Final Version of Mandatory Cybersecurity Requirements for Defense Contractors Released

On Jan. 31, the Office of the Undersecretary of Defense for Acquisition and Sustainment (OSD) released the final version of the Cybersecurity Maturity Model Certification (CMMC). The Department of Defense (DOD) will begin including the final CMMC model as “go/no go” in all new solicitations starting in late summer/early fall of 2020. On the same day, defense officials held a news conference discussing the final version of CMMC. For further information on this, click “learn more.”

The purpose of CMMC is to become the “unified cybersecurity standard” for all DOD contractors, including subcontractors. Under this model, all defense contractors will be required to be certified among the different CMMC levels (1-5) in order to be eligible for contract award. The level of security is determined based on the security requirement needs for each contract. This differs from previous cybersecurity mandates as CMMC will require contractors to obtain third-party accreditation. The standards for third-party accreditors is being developed by the CMMC Accreditation Body.  

AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the new model brings. OSD has acknowledged the challenge of being compliant with CMMC, but suggest a firm’s “policies, plans, processes, and procedures” may offset the need for full compliance.  

Late last year, AGC hosted a CMMC WebEd that discussed how contractors should begin to prepare. The standard and other requirements will be discussed at this year’s Federal Contractors Conference in Washington, D.C.

For more information, contact Jordan Howard at or (703) 837-5368.

Contractor Type
Industry Priorities