The DoD to Contractors: Time to be More Mature


Is your company’s cybersecurity program mature and effective? When asked this question, most executives will answer yes, but the Department of Defense (“DoD”) disagrees. According to Katie Arrington, Special Assistant to the Assistant Secretary of Defense for Cyber:

“If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base [(“DIB”)] doesn’t have robust cyber hygiene. Only 1% of DIB companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”  

That is why the DoD recently announced two important changes to its approach to securing its supply chain: 1) cybersecurity costs will soon be allowable under DoD contracts, and 2) the creation of a Cybersecurity Maturity Model Certification (“CMMC”), which will be required under all DoD contracts.[1]

The DoD has not announced additional cost allowability details yet. Subscribe to our newsletter for more details when they become available.

Aggressive CMMC Implementation Timeline

The DoD knows it needs to make fundamental changes quickly to combat threats to its supply chain and has set out an aggressive timeline: CMMC Version 1.0 and the certification process will be finalized in January 2020, and the CMMC will be a mandatory go/no-go part of all solicitations beginning in September 2020.

CMMC Details

Rather than focusing on whether certain technologies are deployed in the contractor’s environment, the CMMC measures the maturity of contractors’ cybersecurity programs. The CMMC will define five levels of maturity, from “basic” to “state-of-the-art”, and all government solicitations will soon include threshold maturity requirements for all contractor cybersecurity programs. Every vendor on a contract, including subcontractors, must meet those maturity requirements or their proposal will not be considered. Internal maturity evaluations are not enough: the maturity certifications must be conducted by third-party cybersecurity auditors who will conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.

Conduct a Maturity Assessment Now

Although the CMMC won’t be finalized until January, the uncertainty shouldn’t keep your company from acting. In our experience, initial cybersecurity maturity assessments are a wake-up call for many companies, and it can take many months, or even years, for the companies to find the resources necessary to improve their maturity. Assessing systems now will allow your company to improve its maturity before the CMMC requirements take effect. Fathom Cyber’s maturity assessments use many of the industry standards upon which the CMMC is likely to be built so your company can start acting now.

For more details on the CMMC and how Fathom Cyber can improve your company’s cybersecurity maturity, visit

[1] Damon Silver and Catherine Tucciarello, “Help Me, Help You”: Defense Department Advises Contractors That Cybersecurity Is An Allowable Cost (last viewed 6/28/2019).