Alerts and Updates

Department of Defense Releases Cybersecurity Maturity Model Certification Framework for DoD Contractors

February 13, 2020

Beginning in June 2020, contractors competing for DoD contracts will be required to obtain third-party certification as part of the RFP process.

On January 30, 2020, the Pentagon issued the final standards under the Cybersecurity Maturity Model Certification (CMMC), which marks the first steps toward implementation of new cybersecurity standards into all Department of Defense (DoD) contracts. This model was created in an effort to strengthen the cybersecurity of hundreds of thousands of DoD contractors and prevent malicious cyber activity that leads to loss of intellectual property and sensitive information, as well as supply chain disruptions.

Certification Requirements

The CMMC lays out five cybersecurity maturity certification levels and certification processes. Each level is designed to provide the DoD with increased assurance that contractors can protect sensitive information, including controlled unclassified information (CUI) and federal contract information (FCI). At each level, the process and practice maturity level identified must be achieved. The five levels are:



Process Maturity

Practice Maturity

Level 1

Safeguard FCI


No process assessment

Basic Cyber Hygiene

17 practices (meeting FAR clause 52.204-21) 

Level 2

Transition step to protecting CUI


Document policies and implement practices

Intermediate Cyber Hygiene

72 practices

Level 3

Protect CUI


Establish, maintain and resource a plan

Good Cyber Hygiene

130 practices (includes all NIST SP 800-171 plus others)

Level 4

Protect CUI and reduce risk of advanced persistent threats


Review and measure activities for effectiveness


156 practices

Level 5


Standardize and optimize an organizational approach


171 practices

What to Expect

Beginning in June 2020, contractors competing for DoD contracts will be required to obtain third-party certification as part of the RFP process, a change from previously permitted self-certification. Contractors will be expected to obtain certification with one of the approved CMMC assessors, who will audit a contractor’s cybersecurity capabilities based on the chart above.

Next Steps

While a proposed rule that amends the Defense Federal Acquisition Regulation Supplement (DFARS) to implement CMMC into contracts is not expected until the summer of 2020, contractors should take initial steps now to prepare for CMMC certification. Contractors should begin evaluating the level they will be required to achieve by reviewing their DoD contracts and subcontracts. Contractors should also assess ways to pass along the costs of certification and related cybersecurity upgrades to DoD, an issue that DoD continues to study. DoD has previously indicated that these costs will be allowable as indirect costs.

For Further Information

If you have any questions about this Alert, please contact Michael E. Barnicle, Keith J. Feigenbaum, Jamie E. Brown, any attorney in the Government Contracts Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.