Requirements and impacts on Department of Defense (DoD) suppliers & vendors

The US DoD is taking steps to limit the threat of supply chain exposure to cyber-crime with a new certification program for its vendors and suppliers.

The Cybersecurity Maturity Model Certification (CMMC), to be introduced this year, will measure the maturity level of all Defense Industrial Base (DIB) / DoD suppliers’ cybersecurity programs. The CMMC has five levels of maturity that align with DoD contract requirements, and suppliers wishing to participate in the DoD contracting process must achieve maturity levels that align with those individual contract requirements.  

The CMMC will be rolled out into contracts in phases from fiscal year 2021 through fiscal year 2025, and the final CMMC rule definitions are expected in the first quarter of 2021. However, the DoD issued an Interim Rule, effective November 30, 2020, to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the CMMC framework. This interim rule includes new DFARS clause 252.204.7021, which specifies CMMC requirements.

HKA provides an easy way to get started. Our FREE CMMC Online Assessment Questionnaire provides a helpful baseline of information on your CMMC obligations, and helps you chart a course that best meets your needs.

The interim rule also enables the DoD to verify the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CFI) within the unclassified networks of DIB companies using the National Institute of Standards and Technologies (NIST) 800-171 framework and assessment methodology.

The interim rule became effective on 30 November 2020.


Cyber-crime is one of the fastest growing criminal activities globally, and government agencies are prime targets.

The modern-day battlefield has moved to cyberspace, and nation-state attackers are trying to gather intelligence on their adversaries by any means possible. Emerging technologies and the expanding universe of the “Internet-of-Things” have increased the threat of exposure for both government agencies and their suppliers.

The cyber-theft of intellectual property and sensitive information, along with the compromise of systems in every US industrial sector threatens our national defence and economic security. According to a 2018 report from The US Council of Economic Advisors, malicious cyber activity cost the US economy between USD$57 billion and USD$109 billion in 2016, and these figures have likely increased exponentially since then. Extrapolated over a ten-year period, these figures equate to USD$570 billion to USD$1.09 trillion in damages.