Defense Contractors Get Ready: DoD Close to Unveiling New Cyber Certification Program

The Department of Defense (“DoD”) recently announced that a new cybersecurity standard and certification program for defense contractors, the Cybersecurity Capability Model Certification program (“CCMC”), is currently under development and nearly ready for deployment.

Of course, being mindful of cybersecurity should be nothing new for companies contracting with the DoD (or subcontractors of those companies).  After all, for the past several years, contractors working for the government have been bound by the Defense Federal Acquisition Regulation Supplement (“DFARS”), which generally requires the safeguarding of sensitive, unclassified information and the reporting of breaches involving such information. 

But the CCMC is expected to bring new requirements and additional layers of complexity to the table.  Most notably, CCMC will require anyone wishing to contract with the DoD to undertake a cyber audit, the results of which will be measured against the program’s five-level cybersecurity maturity model.  The various levels will be used as minimum benchmarks that must be met by contractors that wish to bid on DoD projects.  If a contractor’s certified maturity level falls below the one required for any particular contract, that contractor cannot bid on the project.  Moreover, companies will not be able to self-certify, meaning that the audits they must perform need to be completed by independent, third-party firms, which raises potential confidentiality and privilege concerns.

Additional information pertaining to CCMC, including a DoD website containing FAQs, is expected within the coming months.  In the meantime, Pentagon officials have already started to make their rounds to familiarize the industry with what is coming down the pike.  With a launch of the new program expected in January 2020, defense contractors should be preparing themselves now for what’s ahead.

New York Raises the Stakes in Relation to Breach R...
What’s Old is New Again - NY SHIELD Act Passes the...


This website presents only general information not intended as legal advice. Although we encourage calls, letters and emails from prospective clients, please keep in mind that merely contacting Harter Secrest & Emery LLP (HSE) does not establish an attorney-client relationship between us. Confidential information should not be sent to HSE until you have been notified in writing by HSE that a formal attorney-client relationship has been established. Information sent to us before then may not be treated as confidential by HSE or the court.

I have read this and agree     Cancel

Our website uses cookies. By continuing to use our site, you agree to our use of cookies in accordance with our Privacy Policy.