFARs cyber regulations (DFARS 252.204-7012) by adding a verification component.
  • Create a cost-effective and affordable means for small businesses to implement CMMC.
  • Establish differing levels of CMMC controls and processes to reduce risk against specific forms of cyber threats.
  • Ultimately require all DoD contractors to have cyber audits and risk assessments by independent third-party certified organizations.
  • Provide for “higher level assessments” to be conducted by U.S. government agencies, such as the Defense Contract Management Agency (DCMA) and Defense Counterintelligence and Security Agency (DCSA).

The initial CMMC framework will be available in January 2020 for training purposes, with additional requirements information becoming available to DoD contractors in June 2020.

The DoD is planning a series of meetings to solicit comments and questions from DoD contractors. Additional information on the CMMC meetings and the CMMC is available on the Office of the Under Secretary of Defense website.

Ultimately, anyone doing business with the DoD, whether as a prime or subcontractor, will need to obtain CMMC.

As with the rollout of DFARs, it’s best to start compliance planning early and stay informed  to assure full compliance when required.