Your company just landed its first DoD contract. Congratulations. Now you need to figure out what DoD contractor cybersecurity actually requires, and the clock is ticking. What you're about to discover is that defense contractor cybersecurity isn't just "regular security plus a checklist." It's a different operating model, backed by regulations that carry real enforcement teeth and contract language that can cut off revenue if you don't deliver.
I've worked with dozens of companies making this transition. The pattern I see most often: leadership assumes their existing security program will mostly suffice, they'll just "add CMMC" or "get the certification." Then they talk to an assessor, or worse, they get the first POAM rejection from a contracting officer, and reality sets in. Defense work means operating under DFARS clauses, preparing for CMMC assessments, understanding when FedRAMP applies, and potentially connecting to DIBNet. None of these are mere formalities.
This article walks through what new defense contractors actually need to understand about DoD contractor cybersecurity requirements, where the regulatory frameworks overlap, and how to approach implementation without wasting six months going in the wrong direction.
DFARS 7012: The Foundation Everything Else Builds On
If you're handling Covered Defense Information (CDI), you're operating under DFARS clause 252.204-7012. This isn't optional. It flows down through prime contractors to every subcontractor whose work involves CDI, and the deadline for full implementation of its security requirements passed on December 31, 2017. The clause requires you to implement the security requirements in NIST SP 800-171, report cyber incidents to DoD within 72 hours of discovery, and submit any malware recovered during an incident to the DoD Cyber Crime Center (DC3) for analysis.
NIST SP 800-171 Revision 2, the version DFARS 7012 and the current CMMC rule point to, contains 110 security requirements across 14 families: access control, incident response, system and communications protection, and eleven others. (Revision 3, published in 2024, restructures the set into 97 requirements across 17 families; until DoD adopts it by rule, you assess against Rev 2.) These aren't aspirational guidelines. They're contractual obligations. When you sign a contract with DFARS 7012 incorporated, you're representing that you've implemented these requirements or have a Plan of Action and Milestones (POA&M) to close the gaps.
The assessment methodology matters here. DFARS 252.204-7019 and -7020 require a current NIST SP 800-171 DoD Assessment, at minimum a Basic (self) Assessment, before award. You start at 110 and subtract points for every requirement that is not implemented: 5, 3, or 1 depending on the requirement's weight, so the score can fall as low as -203. Partial credit exists for only two requirements, multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11); anything else that is partially done scores as not implemented. Your final score goes into the Supplier Performance Risk System (SPRS), together with the date by which you expect to reach 110, and contracting officers can see it. A score below 110 doesn't automatically disqualify you from all contracts, but it raises questions, and you need a documented POA&M for every gap.
What CDI Actually Means
Covered Defense Information is unclassified controlled technical information, or other information listed in the CUI Registry, that requires safeguarding or dissemination controls and that DoD provides to you or that you generate in performance of the contract. If you're designing parts, reviewing specifications, accessing technical data packages, or handling performance characteristics of defense systems, you're touching CDI. The scope question becomes critical: which systems and networks process, store, or transmit this information?
I see companies make two mistakes here. First, they scope too broadly and try to bring their entire enterprise into 800-171 compliance, which is expensive and often unnecessary. Second, they scope too narrowly, isolating CDI on a single laptop or air-gapped system, which creates workflow problems that employees route around within weeks. The right scope protects CDI effectively while acknowledging how your business actually operates.
CMMC: The Certification Requirement That Changes Enforcement
CMMC 2.0 shifts DoD contractor cybersecurity from pure self-attestation to third-party assessment for many contractors handling CUI. The program has three levels, but most defense contractors will fall into Level 2, which maps to the same 110 NIST 800-171 requirements you're already obligated to implement under DFARS 7012. The difference is enforcement. For contracts that call for Level 2 certification, you no longer self-assess and upload a score; a Certified Third-Party Assessment Organization (C3PAO) validates your implementation. (A Level 2 self-assessment variant exists for some contracts, but the requirements and the evidence expectations are identical, and a senior official must affirm the result annually.)
The CMMC assessment looks at the same 110 requirements from 800-171, graded against the 320 assessment objectives in NIST SP 800-171A, and a requirement counts as met only when every one of its objectives is met. The evidence standards are more rigorous than a self-assessment. Assessors want to see artifacts: policy documents, configuration screenshots, logs demonstrating monitoring is happening, evidence that incident response procedures have been tested. "We do that" doesn't satisfy the requirement. "Here's the documented procedure, here's the configuration backup, here's the test results from our last tabletop exercise" does.
Level 1 covers the 15 basic safeguarding requirements of FAR 52.204-21 and is always an annual self-assessment with an affirmation by a senior official. Level 3 adds 24 requirements drawn from NIST SP 800-172 for the most sensitive programs, presupposes a Level 2 certification, and is assessed by the government (DCMA's DIBCAC) rather than a C3PAO. Most contractors entering defense work will start at Level 2. Understanding which level applies to your contracts determines your timeline and budget.
The POA&M Reality
CMMC 2.0 permits a conditional Level 2 certification with open POA&M items, but the rules in 32 CFR 170.21 are narrow. Your assessment score must be at least 88 of 110. Only requirements worth 1 point may be left open; the sole exception is FIPS-validated cryptography (3.13.11), which may sit on the POA&M if it is partially implemented and assessed at 3 points. The five Level 2 requirements that mirror Level 1 safeguarding (external connections, publicly posted information, visitor escort, physical access logs, and physical access devices) can never be deferred, and Level 1 itself allows no POA&M at all. Every open item must be closed and verified in a closeout assessment within 180 days, or the conditional status lapses. The idea that you can indefinitely defer difficult controls is wrong.
From a practical standpoint, if you're nine months away from needing CMMC certification, and you have 20 control gaps, you're not getting compliant on time with POA&Ms. You're redesigning your environment, changing how you handle authentication, implementing endpoint detection and response, segmenting networks, or moving CDI to a compliant cloud environment. Those are infrastructure projects, not paperwork exercises.
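The scoring arithmetic above and the POA&M eligibility rules in the previous section are easy to get wrong when you are staring at a spreadsheet of gaps, so here they are as code. This is an added example written for this article, not a DoD tool and not something the article's author published. The WEIGHTS table is a constructed subset of the 110 requirements; the point values are assumed from Annex A of the DoD Assessment Methodology and should be confirmed there before you rely on them. The gap list in the demo is likewise constructed.

```python
"""Added example: score a NIST SP 800-171 self-assessment the way the DoD
Assessment Methodology does, then sort open gaps into "must close before the
CMMC assessment" and "may sit on a 180-day POA&M" per the Level 2 rules in
32 CFR 170.21. Constructed illustration; WEIGHTS is a subset with assumed
Annex A values, not the official table.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

PERFECT_SCORE = 110          # NIST SP 800-171 Rev 2 has 110 requirements
POAM_FLOOR = 88              # 32 CFR 170.21: score / 110 must be >= 0.8
POAM_CLOSEOUT_DAYS = 180     # conditional status lapses after this

# Points deducted when a requirement is not implemented (subset, assumed values).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.20": 1,   # verify and control connections to external systems
    "3.1.22": 1,   # control CUI posted on publicly accessible systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.6.3": 1,    # test the incident response capability
    "3.8.4": 1,    # mark media with CUI markings
    "3.10.3": 1,   # escort and monitor visitors
    "3.10.4": 1,   # maintain physical access audit logs
    "3.10.5": 1,   # control and manage physical access devices
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
}

# Only these two requirements earn partial credit: implemented for some but not
# all users/data deducts 3 instead of 5. Any other "partial" scores as unmet.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Level 2 requirements that mirror Level 1 safeguarding; never allowed on a POA&M.
NEVER_ON_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
# The single >1-point requirement a POA&M may carry, and only at partial credit.
POAM_EXCEPTION = "3.13.11"


@dataclass(frozen=True)
class Gap:
    req: str
    partial: bool = False

    def deduction(self) -> int:
        if self.req not in WEIGHTS:
            raise KeyError(f"{self.req}: not in the WEIGHTS subset; add its Annex A value")
        if self.partial and self.req in PARTIAL_DEDUCTION:
            return PARTIAL_DEDUCTION[self.req]
        return WEIGHTS[self.req]


def can_defer_to_poam(gap: Gap) -> bool:
    """32 CFR 170.21(a)(2): 1-point items only, never the Level 1 mirrors,
    with 3.13.11 at partial credit as the lone exception."""
    if gap.req in NEVER_ON_POAM:
        return False
    if gap.deduction() == 1:
        return True
    return gap.req == POAM_EXCEPTION and gap.partial


@dataclass
class RemediationPlan:
    sprs_score: int                        # today's Basic Assessment score
    score_if_only_poam_items_open: int     # score once must-close items are fixed
    must_close_before_assessment: list[str]
    may_defer_to_poam: list[str]

    @property
    def conditional_certification_possible(self) -> bool:
        # Conditional Level 2 status needs >= 88 with nothing non-deferrable open.
        return self.score_if_only_poam_items_open >= POAM_FLOOR


def plan_remediation(gaps: list[Gap]) -> RemediationPlan:
    must_close, may_defer = [], []
    for gap in gaps:
        (may_defer if can_defer_to_poam(gap) else must_close).append(gap)
    return RemediationPlan(
        sprs_score=PERFECT_SCORE - sum(g.deduction() for g in gaps),
        score_if_only_poam_items_open=PERFECT_SCORE - sum(g.deduction() for g in may_defer),
        must_close_before_assessment=[g.req for g in must_close],
        may_defer_to_poam=[g.req for g in may_defer],
    )


def poam_closeout_deadline(conditional_cert_date: str) -> str:
    """ISO date by which every POA&M item must be verified closed."""
    start = date.fromisoformat(conditional_cert_date)
    return (start + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()


if __name__ == "__main__":
    # Constructed gap list for a small contractor nine months out from assessment.
    gaps = [
        Gap("3.5.3", partial=True),    # MFA enforced for admins only
        Gap("3.13.11", partial=True),  # TLS everywhere, but modules not FIPS-validated
        Gap("3.3.1"),                  # no central audit logging
        Gap("3.1.20"),                 # no inventory of external connections
        Gap("3.6.3"),                  # IR plan written, never exercised
        Gap("3.8.4"),                  # media unmarked
    ]
    plan = plan_remediation(gaps)
    print(f"SPRS score today: {plan.sprs_score}")   # 96
    print("Close before the C3PAO arrives:", plan.must_close_before_assessment)
    print("May ride a 180-day POA&M:", plan.may_defer_to_poam)
    print("Conditional Level 2 possible:", plan.conditional_certification_possible)
    print("Closeout deadline if certified 2025-01-01:", poam_closeout_deadline("2025-01-01"))
```

The point the demo makes is the one the text makes: a respectable-looking score of 96 still leaves three items (partial MFA, missing audit logging, uncontrolled external connections) that cannot ride a POA&M, so they are the infrastructure work to start first; only the three 1-point items and the partially implemented FIPS requirement can be deferred, and even those have a hard 180-day closeout.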
Need to Brief Leadership on Defense Contractor Security?
Carl delivers keynotes that translate CMMC, DFARS, and DoD cybersecurity requirements into strategic context executives and boards can act on—without the vendor spin or compliance theater.
Book Carl to Speak
DIBNet and the Threat Intelligence Sharing Ecosystem
DIBNet (dibnet.dod.mil) is the DoD portal every contractor under DFARS 7012 ends up using, because mandatory cyber incident reports are filed through it. The voluntary program behind the same portal, the DIB Cybersecurity (DIB CS) Program, isn't a compliance requirement in the same way DFARS or CMMC are, but it's becoming an expectation for contractors working on sensitive programs. It provides enhanced cybersecurity services: threat intelligence sharing, malicious traffic filtering, and enhanced visibility into attacks targeting defense contractors.
Participation historically required a DoD facility clearance; DoD broadened eligibility in 2024 to any contractor that owns or operates an unclassified system processing CDI, so most 7012 contractors can now join the information-sharing side. The traffic-filtering service is the part that isn't trivial. It means routing your internet traffic through an approved commercial service provider, potentially moving to a managed services model, and accepting some loss of direct control over perimeter security in exchange for DoD-provided threat intelligence and traffic scrubbing.
The value proposition depends on your threat profile. If you're manufacturing widgets with minimal digital interaction with DoD systems, DIBNet may be overhead without proportional benefit. If you're developing software for weapons systems, accessing classified networks, or holding sensitive technical data that adversaries actively target, DIBNet's enhanced monitoring and intelligence sharing becomes more valuable. The pattern I see: contractors wait until a contracting officer asks about DIBNet participation, then scramble to understand what it requires. Better to evaluate it early, understand the costs and architectural changes, and make an informed decision before it becomes an urgent contract requirement.
When FedRAMP Enters the Picture
FedRAMP governs cloud services used by federal agencies. For defense contractors it enters through DFARS 7012 itself: paragraph (b)(2)(ii)(D) says that if you use an external cloud service provider to store, process, or transmit CDI, the provider must meet security requirements equivalent to the FedRAMP Moderate baseline and must comply with the clause's incident reporting, malware submission, media preservation, and damage assessment requirements. A FedRAMP Moderate or High authorization satisfies the baseline half directly. Claiming "equivalency" without an authorization has been a much harder path since DoD's December 2023 equivalency memo, which expects a 3PAO-assessed body of evidence matching what an authorized provider would hold. So if you're moving email, file sharing, or project management systems to the cloud and those systems will handle defense information, you need a provider that can show one or the other; meeting those standards yourself is almost never the economical choice.
The key distinction: FedRAMP authorizes cloud providers. CMMC certifies defense contractors. If you're using Microsoft 365 GCC High or Azure Government, those environments carry FedRAMP High authorizations. You still need to configure them correctly, implement your own access controls, train your users, and get your CMMC certification. The FedRAMP authorization means the underlying infrastructure meets federal security standards; it doesn't certify your use of that infrastructure.
I see confusion here frequently. A company moves to a FedRAMP-authorized environment and assumes that satisfies their CMMC obligations. It doesn't. You still need multi-factor authentication configured correctly, incident response procedures documented and tested, media sanitization processes for decommissioned equipment, and all the other 800-171 controls that apply to your organization, not just the cloud provider.
The Overlap Between FedRAMP and CMMC
Both FedRAMP and CMMC draw from NIST standards: FedRAMP from 800-53, CMMC from 800-171, which was itself derived from the 800-53 moderate baseline. There's significant overlap in what they require: encryption, access controls, audit logging, incident response. If you're hosting your own infrastructure on-premises, you implement these controls yourself. If you're using a FedRAMP-authorized cloud, the provider handles some controls (physical security, environmental controls, infrastructure redundancy), and you handle others (user authentication, data classification, application-layer security). The provider's customer responsibility matrix spells out which is which, requirement by requirement; get it early, because your CMMC assessor will ask for it and will hold you to everything it marks as the customer's job.
This shared responsibility model is where implementation goes wrong. Companies assume the cloud provider's authorization covers more than it does. Azure Government being FedRAMP High authorized doesn't mean your Azure tenant is configured to protect CUI. You need to enable the right services, disable risky features, configure conditional access policies, implement DLP, and verify that your configuration meets CMMC requirements. The authorization provides a compliant foundation; you still build the house.
The ITAR Dimension: When Export Controls Intersect with Cybersecurity
If your DoD contract involves defense articles or technical data covered by the International Traffic in Arms Regulations, cybersecurity requirements expand beyond NIST 800-171. ITAR doesn't prescribe specific technical controls, but it requires you to prevent unauthorized access and unauthorized transfers. That means understanding who has access to ITAR-controlled data, ensuring they're US persons or appropriately authorized foreign persons, and implementing technical controls to prevent inadvertent disclosure.
The cybersecurity intersection happens in several places. Cloud storage needs to restrict data to US regions with US-person administrators. Remote access systems need to verify user citizenship or authorization before granting access to ITAR data. Email systems need DLP rules that prevent sending technical data to unauthorized recipients. Backup and disaster recovery processes need to ensure ITAR data doesn't replicate to foreign data centers. One narrow relief valve: since 2020, 22 CFR 120.54 says that sending or storing unclassified technical data is not an export if it is end-to-end encrypted with FIPS 140-2 validated (or equivalent) cryptography, the means of decryption are never given to a foreign person, and the data is not intentionally stored in Russia or a country listed in 22 CFR 126.1. That carve-out only works if your key management actually keeps the keys in US-person hands, so it is a reason to design encryption carefully, not a reason to relax the other controls.
ITAR registration is the starting point, but the cybersecurity implementation is where most violations happen. An employee emails a technical drawing to a foreign national consultant without thinking about ITAR. A misconfigured cloud sync tool replicates files to a personal device. A former employee retains access to an ITAR repository after termination. These are violations that trigger investigations and penalties, and they stem from insufficient technical controls, not malicious intent.
Supply Chain Security and Flow-Down Requirements
If you're a subcontractor, you don't get to opt out of DoD contractor cybersecurity requirements just because you're not the prime. DFARS clauses flow down. CMMC requirements flow down. If the prime is handling CUI and you're receiving some of that data, you need the same Level 2 certification they do. The contract language should specify what flows down, but the absence of specific language doesn't eliminate the obligation if you're handling CUI or CDI.
Prime contractors are increasingly auditing their supply chains. They're asking for SPRS scores, CMMC roadmaps, evidence of 800-171 implementation, and contractual commitments about incident reporting. This isn't bureaucratic box-checking. Primes are liable for supply chain compromises. If a sub gets breached and CUI is exposed, the prime answers to the government. Defense supply chain security expectations are becoming more specific and more enforced.
The practical implication: if you're entering defense contracting as a small supplier, you need to budget for cybersecurity investment before you bid the contract. The cost to implement 800-171 controls and achieve CMMC certification isn't trivial. It involves technology purchases, process changes, potentially hiring expertise you don't have in-house, and ongoing monitoring and maintenance. Companies that assume they'll "figure it out after we win the work" often discover the compliance costs exceed their contract margin.
Building a Realistic Implementation Roadmap
You have a contract with DFARS 7012 or a pending CMMC requirement. Where do you actually start? The temptation is to hire a consultant who promises certification in 90 days, or buy a software platform that claims to automate compliance. Neither approach works if you don't understand your current state and the specific gaps you need to close.
Start with a gap assessment against NIST 800-171. This needs to be thorough, not aspirational. For each of the 110 requirements, and ideally each of the 320 assessment objectives in 800-171A that an assessor will actually test, document whether you've implemented it, partially implemented it, or not implemented it. Where you've implemented controls, identify the evidence you can show an assessor. A policy document that says "we encrypt data in transit" is a start, but the assessor will want to see configuration settings, certificate management procedures, and evidence that unencrypted protocols are disabled.
Prioritize Based on Risk and Contract Timeline
Not all gaps are equal. An unimplemented incident response plan is a bigger problem than lack of formal media sanitization procedures, though both are required. Your contract timeline dictates how aggressive your remediation schedule needs to be. If you need CMMC certification in six months, you're making different decisions than if you have 18 months.
The controls that take the longest to implement are usually architectural: network segmentation, centralized logging and monitoring, multi-factor authentication across all systems, endpoint detection and response. These aren't configuration changes; they're infrastructure projects. They require planning, budget, potential downtime, user training, and testing. Start these early.
Controls that depend on documentation and process—risk assessments, security awareness training, incident response procedures—are faster to implement but require organizational discipline to maintain. You can write an incident response plan in a week. Making sure everyone knows it, tests it, and follows it during an actual incident takes longer and requires ongoing reinforcement.
The Cloud vs. On-Premises Decision
Many contractors entering defense work decide to move CDI and CUI to a FedRAMP-authorized cloud environment rather than hardening on-premises infrastructure. This can be the right choice, but it's not automatically easier or cheaper. Cloud environments require different expertise. You're trading hardware management for configuration management, which means understanding identity and access management, security groups, encryption key management, and logging in a cloud-native context.
The advantage of cloud is that foundational controls—physical security, environmental controls, infrastructure redundancy, patch management for underlying systems—are handled by a provider who's already been assessed. The disadvantage is you lose some visibility and direct control. You're configuring security within the boundaries the cloud provider establishes. For some organizations, that trade-off makes sense. For others, especially those with significant existing on-premises infrastructure and in-house IT expertise, hardening what you have may be more practical.
Incident Reporting: The Requirement That Catches People Off Guard
DFARS 7012 requires contractors to report cyber incidents affecting CDI, or affecting a system that handles CDI, within 72 hours of discovery. This isn't limited to confirmed breaches. If you have evidence that an incident has occurred, or even a reasonable belief that CDI might have been compromised, you report it. You report to DoD at dibnet.dod.mil, and you submit malware found during the incident to the DoD Cyber Crime Center. Logging in to file that report requires a DoD-approved medium assurance certificate, which takes days to weeks to obtain; get it before you need it, because the 72-hour clock does not pause while you wait for a certificate.
The 72-hour clock starts when you discover the incident, not when you finish investigating it. That means you're often reporting incomplete information: "We detected unauthorized access to a system containing CDI, investigation ongoing, scope not yet determined." Companies uncomfortable with this level of uncertainty sometimes delay reporting until they have complete information, which violates the requirement and creates worse problems when the delay is discovered.
You also need to preserve forensic evidence and provide DoD access to affected systems and artifacts. The clause is specific: images of all known affected systems and all relevant monitoring and packet capture data must be preserved for at least 90 days from the date you submit the report, so DoD can decide whether it wants them for a damage assessment. This can conflict with your instinct to restore operations quickly. The contract requires you to balance operational recovery with evidence preservation, and there's no clear guidance on where that balance lies in every situation. The pattern I see: companies that have thought through incident response before an incident happens, including how they'll capture images before rebuilding and handle DoD reporting requirements, respond more effectively and with less panic than those figuring it out in real time.
Strategic Considerations for Leadership
DoD contractor cybersecurity requirements represent a cost of doing defense business. Leadership needs to understand that entering this market means sustained investment in security infrastructure, ongoing compliance maintenance, and potential restrictions on how you operate. These aren't one-time project costs you absorb during onboarding; they're permanent changes to your operating model.
The strategic question is whether defense contracting revenue justifies this investment. For some companies, the answer is clearly yes: defense work represents significant revenue, long-term contracts, and strategic positioning. For others, the compliance burden outweighs the opportunity, especially if defense represents a small percentage of overall business. There's no shame in deciding that defense work doesn't fit your business model. There's significant risk in committing to defense contracts without committing to the cybersecurity investment required to execute them properly.
If you're moving forward, budget realistically. A CMMC Level 2 certification project for a small contractor typically costs between $100,000 and $300,000 when you include gap remediation, technology purchases, consultant support, and the assessment itself. Larger organizations or those with significant gaps spend more. Ongoing maintenance—annual assessments, continuous monitoring, security training, tool subscriptions—adds recurring costs. These numbers need to be in your financial model before you bid contracts.
Finally, recognize that regulatory compliance in defense contracting is not a static target. CMMC is still being implemented. New DFARS clauses are proposed. Threat intelligence sharing programs like DIBNet are evolving. The security requirements you meet today will expand over the life of your defense business. Building an adaptable security program—one that can absorb new requirements without complete redesign—is more valuable than optimizing for today's checklist and hoping nothing changes.
Companies that treat DoD contractor cybersecurity as a strategic capability rather than a compliance obligation position themselves better. They invest in people who understand both security and defense requirements. They build relationships with C3PAOs and cloud providers before they're urgent needs. They contribute to industry groups working through implementation challenges. And they recognize that strong security, beyond satisfying contract requirements, protects intellectual property, operational continuity, and reputation in a market where security incidents can end your defense business entirely.