Cybersecurity Requirements Likely for Defense Contracts by June 2020

You have accessed part of a historical collection on defense.gov. Some of the information contained within may be outdated and links may not function. Please contact the DOD Webmaster with any questions.

The Defense Department expects that by June 2020, industry will see cybersecurity requirements included as part of new requests for information, which typically serve as one of the first steps in the awarding of new defense contracts.

Ellen Lord, the undersecretary of defense for acquisition and sustainment, said the new cybersecurity maturity model certification program is a critical part of ensuring that companies hoping to do business with the department meet important cybersecurity requirements.

"The cybersecurity maturity model certification, or CMMC program, establishes security as the foundation to acquisition and combines the various cybersecurity standards into one unified standard to secure the DOD supply chain," Lord said.

A woman sits at a table, with her hand folded.  In the background, a man in a military uniform stands behind a lectern.
Pentagon Conference
Ellen Lord, the Defense Department’s undersecretary for acquisition and sustainment, spoke at a news conference at the Pentagon, December 10, 2019.
Credit: Marine Corps Sgt. Warren Smith
VIRIN: 191210-D-MG926-003

She said the program will establish five levels of certification tailored to the criticality of a system or subsystem that a contractor might hope to do work on. The CMMC framework was developed in collaboration with the defense industry and leadership on Capitol Hill, and through engagement with the public.

"These levels will measure technical capabilities and process maturity," Lord said. "The CMMC framework will be made fully available in January 2020."

The program is designed to ensure that any business doing work for the government can demonstrate that its computer networks and cybersecurity practices are up to the task of defending against intrusions by adversaries who want access to information about government contracts and weapons systems development.

A military combat vehicle sits in a dirt lot.
Tactical Vehicle
Marines at Camp Pendleton, Calif., received the new joint light tactical vehicle, Sept. 6, 2019. In the future, defense contractors involved in the development of systems like this will need to show their company’s cybersecurity programs meet Defense Department standards.
Credit: Marine Corps Sgt. Joseph Prado
VIRIN: 190906-M-OI329-1001
A U.S. military fighter jet sits on a runway near other aircraft.
Lightning II
An F-35A Lightning II aircraft returns to Al Dhafra Air Base, United Arab Emirates, Nov. 16, 2019. In the future, defense contractors involved in the development of systems like the F-35 will need to show their company’s cybersecurity programs meet Defense Department standards.
Credit: Air Force Tech. Sgt. Joshua Williams
VIRIN: 191116-F-HZ625-0009C

"Cybersecurity is a threat for the DOD and for all of government, as well as critical U.S. business sectors, such as banking and healthcare," Lord said. "We know the adversary is at cyberwar with us every day. So, this is a U.S. economic security issue, as well as a U.S. security issue. When we look at cybersecurity standards, I believe it is absolutely critical to be crystal clear as to what expectations [and] measurements are, what the metrics are and how we will basically audit against those."

The government itself won't audit potential contractors for compliance with the program's standards. Instead, a third party will perform those audits. Lord said DOD is working with multiple companies that are interested in performing that work, and she said she expects a decision by January.

The server room of the 153rd Airlift Wing, Wyoming Air National Guard Base.
Server Room
Air Force Airman 1st Class Thomas Schoening, a cyber transport systems airman, stands in the server room at the 153rd Airlift Wing, Wyoming Air National Guard Base, Cheyenne, Wyo., Nov. 1, 2019.
Credit: Air Force Staff Sgt. Jonathon Alderman, Wyoming Air National Guard
VIRIN: 191101-Z-QG327-0018C

Lord said DOD expects some challenges for small businesses to meet the program's requirements. DOD is aware of industry's concerns, and efforts are being made to alleviate some of those concerns, she said.

"We know that this can be a burden to small companies, particularly, and small companies is where the preponderance of our innovation comes from," Lord said. "So, we have been working with the primes, with the industry associations, with the mid-tiers, with the small companies on how we can most effectively roll this out so it doesn't cause an enormous cost penalty for the industrial base."
