Requirements and impacts on Department of Defense (DoD) suppliers & vendors:

The US DoD is taking steps to limit the threat of supply chain exposure to cyber-crime with a new certification program for its vendors and suppliers. HKA can provide your organisation with the support to comply with the DoD.

Nearly two years after initial rollout, the Cybersecurity Maturity Model Certification Accreditation Board (CMMC-AB) has revamped its current standards with the introduction of CMMC 2.0. Two of the biggest changes are the condensing of the original five levels of cybersecurity maturity down to three and the reintroduction of self- assessment for Level 1 and for some programs at Level 2, depending on the type of information being managed. It is paramount to acknowledge that the DoD will not include CMMC 2.0 into any contracts prior to the completion of the rulemaking process, which Is estimated to be sometime between the end of 2022 and the end of 2023.

This major adjustment could be a great risk onto the shoulders of an organization’s executives, as CMMC 2.0, for Level 1 and Level 2 (for some programs), calls for an annual review from an internal company executive. Executives are putting their trust into individuals within the organization to ensure controls are in place, and they’re working efficiently and effectively. This approach contradicts the cybersecurity world’s best practice of “Zero-Trust” and increases an organization’s risk of an FCA violation. Every organization has a different risk tolerance and with the potential penalties being so high in this situation, it would be vital for an organization to assess theirs during this process. While CMMC 2.0 requirements do not require a third-party attestation, executives should highly consider getting a third-party review of their cyber and information security controls to help mitigate those potential risks.

HKA provides an easy way to get started. Our FREE CMMC Online Assessment Questionnaire provides a helpful baseline of information on your CMMC obligations, and helps you chart a course that best meets your needs.


Cyber-crime is one of the fastest growing criminal activities globally, and government agencies are prime targets.

The modern-day battlefield has moved to cyberspace, and nation-state attackers are trying to gather intelligence on their adversaries by any means possible. Emerging technologies and the expanding universe of the “Internet-of-Things” have increased the threat of exposure for both government agencies and their suppliers.

At the beginning of 2020, the DoD started taking steps to limit the threat of supply chain exposure to cyber- crime with the introduction of CMMC 1.0. CMMC 1.0 was originally developed because the cybersecurity self-assessment allowed under DFARS 252.204-7012 was not conducted as anticipated. This program was intended to be a requirement for all DoD suppliers and vendors, but the rollout was a staged one so that there would be enough time to implement properly and have the least amount of impact initially.

CMMC 1.0 had five different levels of maturity that an organization could be certified at, depending on their role in the supply chain and needs. For these certifications, an organization’s cybersecurity processes and practices were to be evaluated against the NIST 800- 171 framework. These assessments were to be conducted by independent third-party organizations for certification at every level of the CMMC 1.0 model.


Follow HKA on WeChat


HKA WeChat