UW Research

July 20, 2020

Department of Defense Requirement for Cybersecurity Maturity Measure Certification

The DoD released Cybersecurity Maturity Model Certification (CMMC) version 1.0 on January 31, 2020 as the first step in a program to establish basic cybersecurity hygiene and enhance protections for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) in DoD-funded research.

Beginning November 1, 2020, DoD will incorporate requirements for Cybersecurity Maturity Model Certification into Requests for Proposals (RFPs), Requests for Information (RFIs), and research awards.

DoD contract awards will require certification, to Level 1 at a minimum, and there is an associated cost. There will be an updated Defense Federal Acquisition Regulations (DFARS) clause included in the resulting contract that requires certification by the awardee that the Level is met.

If you plan to respond to a DoD RFP or RFI, please note:

  • You must have adequate cybersecurity measures in place according to the Maturity Level ¬†established by DoD. This required Level will be noted in the RFP or RFI.
  • Implementation of these measures must be certified by an accredited 3rd party (external to UW). This is known as a Cybersecurity Maturity Model Certification (CMMC)
  • You may include the costs to implement these measures as a direct cost in your proposal budget, with proper substantiation of cost.

We expect that 3rd party certification will be required in order for UW to accept the DFARS clause in the DoD contract. However, DoD may require certification at time of proposal, in which case your proposal will not move forward without the 3rd party certification in place.


This announcement was sent to PIs who have submitted proposals to the DoD or currently have DoD funding, their Administrative Contact, and departmental IT Advocates.