David Kruse - Tetra Defense January 7, 2020 5 min read

New Cybersecurity Mandate for DOD Contractors in 2020

2020 is here. If you’re looking to do business with the Department of Defense, that means your organization will face new cybersecurity certification requirements it must comply with before it can win a DOD contract.

Wisconsin alone has over 3,600 companies that have been awarded DOD contracts in the past decade, making everything from war machines to microscope motors.

Wisconsin companies will be impacted by these requirements.

What’s changing?

In January 2020, the Office of the Under Secretary of Defense for Acquisition & Sustainment will release version 1.0 of the Cybersecurity Maturity Model Certification (CMMC).

In June 2020, contractors can expect to see requests for certification appear in all DOD Requests for Proposal; certification will be used as a go/no-go for continued contractual discussions.

This means that the maturity of a contractor's cybersecurity program will be materially relevant to the awarding of DOD contracts.

What is CMMC?

CMMC is the standard by which the DOD will assess the cybersecurity of their contracted businesses. “All companies doing business with the Department of Defense will need to obtain CMMC.” Depending on the nature of the product/service, certification may require only Basic Cybersecurity Hygiene (Level 1) all the way up to Advanced (Level 5). The level required will be specified in the RFP.

Why is CMMC being implemented?

The DOD has a vested interest in ensuring the confidentiality, integrity, and availability of the information handled by its contracted partners, the defense industrial base. Drawing on the most comprehensive security frameworks, the CMMC is intended to ensure that the components that make up our national security infrastructure are protected from intrusion and exploitation.


How can my company become certified?

Your company must engage a third-party assessor; once you know the level the RFP requires of your organization, the assessor will determine whether or not you meet the requirements to be certified at that level. Self-certification is not an option. Your certification level will be public knowledge, but specific findings will not be publicly available.

How am I going to pay for this?

Costs of certification are going to be reimbursable under this program. Costs to implement cybersecurity systems & processes, though, will be borne by the company.


What should I do now?

If you haven’t yet begun formalizing an information security program, now is the time. Since certification will be a determining factor in whether or not you can proceed with a DOD contract, you need to start preparing for the eventual assessment. It remains to be seen exactly which elements the DOD will stress over others, but standing up a program now will put you in a much stronger position later.

Tetra Defense has extensive experience implementing proactive security programs in regulated industries and can help implement & improve an information security program that not only meets CMMC requirements, but more importantly, secures your business.

To learn more about the CMMC, visit DOD’s FAQ page here: https://www.acq.osd.mil/cmmc/faq.html; the information in this article is drawn directly from that source.

Register for our webinar, “Doubling Down for the DOD - How New Cybersecurity Requirements Impact Defense Contractors,” to learn more about these upcoming requirements.

David Kruse - Tetra Defense

Tetra Defense, formerly Gillware Digital Forensics, is an incident response, cyber risk management, and digital forensics firm helping clients recover and restore from incidents like ransomware, business email compromise and wire transfer fraud. Services range from in-depth forensics investigations of intellectual property theft to the assessment and development of corporate information security programs. With offices in Madison and Milwaukee, the top-priority objectives for the Tetra Defense team are to help organizations get back on their feet after an incident and guide them through the process of building a more secure environment to lessen the risk of incidents in the first place. Tetra frequently works with insurance carriers and some of the nation’s largest and most respected privacy law firms to navigate cyber liability insurance claims and also works directly with businesses large and small to reduce their cyber risk.