As of 2026, the United States Department of Defense (DoD) will be requiring all defense contractors to complete a new cybersecurity certification course before submitting proposals.
The DoD will require all defense contractor hopefuls to complete the Cybersecurity Maturity Model Certification (CMMC) framework. The first version of the framework was released to the public at the beginning of February, after several drafts and rounds of feedback from current and potential vendors.
Certification will require passing an assessment conducted by a third party organization; those seeking the highest levels of certification may be assessed directly by the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA). The cost of the certification has not yet been established, but the DoD has said that they expect it to scale with the required level of security readiness.
Cyber requirements for certain higher-level contractors will begin rolling out in June of this year. By 2026, the cybersecurity certification will be required of all contractors at all levels.
The purpose of the new cybersecurity certification
The DoD has been working on the new cybersecurity certification system for roughly a year. The CMMC framework was prompted by a number of data breaches that impacted national security and originated with federal contractors, chiefly the late 2018 breach of the DoD’s travel record system. That attack exposed the personal information and payment card information of about 30,000 military and civilian personnel.
The DoD recognized a need to not just screen primary contractors more thoroughly, but to give equal attention to the secondary and tertiary subcontractors that those companies employ. Information that is not classified but still considered sensitive, categorized as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), often makes its way down the chain of contractors to a point where it is not adequately protected.
The new cybersecurity certification will not require all defense contractors to meet the most rigorous standards. It establishes five different levels that contractors will be required to meet for each contract. The level that they must be certified at depends upon the information they will be handling for that particular job, and they must ensure that any subcontractors with access to this information are operating at that level as well. Subcontractors in the DoD supply chain will be required to obtain their own independent certifications even if the parent contractor is certified at a higher level.
A breach or compromise will not be automatic grounds to remove a certification, but a government program manager will review the incident and may opt to do so.
Will there be any relief for smaller defense contractors?
The first and most basic level has been characterized by DoD Chief Information Security Officer (CISO) Katie Arrington as meeting standards of basic cyber hygiene – things like changing passwords regularly and having updated antivirus software running. The first level will be required of anyone handling FCI, while the third level of the cybersecurity certification will be required of anyone handling CUI. The most advanced levels of the certification are reserved for defense contractors handling information that is expected to be targeted by advanced persistent threat (APT) hacking groups backed by nation-states, generally considered the most capable cyber threats in the world.
Under Secretary of Defense for Acquisition and Sustainment Ellen Lord stated that the DoD is aware that the cost of certification could be burdensome for small and medium businesses, and will be working with those businesses to ensure that they can meet compliance standards. The department offered CMMC compliance training to 5,200 small business defense contractors last year and anticipates running similar programs in the future. DoD also plans to provide assistance directly to larger contractors to pass on to their smaller subcontractors.
The new CMMC requirements will replace the current system of 110 cybersecurity standards that defense contractors are required to self-attest to. Each level of certification has a comparable set of “practices” that must be complied with; the two lowest levels have only 17 and 72 respectively. Small businesses that are legitimately meeting most or all of their current 110 requirements thus might actually see a cost reduction under this plan.
How to prepare
Defense contractors that expect to be in the fourth or fifth classification (those that are expected to be targeted by APT groups) should be prepared to obtain the cybersecurity certification by September of this year. The terms will only apply to new contracts.
Organizations will be certified by independent groups called C3PAOs subject to regulations preventing conflict of interest, whom organizations will pay directly. Neither initial or renewal costs have been determined as of this writing, but Arrington stated that a cost of “thousands” of dollars for the lowest level of certification would be “missing the mark.”
The cost of certification will also be an “allowable cost,” along with many other cybersecurity expenses that relate to meeting the new cybersecurity requirements. This means that these costs can eventually be reimbursed, although they will still represent a significant up-front expense.
The training will be available at the Defense Acquisition University’s website sometime this summer. Defense contractors that feel they may need assistance with the cybersecurity certification process should contact one of the DoD’s Procurement Technical Assistance Centers.