DoD Update on Cybersecurity Requirements

If your company is in the Defense supply chain, you are aware of the cybersecurity requirements outlined in DFARS 252.204-7012, as well as the NIST SP 800-171 framework for cybersecurity. What you may not be aware of are the changes that are being developed and will be rolled out in 2020:

  • NIST 800-171A – This is the government standard for assessing compliance with each security requirement of 800-171. It was released June 2018 and explains what evidence should be gathered for review by assessors. It includes 320 objective tests to confirm compliance with each of the 110 security requirements.
  • NIST 800-171B – This standard is still in draft form. It contains enhanced requirements for critical programs and high value assets.
  • Cybersecurity Maturity Model Certification (CMMC) – The DoD is currently working with Johns Hopkins University Applied Physics Laboratory and Carnegie Mellon University Software Engineering Institute to review and combine various cybersecurity standards into one unified standard for cybersecurity. The CMMC will incorporate five (5) Levels. The criteria to meet a specific Level are still in development. Below are the draft Levels and criteria:

    • Level 5 (Advanced / Progressive): 4 security controls from NIST SP 800-171 rev B
    • Level 4 (Proactive):  26 security controls from NIST SP 800-171 rev B
    • Level 3 (Good Cyber Hygiene):  47 security controls from NIST SP 800-171
    • Level 2 (Intermediate Cyber Hygiene):  46 security controls from NIST SP 800-171
    • Level 1 (Basic Cyber Hygiene):  17 security controls from NIST SP 800-171

In the future, all DoD contracts will specify the required CMMC Level in sections L and M of the RFP. This requirement will be incorporated into the go / no-go decision process related to contract awards. At a minimum, ALL contractors must meet CMMC Level 1.

NOTE:  The CMMC does not replace DFARS 252.204-7012 and NIST SP 800-171. For more information on the CMMC Initiative, go to

  • CMMC Assessments & Certification – DoD will be requiring cybersecurity assessments by neutral 3rd parties. Training of 3rd party assessors will start in early 2020. A tool is currently being developed that 3rd party cybersecurity certifiers will use to conduct audits, collect metrics, and inform risk mitigation for the entire supply chain. The DoD is currently planning to include CMMC certification levels as a requirement in new RFPs starting in September 2020.

What You Should Do Now To Prepare

STEP 1:  Develop a true situation awareness of your company’s current state related to compliance with DFARS 252.204-7012. Use the assessment process defined in NIST SP 800-171A and start collecting the required evidence. Keep in mind that true situation awareness applies to your company as well as all the suppliers in your supply chain for DoD projects.

STEP 2:  Use 800-171A to develop a Plan of Action and Milestones (POAM).

STEP 3:  This step relates to remediation, i.e. execution of your POAM. This includes understanding where your subcontractors are in their respective POAMs. In order to receive CMMC certification, your POAM must be executed.

STEP 4:  This step relates to 800-171A validation. Prime contractors will be validating that all of their critical suppliers follow cybersecurity best practices and 800-171A.

If you have any cybersecurity questions, or need assistance with the above steps, contact Connie Palucka at or 412-918-4259.