Paul Netopski

FAR & DFARS: Procurement Power


Demystifying DoD Cybersecurity Requirements in Federal Contracts

This episode dives into the Federal cybersecurity requirements all DoD contractors must understand, including prohibitions on certain technologies, the CMMC framework, and the assessment process for compliance. Our hosts break down the legal clauses, practical impacts, and real-world implementation challenges for suppliers and contractors.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

Prohibited Technologies in DoD Contracts – Section 889 and Its Impact

Eric Marquette

Welcome back to the Procurement Federal Acquisition Supplement & Defense Federal Acquisition Supplements Clauses podcast. I'm Eric Marquette, and today we're diving into the world of DoD cybersecurity requirements in federal contracts. Ruby, Paul, great to have you both here. Let's kick things off with something that's tripped up more than a few contractors—Section 889 of the FY19 NDAA. This is the one that prohibits certain telecommunications and surveillance equipment, right?

Ruby Sturt

Yeah, that's the one! Section 889, implemented at FAR 4.21, basically says, “No Huawei, no ZTE, no Dahua, no Hytera, and no Hangzhou.” And not just the main companies, but their subsidiaries and affiliates too. It’s not just about what you buy directly—if your supplier’s part has a restricted chip, you’re in trouble. I remember my team once got totally confused because a supplier’s widget had a component from a restricted source. We had to scramble to verify every part. It’s a nightmare if you don’t have a clear process for checking this stuff.

Paul Netopski

That’s a common scenario, Ruby. The interim FAR rules—889(a)(1)(A) and (B)—make it clear: you can’t contract with entities using or providing covered equipment or services. And it’s not just big contracts. Even purchases with Governmentwide Commercial Purchase Cards are covered. There’s specific guidance for cardholders to ensure compliance, so it’s not something you can just ignore for small buys. The DPC even rolled out robotic process automation in SAM to help with verification, but ultimately, the responsibility sits with the contractor to do a reasonable inquiry.

Eric Marquette

And if you’re not sure, you need to make that annual representation—affirming you don’t use any of the banned tech. If you get it wrong, it’s not just a slap on the wrist. You could lose the contract or face penalties. So, having a robust verification mechanism is absolutely essential. Ruby, your story really highlights why this isn’t just a box-ticking exercise.

Ruby Sturt

Exactly. And honestly, the confusion is real. If you don’t have a system for tracking your supply chain, you’re just hoping for the best. That’s not a great strategy when the stakes are this high.

Chapter 2

Core Cybersecurity Clauses – DFARS 252.204-7012 & 252.204-7020, and NIST SP 800-171

Paul Netopski

Let’s move to the core cybersecurity clauses—DFARS 252.204-7012 and 252.204-7020. These are the backbone for safeguarding Controlled Unclassified Information, or CUI, and for incident reporting. The 7012 clause requires contractors to implement NIST SP 800-171 on their systems and to report cyber incidents. The 7020 clause adds the requirement for assessments—Basic, Medium, or High—using the DoD’s methodology. The Basic Assessment is a self-assessment, but Medium and High are government-led, and the results go into the Supplier Performance Risk System, or SPRS.

Eric Marquette

Paul, I always get a bit muddled on the difference between those assessment levels. The Basic is self-done, but what triggers a Medium or High assessment?

Paul Netopski

Good question, Eric. The Basic is required for all, and it’s valid for three years. The government may trigger a Medium or High assessment based on the sensitivity of the contract or if there are concerns about your security posture. Medium involves a document review and some discussion, while High is much more in-depth—on-site, with demonstrations and interviews. The confidence level in your score goes up with each level. And, importantly, you can’t get a contract award without a current assessment posted in SPRS.

Ruby Sturt

I’ve seen small manufacturers get tripped up here. One client thought a self-assessment was enough, but they didn’t realize they had to post the results in SPRS. Once they figured that out, their compliance score improved, and they were able to keep bidding. It’s not just about doing the work—it’s about documenting it and making sure it’s visible to the government.

Paul Netopski

Exactly, Ruby. If you’re not in SPRS, you’re invisible to the DoD. And if you’re a subcontractor, you need to make sure your prime knows you’re compliant, too. The flow-down requirements are strict—if you’re handling CUI, you need to be assessed and documented.

Chapter 3

CMMC Framework – Raising the Bar for Supply Chain Security

Eric Marquette

So, building on that, let’s talk about the Cybersecurity Maturity Model Certification, or CMMC. This is the new kid on the block, and it’s raising the bar for everyone in the DoD supply chain. The CMMC framework was created to address gaps in the old self-attestation model. Now, you need a third-party certification at the level required by your contract, and you have to maintain it for the duration of the contract.

Paul Netopski

Right. CMMC is layered—Level 1 is basic safeguarding, Level 2 is a stepping stone, and Level 3 and above are for organizations handling CUI or more sensitive data. Each level adds more practices and process maturity. The phased rollout means not every contract requires CMMC yet, but by October 2025, it’ll be everywhere except for COTS items. And, just like with NIST assessments, your certification status is tracked in SPRS.

