Arctic Wolf - An HG cyber security partner January 7, 2020 11 min read

New Cybersecurity Mandate for DOD Contractors in 2020

2020 is here. And if you’re looking to do business with the Department of Defense, that means your organization will have new cybersecurity certification requirements you must comply with if you’re hoping to win a DOD contract. 

Wisconsin alone has over 3,600 companies that have been awarded DOD contracts in the past decade making everything from war machines to microscope motors.

Wisconsin companies will be impacted by these requirements.

What’s changing?

In January 2020, the Office of the Under Secretary of Defense for Acquisition & Sustainment will release version 1.0 of the Cybersecurity Maturity Model Certification (CMMC).

In June 2020, contractors can expect to see requests for certification appear in all DOD Requests for Proposal; certification will be used as a go/no-go for continued contractual discussions.

This means that the maturity of a contractor's cybersecurity program will be materially relevant to the awarding of DOD contracts.

What is CMMC?

CMMC is the standard by which the DOD will assess the cybersecurity of their contracted businesses. “All companies doing business with the Department of Defense will need to obtain CMMC.” Depending on the nature of the product/service, certification may require only Basic Cybersecurity Hygiene (Level 1) all the way up to Advanced (Level 5). The level required will be specified in the RFP.

Why is CMMC being implemented?

The DOD has a vested interest in ensuring the confidentiality, integrity, and availability of their contracted partners, the defense industrial base. Using the most comprehensive security frameworks, the CMMC will ensure that the components that make up our national security infrastructure are protected from intrusion & exploitation.

The cybersecurity of contractors will be materially relevant to the awarding of DOD contracts.

How can my company become certified?

Your company must contact a third-party assessor; after you specify the level required of your organization in the RFP, the assessor will determine whether or not you meet the requirements to be certified at that level. Self-certification is not an option. Your certification level will be public knowledge, but specific findings will not be publicly available.

How am I going to pay for this?

Costs of certification are going to be reimbursable under this program. Costs to implement cybersecurity systems & processes, though, will be borne by the company.

All companies doing business with the Department of Defense will need to obtain CMMC.

What should I do now?

If you haven’t yet begun formalizing an information security program, now is the time. Since certification will be a determining factor in whether or not you can proceed with a DOD contract, you need to start preparing now for the eventual certification. It remains to be seen exactly what elements the DOD will stress over others, but standing up a program now will put you in a much stronger position later.

Tetra Defense has extensive experience implementing proactive security programs in regulated industries and can help implement & improve an information security program that not only meets CMMC requirements, but more importantly, secures your business.

To learn more about the CMMC, visit DOD’s FAQ page here:; the information in the article is drawn directly from this source.

Register for our webinar: Doubling Down for the DOD - How New Cybersecurity Requirements Impact Defense Contractors to learn more about these upcoming requirements.

Register Now


Arctic Wolf - An HG cyber security partner

Arctic Wolf's mission is to end Cyber Risk through effective security operations.