Skip to content

CMMC: New Cyber Compliance Mechanism for Government Contractors

As cybersecurity technology continually advances and becomes more innovative in nature, the cyber threat landscape has adapted. Thus, this evolution of cybersecurity threats merits concern and has become an increasing priority for the Federal Government.

This concern also encompasses Government Contractors, as they will be encumbered by new government compliance requirements in 2020. The United States Department of Defense (DoD) launched the Cybersecurity Maturity Model Certificate Initiative (CMMC) this year, a new enforcement mechanism designed to force contractors to comply with the Defense Federal Acquisition Regulation (DFARS), a governmental cybersecurity framework.

If you’re a government contractor, then you should know what these regulations are, what they mean, and how they relate to your business.

What is DFARS and CMMC?


The United States Department of Defense published a regulation called the Defense Federal Acquisition Regulation Supplement (DFARS). In short, all DoD contractors that process, store, or transmit controlled unclassified information (CUI) must meet DFARS minimum cybersecurity standards or they will risk losing DoD contracts.

This government policy is intended to safeguard the DoD’s supply chain from cybersecurity threats. Moreover, DFARS provides a set of minimum security controls that will constitute DFARS compliance with the DoD. Failure to meet these requirements could potentially mean the of loss of DoD contracts.


The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s newest verification mechanism that is designed to ensure that cybersecurity controls and processes adequately protect controlled unclassified information. More specifically, the CMMC requires appropriate certification to remain eligible for government contracts.

Depending on how a contractor manages CUI, a contractor will have to be certified among the ascending 5 levels of CMMC certification. Additionally, each level is cumulative of each lower level of certification. These levels refer to different controls than what is outlined in NIST SP 800-171 Rev. 1 and NIST SP 800-171 Rev. B.

  • Level 1 – Basic Cyber Hygiene
  • Level 2 – Intermediate Cyber Hygiene
  • Level 3 – Good Cyber Hygiene
  • Level 4 – Proactive
  • Level 5 – Advanced/Progressive

How are DFARS and CMMC related?

CMMC builds upon an existing DFARS clause (DFARS 252.204-7012) and CMMC acts as a verification component for government contractors. Ever since the passing of DFARS, government contractors and subcontractors have been aiming to better understand DFARS, what it means to their business, and how they should become compliant. However, due to the slow adoption of DFARS compliance among the government supply chain, the DoD began the CMMC to ensure the compliance and adequate cybersecurity controls when managing CUI on DoD contractor systems.

Why is it important to act now?

Implications of government contractors (and subcontractors) means that government contractors are at risk of losing business with the DoD. Operational application of CMMC and associated DFARs requirements have begun in 2020 and government contractors will begin to see these requirements as early as June 2020. The CMMC requirement component are geared to provide the following benefits for the DoD:

  • Establish adequate CMMC controls to reduce cybersecurity risks
  • Verify compliance to DFARS
  • Conduct periodic cyber audits and risk evaluations

But what does this mean for government contractors within the supply chain? This means that DoD contractors will need to become CMMC certified by passing a CMMC audit. This will verify that contractors have the appropriate cybersecurity internal controls for their business and ultimately vet the contractor based on the DoD’s requirements.

How can we help?

Alliant Cybersecurity is here to lend a helping hand to businesses and improve their cybersecurity posture. For government subcontractors, it means that we are here to help you prepare for the DFARS compliance requirements and the CMMC certification that looms in the near future.