New Cybersecurity Mandate for DOD Contractors in 2020

2020 is here. And if you’re looking to do business with the Department of Defense, that means your organization will have new cybersecurity certification requirements you must comply with if you’re hoping to win a DOD contract. 

Wisconsin alone has over 3,600 companies that have been awarded DOD contracts in the past decade, making everything from war machines to microscope motors.

Wisconsin companies will be impacted by these requirements.

What’s changing?

In January 2020, the Office of the Under Secretary of Defense for Acquisition & Sustainment will release version 1.0 of the Cybersecurity Maturity Model Certification (CMMC).

In June 2020, contractors can expect to see requests for certification appear in all DOD Requests for Proposal; certification will be used as a go/no-go for continued contractual discussions.

This means that the maturity of a contractor's cybersecurity program will be materially relevant to the awarding of DOD contracts.

What is CMMC?

CMMC is the standard by which the DOD will assess the cybersecurity of their contracted businesses. “All companies doing business with the Department of Defense will need to obtain CMMC.” Depending on the nature of the product/service, certification may require only Basic Cybersecurity Hygiene (Level 1) all the way up to Advanced (Level 5). The level required will be specified in the RFP.

Why is CMMC being implemented?

The DOD has a vested interest in ensuring the confidentiality, integrity, and availability of their contracted partners, the defense industrial base. Using the most comprehensive security frameworks, the CMMC will ensure that the components that make up our national security infrastructure are protected from intrusion & exploitation.

How can my company become certified?

Your company must engage a third-party assessor; once you know the certification level the RFP requires of your organization, the assessor will determine whether or not you meet the requirements to be certified at that level. Self-certification is not an option. Your certification level will be public knowledge, but specific findings will not be publicly available.

How am I going to pay for this?

Costs of certification will be reimbursable under this program. Costs to implement cybersecurity systems and processes, though, will be borne by the company.

What should I do now?

If you haven’t yet begun formalizing an information security program, now is the time. Since certification will be a determining factor in whether or not you can proceed with a DOD contract, you need to start preparing now for the eventual certification. It remains to be seen exactly what elements the DOD will stress over others, but standing up a program now will put you in a much stronger position later.

Gillware has extensive experience implementing proactive security programs in regulated industries and can help implement & improve an information security program that not only meets CMMC requirements, but more importantly, secures your business.

To learn more about the CMMC, see the DOD's CMMC FAQ page; the information in this article is drawn directly from that source.

About the Author

David Kruse - Gillware