US Department of Defense introduces new cybersecurity requirements for all contractors

CBG DoD banner

If your organisation is one of the 300,000 currently doing business with the US Department of Defense (DoD), then you may be affected by regulatory requirements being brought in this year as part of the new Cyber Maturity Model Certification (CMMC).

Designed to allow for better assessment  and pragmatic improvements to the cybersecurity posture of the US Defense Industrial Base (DIB), CMMC unifies existing legislation into a new set of cybersecurity best practices, mapping these best practices and processes to five Maturity Levels ranging from basic cybersecurity hygiene (ML1) to advanced cybersecurity practices (ML5).

Given the range and scope of the services being delivered by the DIB sector, the CMMC framework is designed to support suppliers with varying requirements for cyber hygiene, which will depend on the types of data they store and process as part of their contract. Each of the five Maturity Levels is cumulative, with the level of compliance being defined through each procurement. Notably the primary contractor will have to flow the relevant level of compliance with procedures and capabilities down to any sub-contractors that its organisation involves in fulfilling DoD contracts, although they may be able to certify at a lower level depending on their role in the contract.

Whereas in the past organisations could self-assess their compliance with the DoD’s cybersecurity requirements, going forward in order to close perceived gaps in assurance and ensure mandatory standards of compliance are maintained across the entire DIB the assessement must be completed by an independent Third-Party Assessor Organisation (3PAO). With around 15 procurement programmes being switched as of mid-2021, many businesses are expected to be affected by the changes and will need to be certified or risk losing the ability to bid for DoD contracts.

With the CMMC Accreditation Body recommending six months to prepare for certification, companies should look to get on the front foot now by reviewing CMMC requirements, identifying their desired Maturity Level to bid on contracts, assessing existing cybersecurity practices and running a gap analysis assessment. This proactive approach will provide for a smoother transition to the new operating model and mean that companies can accredit quickly and avoid exposure to contract risk.

Cyber Business Growth (CBG) has introduced a pre-certification Readiness Assessment that covers all the above steps to highlight any areas of compliance risk. Our specialist Consultants can further support your organisation to remediate identified gaps and implement the practices and processes necessary to align your security controls and policies with the CMMC framework required for your designated Maturity Level. Contact us to discuss how CMMC could affect your business and how we can help you prepare for certification.


Cyber Business Growth is a specialist cyber consultancy practice consolidating the skills of trusted, accomplished and influential industry experts to help enterprises, vendors, channel partners and investment companies navigate the complex world of cyber security.
The philosophy of CBG is to impart our cyber experience, knowledge, operational know-how and access to the market to those that need it. Our range of services has evolved to ensure we can successfully provide comprehensive expertise in the ever-changing marketplace by understanding and solving complex business and security challenges through advisory, cyber, and business-focused consultancy services.
Our unparalleled experience with both emerging and established Cyber Security vendors across the globe and our access to cyber experts, provides a full 360-degree view around Cyber Security, alongside our specialist service capabilities.

Cyber Business Growth