Department of Defense (DoD) Requires Contractors Obtain CMMC Beginning FY2021


The Cybersecurity Maturity Model Certification (CMMC) is intended to enforce the Defense Federal Acquisition Regulation Supplement (DFARS) and National Institute of Standards and Technology (NIST) frameworks by requiring that all contractors - prime contractors and subcontractors - must pass a CMMC audit performed by an independent third-party certifier (3PAO).  Through the CMMC mandate, the DoD is requiring contractors lock down and enforce their cybersecurity practices; especially DFARS 252.204-7012 and NIST 800-171.



"In the past two years, Pentagon officials have become increasingly concerned that one of their greatest cybersecurity risks lies in the second- and third-tier contractors who work with the Defense Department and the largest defense companies."

Ms. Ellen Lord
DoD Undersecretary for Acquisition and Logistics

Fifth Domain Article, March 25, 2019


Beginning June 2020: Requests for Proposals (RFP) and Requests for Information (RFI) shall state the procurement's CMMC level requirement.  Contractors are required to possess the required CMMC at the time of award.  A Plan of Action & Milestones (POA&M) shall not be accepted in lieu of the CMMC at the time of award.  

Beginning October 2020: Unless a higher level CMMC is specified in the RFP or RFI, all prime contractors and subcontractors must possess CMMC Level 1 to receive a contract or subcontract award.


Prime contractors shall flow down the appropriate CMMC level requirement to its subcontractors, and shall only engage for contract performance those subcontractors possessing the appropriate CMMC.  


The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain.

Office of the Under Secretary of Defense for Acquisition & Sustainment
Cybersecurity Maturity Model Certification


January 2020: O



September 2019:  DoD CMMC releases the CMMC Framework - Draft Version 0.4 for public comment.  The draft described the CMMC Framework as a unified cybersecurity standard intended to build upon existing regulations, policy, and memoranda by adding a verification component to the existing standards for safeguarding Controlled Unclassified Information (CUI) within the DIB.

July 2019:  Securing the DoD Supply Chain (based on CMMC Framework Draft Version 0.2) is presented by HQE Cyber for ASD (A).  Research conducted in concert with John Hopkins University Applied Physics Laboratory (APL) and Carnegie Mellon University Software Engineering Institute (SEI) show that the vast majority of the DIB's cyber hygiene practices are inconsistent and they are regularly the victims of low-level cyber attacks.  The briefing 

May 2019:  DoD announces its plans for creating and implement the Cybersecurity Maturity Model Certification (CMMC); initial efforts began in early 2019.  The CMMC concept is the result of, and in response to, a series of high profile DoD information information breaches; causing the DoD to reevaluate its reliance on the Defense Industrial Base's (DIB) self-administered DFARS 252.204-7012 and NIST 800-171 security controls and ability to thwart the increasing and evolving threats, especially from nation-state actors.

November 2018:  The DoD released guidance to assist acquisition personnel develop effective cybersecurity strategies for acquisitions (solicitations), and to help enhance and simplify protection requirements

guidance: Assessing Compliance and Enhancing Protections Required by DFARS Clause DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.