In Focus Resource Center > Insights

DoD Mandate and the Impact on YOUR Company

By now, Department of Defense contractors or sub-contractors should be well aware of the cybersecurity mandates that been sweeping across the defense industry over the past several years. Back in 2015 the U.S. Department of Defense (DoD) published the Defense Acquisition Federal Regulation Supplement (DFARS) which mandated private DoD contractors and/or subcontractors adopt cybersecurity standards according to the NIST SP 800-171 cybersecurity framework to protect Controlled Unclassified Information (CUI). In 2017, Citrin Cooperman hosted a webinar to explain the CUI/DFARS compliance requirements and steps companies would need to take to validate compliance by December 31, 2017.

Since that time, the DoD has come to the realization that despite all efforts, many contractors have either chosen to put off compliance or have falsely claimed to be in compliance on DoD contracts and were later found to be non-compliant. Because of this lag in cybersecurity compliance and the increasing risk of cyber-attacks, the DoD has released the Cybersecurity Maturity Model Certification (CMMC) to ensure appropriate levels of cybersecurity controls and processes are adequate and in place to protect controlled unclassified information (CUI) on DoD contractor and sub-contractor systems.

What type of companies are required to be compliant with CUI/DFARS and pass the CMMC audit?

There are hundreds of thousands of domestic and foreign entities and subcontractors that perform work for the DOD. These entities may provide research services; develop, design, produce, deliver, or maintain products or parts used by the DoD; or provide defense related services, such as, equip, inform, mobilize, deploy, and sustain forces conducting military operations worldwide.

What does this mean for companies who are DoD contractors or sub-contractors?

All DoD contractors and sub-contractors will need to become CMMC Certified by passing a CMMC audit to verify they have met the appropriate level of cybersecurity for their business.

DoD will deploy certified third-party assessor organizations (C3PAO) to conduct audits on DoD contractor and sub-contractor information systems to verify their businesses have met the appropriate level of cybersecurity controls.

Based on the audit, the DoD will award a certification Level of 1-5 to the businesses, if they comply with 100% of the controls for a given Level.

What are the steps you need to take to be audit ready?

The first step towards certification is for the contractors and sub-contractors to have a third-party Readiness Assessment to see what work needs to be done to meet the minimum requirements in the CMMC. Without understanding the gaps in compliance, it is impossible for a company to know the changes they need to make to meet the requirements. Based on the gaps found in the Readiness Assessment, remediation plans should be created that define the steps and actions the company will need to follow to obtain compliance. Once the company is 100% compliant, they can move forward with the C3PAO audit to obtain their CMMC certification.

What you should know about Citrin Cooperman’s ability to assist you?

The Manufacturing Extension Partnership (MEP) Centers nationwide have been on a mission to bring guidance and training to assist manufacturers in understanding the urgency of this looming deadline.

In 2017, Citrin Cooperman was selected as 1 of 6 recommended vendors by Polaris MEP, TPAC, and SENEDA in Rhode Island and Connecticut to perform readiness assessments and help with remediation.

Citrin Cooperman’s Technology, Risk Advisory, and Cybersecurity (TRAC) practice is pursing becoming a C3PAO third-party assessor company for CMMC.

Stay tuned for upcoming events:

TRAC will be hosting a CMMC series webinars in the near future.


Any DoD contractor or vendor that is subject to DFARS clause 252.204.7012 is mandated to demonstrate compliance with NIST SP 800-171 for Department of Defense (DoD) Federal Acquisition Regulations Supplement (DFARS) requirements, commonly called CUI/CTI. This mandate applies to the entire supply chain (including small subcontractors), and there are no extensions. The initial round of audits will begin June 2020 for a select number of DoD programs. From October 2020 and beyond, DoD contractors and subcontractors will need to be certified by a C3PAO in order to bid on new work.

Contact us to learn more:

Suzanne Miller

Shawn Howard

Sirena Johnson

Our specialists are here to help.

Get in touch with a specialist in your industry today.

* Required

* I understand and agree to Citrin Cooperman’s Privacy Notice, which governs how Citrin Cooperman collects, uses, and shares my personal information. This includes my right to unsubscribe from marketing emails and further manage my Privacy Choices at any time. If you are a California Resident, please refer to our California Notice at Collection. If you have questions regarding our use of your personal data/information, please send an e-mail to