Leonardo DRS believes in working with customers, colleagues, and suppliers to mitigate cyber risks
Global cybercrime is expected to grow by over 15% annually over the next five years, reaching $10.5 trillion USD by 2025. Intellectual Property (IP) theft accounts for one of the largest portions of overall global cybercrime. The Department of Defense (DoD) is working with industry partners to safeguard Controlled Unclassified Information (CUI) and to ensure products are delivered uncompromised through the implementation of the Cybersecurity Maturity Model Certification (CMMC).
Preparing for CMMC
If you are a Leonardo DRS supplier supporting DoD programs and are not exclusively providing COTS items, you will be required to meet the CMMC requirements flowed down to you under DFARS 252.204-7021.
While the phased rollout of CMMC is expected to take place over the next year and a half, DoD Program Management Offices can enter the clause into new contracts as well as executed contract options based on the sensitivity of the program.
- DRS suppliers who do not receive Controlled Unclassified Information (CUI) but do receive Federal Contract Information (FCI) will be required to meet the requirements of CMMC Maturity Level 1.
- DRS suppliers who receive CUI are required to meet the requirements of CMMC Maturity Level 2 and obtain certification from a Certified Third-Party Auditing Organization (C3PAO). To prepare for CMMC Maturity Level 2, your organization must:
Engage with a C3PAO as soon as possible
C3PAOs currently have a backlog of Organizations Seeking Certification (OSCs). It is highly recommended that you begin engaging with C3PAOs as soon as your organization meets the necessary requirements. Please note that achieving CMMC Maturity Level 2 is a pre-award requirement. Do not wait for the contract clause to flow down before starting the certification process.
All accredited C3PAOs are listed on the CyberAB Marketplace.
Be DFARS 7012 compliant (This is how:)
- Implement NIST SP 800-171 requirements on your information system and document an implementation strategy for each of the 110 requirements in a System Security Plan (SSP).
- Ensure that your next-tier subcontractors do the same by obtaining attestation through a Certs and Reps form.
- Report any unauthorized disclosure of Controlled Technical Information (CTI) to DIBNet within 72 hours of discovery.
- Ensure that any cloud service providers processing, storing, or transmitting CUI are FedRAMP Moderate authorized or have an equivalent certification.
Have a System Security Plan (per NIST 800-171 3.12.4) (This is how:)
- Develop, document, and periodically update a System Security Plan (SSP) that describes system boundaries, details how each NIST SP 800-171 requirement is implemented, and explains relationships or connections to other systems.
- If the implementation of NIST SP 800-171 requirements is incomplete, contractors must develop and implement Plans of Action and Milestones (POA&M) to describe when and how any unimplemented security requirements will be addressed.
- Note: For CMMC, POA&M items must be resolved within six months.
Be compliant with DFARS 7019, 7020, and 7021 (This is how:)
- At a minimum, conduct a basic self-assessment of your NIST SP 800-171 implementation using the NIST SP 800-171A assessment objectives, in accordance with the NIST SP 800-171 DoD Assessment Methodology, and upload your score to the DoD Supplier Performance Risk System (SPRS).
- Reassess at least every three years and update your SPRS score accordingly.
- Ensure that next-tier subcontractors perform the same assessment and provide attestation via a Certs and Reps form.
CMMC Frequently Asked Questions
The Cybersecurity Maturity Model Certification (CMMC), as established in 32 CFR Part 170, is a federal program led by the Department of Defense (DoD). It is designed to assess and enforce cybersecurity standards—such as NIST SP 800-171—for contractors and subcontractors who handle sensitive, unclassified information.
Registered Practitioner Organizations (RPOs) certified by CyberAB are the best resource for organizations seeking technical assistance in preparing for CMMC. RPOs are experts in the CMMC framework and are authorized to help your organization implement the required cybersecurity controls.
A complete listing of RPOs is available on the CyberAB Marketplace.
Registered Practitioner Organization (RPO):
An RPO is a certified organization authorized by CyberAB to provide technical consulting and advisory services to help companies prepare for CMMC assessments. RPOs assist with implementing cybersecurity controls, conducting gap analyses, and preparing organizations to meet CMMC requirements, but they do not perform official certifications.
Certified Third-Party Assessment Organization (C3PAO):
A C3PAO is an accredited organization authorized by CyberAB and the DoD to conduct formal CMMC assessments and certifications. They perform the official evaluations to verify that an organization meets the required maturity level and issue the certification.
In short: RPOs help you prepare; C3PAOs certify your compliance.
DFARS 252.204-7012 mandates the implementation of specific cybersecurity controls to protect Controlled Unclassified Information (CUI). The CMMC framework provides a standardized mechanism to verify and validate that these controls have been properly implemented.
The Department of Defense (DoD) has made cybersecurity a foundational requirement in its acquisition process and is transitioning to a model that validates suppliers’ cybersecurity posture and programs. The Cybersecurity Maturity Model Certification (CMMC) provides the framework and methods to ensure that DoD suppliers are effectively protecting sensitive information as required.
No, a CMMC Maturity Level 2 self-assessment is valid only for contractors handling “Basic” CUI. As a DRS Supplier, the Controlled Unclassified Information (CUI) you receive falls under one or more types of “Specified” CUI, which requires a formal assessment by a C3PAO to achieve Maturity Level 2 certification.
Using the scoring methodology outlined in 32 CFR Part 170.24, organizations scoring between 88 and 109 may be granted CMMC Maturity Level 2 (Conditional) status for up to 6 months while identified deficiencies are addressed. To achieve CMMC Maturity Level 2 (Final) certification, a perfect score of 110 is required.
Given the rapidly evolving nature of the CMMC landscape, the most reliable sources of information are the governing body CyberAB and the DoD CIO’s official CMMC resource page. Additionally, your organization may benefit from engaging with a CyberAB Registered Practitioner Organization (RPO), which can be found on the CyberAB Marketplace.
DFARS Frequently Asked Questions
Effective December 31, 2017, DFARS Clause 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is a Department of Defense (DoD) regulation requiring contractors to safeguard Controlled Technical Information (CTI). This is achieved by implementing the cybersecurity controls outlined in NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
Commonly known as the “Cyber Clause,” DFARS 7012 was established in response to growing cybersecurity threats and data breaches within the Defense Industrial Base (DIB), aiming to strengthen the protection of sensitive defense-related information.
Key Elements of DFARS Clause 252.204-7012
- Safeguard Controlled Unclassified Information (CUI) wherever it is stored or processed, in accordance with NIST SP 800-171* requirements.
- Report any unauthorized disclosure of Controlled Technical Information (CTI) to DIBNet within 72 hours of discovery.
- Ensure all Cloud Services that store, transmit, or process CUI are authorized at the FedRAMP Moderate level.
- Verify that subcontractors in the supply chain are also compliant by obtaining their certifications and representations (Certs and Reps) attesting to adherence.
*Note: There is a class deviation for DFARS 252.204-7012 which specifies NIST SP 800-171 Revision 2 to align with the current version of CMMC.
Navigate to icf.dcise.cert.org and report the incident. This site will generate a .xml file that you will download and email to DC3 via encrypted email. For questions regarding reporting, email [email protected]
DFARS Clause 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) and DFARS Clause 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements) are Department of Defense (DoD) regulations that require contractors and subcontractors to conduct cybersecurity assessments of their information systems using the DoD NIST SP 800-171 Scoring Methodology.
Additionally, these clauses mandate that organizations post their assessment scores in the Supplier Performance Risk System (SPRS) to provide visibility into their cybersecurity posture.
DFARS Clause 252.204-7021: “Cybersecurity Maturity Model Certification Requirements” is a Department of Defense (DoD) regulation that mandates contractors and subcontractors to maintain an active CMMC certification at the required maturity level.
Note: As of May 2025, this clause is under revision and will be updated as part of forthcoming rule changes to 48 CFR.
If any of the aforementioned DFARS clauses (including 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021) have been flowed down through your contract with DRS, these requirements apply to your organization. Additionally, they may also apply to your suppliers if they handle Controlled Unclassified Information (CUI), regardless of their geographical location.
If a subcontractor or supplier must receive, store, or handle Controlled Unclassified Information (CUI) during the performance of a contract, the applicable DFARS clause for Safeguarding CUI and the corresponding CMMC requirements must be flowed down to that subcontractor or supplier.
CUI Frequently Asked Questions
According to the National Archives, Controlled Unclassified Information (CUI) refers to data that requires safeguarding and dissemination controls in accordance with U.S. government laws and regulations.
Currently, there are 20 CUI categories and 125 subcategories that require protection, as defined by Executive Order 13556 – Controlled Unclassified Information, signed by President Obama on May 7, 2008.
In accordance with DFARS 252.204-7012, Covered Defense Information (CDI) is classified as Controlled Technical Information (CTI). CTI refers to information with a specific military or space application that is subject to stringent controls regarding its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
CUI stands for Controlled Unclassified Information, which is a broad category of sensitive information that requires safeguarding and dissemination controls under U.S. government regulations.
CTI stands for Controlled Technical Information, which is a specific category within CUI that pertains to technical data with military or space applications subject to stricter control requirements.
DFARS 7019 & 7020 Assessment Frequently Asked Questions
In accordance with DFARS 252.204-7020, there are three levels of cybersecurity assessments—Basic, Medium, and High—which differ in the depth of the assessment and the confidence level in the resulting score:
- Basic Assessment: A self-review conducted by the contractor.
- Medium Assessment: Conducted by the U.S. Government.
- High Assessment: Also conducted by the U.S. Government, with greater rigor.
Before engaging with a C3PAO for a CMMC assessment, you will be required to have completed a Basic Assessment.
A Basic Assessment consists of a self-review of all 110 security requirements outlined in NIST SP 800-171, validating that each requirement has been fully implemented based on the contractor’s System Security Plan (SSP).
To conduct a basic assessment:
- Verify that you meet each assessment objective for the controls, as detailed in NIST SP 800-171A.
- It is recommended to use all three assessment methods during your review: Interview, Observe, and Test.
During a CMMC audit, a C3PAO will select two of these methods to verify the implementation of each control.
In accordance with DFARS 252.204-7020, Basic Assessment scores must be uploaded to the Supplier Performance Risk System (SPRS) to maintain full compliance with the clause.
The Basic Assessment is a self-review and self-attestation by the contractor of compliance with the 110 security requirements outlined in NIST SP 800-171, as required by DFARS 252.204-7020.
Per DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements), there is no minimum score required for a Basic Assessment (self-review).
However, a minimum score is required for CMMC compliance under the relevant CMMC requirements, which are separate from the 7019 clause.
A System Security Plan (SSP) documents a contractor’s description of how each of the 110 security requirements outlined in NIST SP 800-171 is implemented, including the current implementation status for each requirement.
For any security requirement not yet implemented, an entry must be made in the Plan of Action & Milestones (POA&M), detailing how and when the requirement will be addressed and brought into compliance.
POA&M items must be closed within 6 months for compliance with CMMC.
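As an added example (not part of the Leonardo DRS page and not a DoD or CyberAB tool), the following Python script computes an SPRS-style score from SSP entries and applies the Maturity Level 2 thresholds stated in the CMMC FAQ above (110 for Final, 88 to 109 for Conditional) together with the six-month POA&M window described here. The per-requirement weights of 1, 3 or 5 come from the DoD Assessment Methodology, but the assignment of weights to the placeholder requirement ids and the SSP contents themselves are constructed for this example; the six-month window is approximated as 180 days, and the further restrictions in 32 CFR 170.24 on which requirements may carry a POA&M at all are not modelled.

```python
"""SPRS score and CMMC Level 2 status check over a System Security Plan.

Added illustration; the SSP data, requirement ids and weight assignment
are constructed, not the real NIST SP 800-171 weight table.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

TOTAL_REQUIREMENTS = 110            # NIST SP 800-171 Rev 2 requirements
MAX_SCORE = 110                     # perfect score: every requirement implemented
CONDITIONAL_MIN = 88                # 88..109 may be granted Level 2 (Conditional)
POAM_WINDOW = timedelta(days=180)   # "six months" approximated as 180 days (assumption)
VALID_WEIGHTS = {1, 3, 5}           # weights used by the DoD Assessment Methodology


@dataclass
class Requirement:
    """One NIST SP 800-171 requirement as recorded in the SSP."""
    req_id: str
    weight: int                      # 1, 3 or 5
    implemented: bool
    poam_due: Optional[date] = None  # POA&M milestone date when not implemented


def sprs_score(reqs: List[Requirement]) -> int:
    """Start at 110 and subtract the weight of every unimplemented requirement."""
    return MAX_SCORE - sum(r.weight for r in reqs if not r.implemented)


def poam_findings(reqs: List[Requirement], assessed_on: date) -> List[str]:
    """Ids of unimplemented requirements whose POA&M is missing or due after the window."""
    deadline = assessed_on + POAM_WINDOW
    return [
        r.req_id
        for r in reqs
        if not r.implemented and (r.poam_due is None or r.poam_due > deadline)
    ]


def level2_status(reqs: List[Requirement], assessed_on: date) -> str:
    """Apply the page's thresholds: 110 -> Final, 88..109 with timely POA&Ms -> Conditional."""
    if len(reqs) != TOTAL_REQUIREMENTS:
        raise ValueError(f"SSP must cover all {TOTAL_REQUIREMENTS} requirements")
    bad_weights = [r.req_id for r in reqs if r.weight not in VALID_WEIGHTS]
    if bad_weights:
        raise ValueError(f"invalid weight on {', '.join(bad_weights)}")

    score = sprs_score(reqs)
    if score == MAX_SCORE:
        return "Level 2 (Final)"
    if score < CONDITIONAL_MIN:
        return f"Not eligible: score {score} is below {CONDITIONAL_MIN}"
    late = poam_findings(reqs, assessed_on)
    if late:
        return "Not eligible: POA&M missing or due beyond six months for " + ", ".join(late)
    return "Level 2 (Conditional)"


def build_sample_ssp(gaps: Dict[str, Optional[date]]) -> List[Requirement]:
    """Constructed sample SSP: 110 placeholder requirements, all implemented except `gaps`.

    `gaps` maps a placeholder id (REQ-001 .. REQ-110) to its POA&M due date, or None
    when no POA&M entry exists. Weights are assigned by a made-up pattern.
    """
    reqs = []
    for n in range(1, TOTAL_REQUIREMENTS + 1):
        req_id = f"REQ-{n:03d}"                                  # placeholder, not a 3.x.y id
        weight = 5 if n % 10 == 0 else (3 if n % 3 == 0 else 1)  # constructed weight pattern
        if req_id in gaps:
            reqs.append(Requirement(req_id, weight, False, gaps[req_id]))
        else:
            reqs.append(Requirement(req_id, weight, True))
    return reqs


if __name__ == "__main__":
    today = date(2025, 1, 15)  # constructed assessment date
    scenarios = {
        "fully implemented": {},
        "two gaps with timely POA&Ms": {"REQ-001": date(2025, 3, 1), "REQ-003": date(2025, 4, 1)},
        "gap without a POA&M entry": {"REQ-010": None},
        "five 5-point gaps": {f"REQ-{n:03d}": date(2025, 6, 1) for n in (10, 20, 30, 40, 50)},
    }
    for name, gaps in scenarios.items():
        ssp = build_sample_ssp(gaps)
        print(f"{name}: score {sprs_score(ssp)} -> {level2_status(ssp, today)}")
```

The status check deliberately evaluates the score before the POA&M dates: a score below 88 is disqualifying regardless of how the remaining items are scheduled, whereas a score in the 88 to 109 range is only conditional on every open item having a milestone inside the window.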
Yes. Assessment scores can be edited or updated after being submitted, as the NIST SP 800-171 security requirements are being implemented by the contractor.