DoD Contractors Compliance

Connecting you with Compliance

Self Assessment Handbook

DoD Compliance Overview 

Department of Defense (DoD) contractors are now well aware of the cybersecurity mandates that have been sweeping across the defense industry over the past several years. In 2015, The U.S. Department of Defense published the Defense Acquisition Federal Regulation Supplement, known as DFARS, which mandates that private DoD Contractors adopt cybersecurity standards according to the NIST SP 800-171 cybersecurity framework. This is all part of a government-led effort to protect the U.S. defense supply chain from foreign and domestic cyber threats, and reduce the overall security risk of the sector.

Since the passing of DFARS, over 300,000 U.S. DoD contractors have been scrambling to understand DFARS and implement NIST SP 800-171 standards within their companies to become compliant with the regulation. Some have had the internal resources to become compliant themselves, while others have outsourced the task to Managed Service Providers who help DoD contractors comply with their cybersecurity mandates. Even though the DoD has given incentive to comply by making it a “competitive advantage” within the contract awards process, many contractors have chosen to put off compliance. There are even reported cases in which DoD contractors have made false claims, stating to be in compliance on DoD contracts, but have later been found to be non-compliant. Because of the slow adoption rate of the DFARS 252.204-7012 regulation, the Department of Defense has released the Cybersecurity Maturity Model Certification (CMMC) to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) on DoD contractor systems.

The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in Request for Proposal sections L and M and use it as a “go / no go decision.”

In its final form, the CMMC will intend to combine various cybersecurity control standards such as NIST SP 800-171 (Rev. 1 & Rev. B), NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.


Important Dates and Milestones for DoD Contractors

  • January 2020: The official CMMC Levels and requirements will be released along with training materials for the independent CMMC Accreditation Board (CMMC AB) to use for training auditors and C3PAO’s.
  • February-May 2020: The initial round of assessors will be trained
  • June-September 2020: Initial round of audits will begin for a select number of DoD Programs/RFI’s with the required CMMC Levels identified and contractors wishing to bid on those Programs will need to be certified to the required Level in order to receive the RFP.
  • October 2020 and beyond: DoD contractors will need to get certified by an accredited Assessor/C3PAO in order to bid on new work


About CMMC Levels

The CMMC will review and combine various cybersecurity standards and best practices.  They will map these controls and processes across several maturity levels that range from "basic cyber hygiene" to "advanced".


  • Level 1 – “Basic Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement 17 controls of NIST 800-171 rev1.
  • Level 2 – “Intermediate Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement another 48 controls of NIST 800-171 rev1 plus 7 new “Other” controls.
  • Level 3 – “Good Cyber Hygiene” – In order to pass an audit for this level, the DoD contractor will need to implement the final 45 controls of NIST 800-171 rev1 plus 14 new “Other” controls.
  • Level 4 – “Proactive” – In order to pass an audit for this level, the DoD contractor will need to implement 13 controls of NIST 800-171 RevB plus 13 new “Other” controls
  • Level 5 – “Advanced / Progressive” – In order to pass an audit for this level, the DoD contractor will need to implement the final 5 controls in NIST 800-171 RevB. plus 11 new  “Other” controlscmmc-level-graph
Ready, Aim, Pass the Audit

DoD Contractor Readiness Assessment

The first step towards certification is for the DoD contractor to get a third-party Readiness Assessment completed to see how close, or how far away, the DoD contractor is from meeting the minimum requirements outlined in the appropriate CMMC Level. The Readiness Assessment is designed to discover inadequate system setups and processes that may not meet all of the required controls. Taking a close look at a company’s network and procedures is the first step to ensuring compliance.  The results of the CMMC Readiness Assessment may reveal issues such as:

  • How access to information systems is controlled
  • How managers and information system administrators are trained
  • How data records are stored
  • How security controls and measures are implemented
  • How incident response plans developed and implemented

Gap Analysis

Without a gap analysis, it’s impossible to know what changes an organization needs to make before it meets the required CMMC Level. The professionals use their findings to create remediation plans that will correct any problems and keep our clients in line with CMMC requirements.

The gap analysis will either aid a DoD contractor in performing their own remediation plan, or they may opt to have a third party perform the remediation for them.

Remediation Plan

A CMMC Readiness Consultant will develop a remediation plan based on the findings outlined in the Readiness Assessment. The plan may involve small, relatively inexpensive fixes to a network and/or its processes, or it may involve more extensive, from the ground up, development of compliant networks and processes that meet today’s cybersecurity standards.

Remediation plans provide detailed documentation of processes that don’t meet today’s standards. Having a well-researched plan also makes it easier for DoD Contractors to make necessary changes to their systems.


Ongoing Monitoring and Reporting

Once the remediation plan is complete and a DoD Contractor’s systems and procedures are compliant with the appropriate CMMC Level, a Managed Security Service Provider will have the tools and processes in place to monitor, detect, and report on cybersecurity breaches within the DoD Contractor’s systems. If the DoD Contractor is not outsourcing compliance to an MSSP, they have the option to report cyber incidents themselves, given they have tools to monitor and detect such incidents.

Pass the First CMMC Audit

For many companies, DoD contracts can make up a substantial percentage of their revenue, and because CMMC certification will now be a requirement for contract awards, it’s extremely important that contractors get prepared to pass the CMMC audit as soon as possible. If you are not prepared to pass your desired CMMC Level you run the risk of being unable to offer products and services to the DoD for an extended period due to:

  • The time it takes to implement all of the security controls required for the Program you desire to bid on if you have waited until the last minute
  • The potential backlog of audits could affect the time it takes to get an audit done.

Therefore, it is highly recommended that a contractor consult with an experienced CMMC Readiness Consultant who can ensure that the contractor meets the requirements of their specified CMMC Level and can pass a CMMC Audit on the first try.