New Mandatory Cybersecurity Requirements for Defense Contractors

October 1, 2020

Regulatory Rule Published 

On September 29, the Department of Defense (DOD) released the interim rule that will amend the Defense Federal Acquisition Regulation Supplement (DFARS) marking a key milestone that will eventually require a Cybersecurity Maturity Model Certification (CMMC) in all defense contracts phased in completely by 2026. For defense contractors CMMC certification is a “go/no go” requirement. The rule was originally slated to be released in the spring but was delayed. Disappointingly, the interim rule will take immediate effect at the end of the 60-day comment period giving regulators little time to make any adjustments. The rule comes on the heels of the CMMC Accreditation Body announcing that it had selected the first batch of 73 provisional CMMC Third Party Assessment Organization (C3PAO) who will undergo training.

The purpose of CMMC is to become the “unified cybersecurity standard” for all DOD contractors, including subcontractors. Under this model, Defense contractors, including subcontractors, will be required to be certified among the different CMMC levels (1-5) in order to be eligible for contract award. The level of security is determined based on the security requirements needs for each defense contract. This differs from previous cybersecurity mandates as CMMC will require contractors to obtain a third-party accreditation. 

AGC has communicated the difficulty many contractors have had implementing these new cybersecurity requirements and the challenges that the CMMC model brings. AGC of America has previously filed comments on CMMC as it was developed and will file comments on the new interim rule. On December 19, AGC hosted a CMMC WebEd that discussed CMMC and how contractors should begin to prepare.  

For more information, contact or (703) 837-5368.

Contractor Type: 
Industry Priorities: 
Go to top