UW Research

December 17, 2020

Department of Defense Contracts: Preparing for Cybersecurity Requirements

Information about the Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) requirements and when they impact DoD contracts at the UW.

When will Cybersecurity Maturity Model Certification be Required?

Beginning November 30, 2020, the DoD will incorporate requirements for Cybersecurity Maturity Model Certification (CMMC) into selected Requests for Proposals (RFPs), Requests for Information (RFIs), and research contracts. By October 1, 2025, all DoD contracts will require CMMC certification to Level 1, at a minimum.

How do I know if CMMC is required?

CMMC is required for your project activity when both of the following conditions are met:

  1. If your DoD contract includes any of these regulations:

AND

  2. You will be handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

When CMMC applies, the security Level of your IT system environment used for the project must also be CERTIFIED in the DoD Supplier Risk Performance System (SPRS).

Unsure about the Level that applies to your project?

Consult with your DoD program contact at the agency sponsoring your project.

Steps Necessary to Meet DoD IT Security Requirements

Review the IT security requirements you may need to have in place:

  • Level of IT security (1 low – 5 high) will be indicated within the Request for Proposal (RFP) or communicated by the Contracting Officer, if issuing a modification.
  • Meet with your IT and Department Administrator
  • Track any costs to implement – these are allowable costs you can charge to the award, if built into the Business portion of your DoD contract proposal

Responding to a new DoD Contract Solicitation?

At proposal submission stage:

  • Prepare your eGC1
  • Attach your Business and Technical proposal
  • Include in your budget the costs to achieve IT security compliance and to complete the Assessment
    • Provide the back-up documentation on these costs
  • Unable to complete your Assessment by the time of proposal, but intend to?
    • Use this language in your Business section of the proposal with your costing/pricing data explanation: “The Offeror intends to have the Level 1 Basic Assessment complete prior to issuance of the contract. Confirmation via the SPRS will be available prior to the anticipated proposed start date”.
    • Remember to include the costs in your estimates!