Ruby Sturt

And don’t forget, the CMMC requirement flows down to subs, too. If you’re a prime, you need to make sure your subs are certified at the right level before you award them work. I’ve seen teams get caught out because they assumed their subs were covered, but they weren’t. It’s a supply chain thing, not just a prime contractor thing.

Eric Marquette

Absolutely. And when you’re negotiating subcontracts, it’s worth clarifying who’s responsible for what. I’ve helped teams adapt their contract templates to spell out CMMC responsibilities, timelines, and evidence requirements. It’s a lot easier to negotiate up front than to scramble when an audit is looming.

Paul Netopski

That’s a great point, Eric. The CMMC framework is all about verification and accountability. If you’re not ready, you’re not getting the work. It’s that simple.

Chapter 4

Implementing and Maintaining Cybersecurity Compliance

Paul Netopski

Let’s talk about implementation. To meet CMMC requirements, you need a comprehensive cybersecurity plan. That means mapping out specific controls, procedures, and documentation practices that align with your required CMMC level. It’s not just a one-time thing—you need to keep it updated as your systems and risks evolve.

Ruby Sturt

And you’ve gotta have a continuous monitoring system. That’s not just a fancy dashboard—it’s regular checks, vulnerability scans, and prompt remediation when you find issues. If you wait for the annual review, you’re already behind. I always tell clients, “Don’t let your first audit be the first time you look for problems.”

Eric Marquette

Training is another big one. Everyone on your team needs to know the basics of cybersecurity, especially if you’re handling CUI. I’ve seen organizations trip up because someone clicked a phishing link or didn’t follow the right process. Regular training, refreshers, and clear policies make a huge difference in staying compliant and secure.

Paul Netopski

Exactly. Adherence to standards like NIST SP 800-171 and CMMC isn’t just for the IT folks. It’s an organization-wide responsibility. If you don’t have buy-in from the top down, you’re going to struggle to maintain compliance.

Chapter 5

Preparing for CMMC Audits and Certification

Eric Marquette

So, you’ve got your plan and your monitoring in place—now what about the audit? Before the official CMMC assessment, it’s smart to do a pre-assessment audit. You can use your own team or bring in a third-party consultant to spot gaps. The goal is to find and fix issues before the real auditors show up.

Paul Netopski

And once you’ve identified those gaps, you need a detailed remediation plan. Prioritize the critical vulnerabilities and make sure your fixes align with the CMMC level you’re targeting. Don’t just patch things randomly—target your improvements so you’re ready for the specific requirements of your audit.

Ruby Sturt

And document everything. I mean, everything. Policies, procedures, training records, incident response logs—if you can’t show it, it didn’t happen. Auditors want to see evidence, not just hear that you’re doing the right thing. I’ve seen teams breeze through audits because they had their documentation in order, and others get stuck because they couldn’t find the right files.

Eric Marquette

That’s so true. Good documentation is your best friend in an audit. It shows you’re not just compliant on paper, but in practice.

Chapter 6

Engaging with Certification Bodies and Maintaining Compliance Momentum

Paul Netopski

Once you’re ready for certification, it’s important to engage with an accredited CMMC Third-Party Assessment Organization, or C3PAO, early. Scheduling can be a bottleneck, especially as more companies seek certification. Building that relationship ahead of time can help you avoid delays.

Ruby Sturt

And keep a detailed record-keeping system. Log every cybersecurity activity, every training session, every incident response. When the auditors come, you want to be able to pull up evidence quickly. It’s not just about passing the audit—it’s about being able to prove you’re doing the work, day in and day out.

Eric Marquette

A compliance calendar is a lifesaver, too. Track your assessment deadlines, policy reviews, and training refreshers. Cybersecurity standards evolve, and you don’t want to miss a deadline or let your certification lapse. Staying organized keeps you ahead of the curve and ready for whatever comes next.

Paul Netopski

Continuous adherence is the name of the game. Don’t let compliance become a once-a-year scramble. Make it part of your regular business rhythm.

Chapter 7

Integrating Cybersecurity into Contract Management

Eric Marquette

Let’s wrap up by talking about contract management. Cybersecurity compliance needs to be baked into your contract review process. That means checking for CMMC levels, incident reporting clauses, and making sure your obligations are clear before you sign anything.

Paul Netopski

And when you’re onboarding new suppliers, use a checklist to verify their cybersecurity capabilities. Don’t just take their word for it—make sure they meet the required standards before you bring them into your supply chain. It’s a lot easier to prevent problems than to fix them after the fact.

Ruby Sturt

A dashboard for ongoing contract performance is a game-changer. If you can flag compliance issues early, you can intervene before they become major headaches. It’s all about proactive management—don’t wait for a crisis to start paying attention to cybersecurity.

Eric Marquette

That’s a great note to end on. Cybersecurity isn’t just an IT issue—it’s a contract management issue, a supply chain issue, and a business issue. Thanks, Paul and Ruby, for another insightful discussion. And thanks to our listeners for joining us as we demystified DoD cybersecurity requirements in federal contracts. We’ll be back soon with more on procurement, compliance, and everything in between. Take care, everyone!

Ruby Sturt

Thanks, Eric! Thanks, Paul! Catch you all next time—don’t forget to check your supply chain!

Paul Netopski

Thanks, Ruby, Eric. Stay secure, everyone. See you on the next episode.