Skip to main content



Did You Know?

  • 61% of experts in technology and policy predict a major cyberattack causing widespread harm will occur by 2025, according to a Pew Research Center report.
  • $445 billion is lost annually to cybercrime and espionage across the entire world economy, according to the Center for Strategic and International Studies.
  • 46,605 breaches of federal computer networks occurred in 2013 according to the US - Computer Emergency Readiness Team.

Now, do we have your attention?

All Department of Defense (DoD), General Services Administration (GSA), and NASA contractors must have met the Federal Acquisition Regulations (FAR) minimum cybersecurity standards as of December 31, 2017. If you are not compliant, your company is at risk of losing federal contracts.

On November 30, 2020, a second significant DoD cybersecurity contracting requirement became effective. The Defense Federal Acquisition Regulation Supplement (DFARs): Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) introduced three new DFARs clauses:

  1. DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
    1. This clause provides the requirement for a cybersecurity assessment to be completed prior to contract award and score entered in the Supplier Performance Risk System (SPRS).
  2. DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
    1. This clause includes the DoD assessment requirements for contractors.
  3. DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Level Requirement
    1. This clause describes the requirements for DoD’s new CMMC program.

CMMC will be gradually included in DoD contracts at a rate that is controlled by the Under Secretary of Defense for Acquisition and Sustainment. By October 1, 2025, all DoD contracts, except commercial off-the-shelf and micro-purchases, will require a Cybersecurity Maturity Model Certification prior to DoD contract award. This will be a “go/no-go” criteria in the selection process which means that your proposal will be rejected if it does not include the required CMMC level.

If you are a manufacturer who makes a product unique to DoD specifications, you most likely need CMMC Level 3. CMMC Level 3 takes many months to attain, so don’t wait to get started!

If you’re like many manufacturers, you may not know everything that is expected or even how to get started. To make this process easier, Purdue MEP has assembled a team of cybersecurity experts to help ensure you are compliant with the standards described in NIST Special Publication 800-171. Additionally, you could attend one of our cybersecurity workshops to learn the DoD cybersecurity requirements, to be exposed to resources to help you become compliant and to meet local cybersecurity providers. 

Purdue MEP’s experienced team has designed a comprehensive four-step cybersecurity program. This is intended to help you gauge your current situation, and then tailor a plan specifically for your company’s internal capabilities, budget, and time sensitivity.

Four-Step Cybersecurity Program:

  • Step 1: Discovery – an assessment of your company’s practices related to the new standard. If necessary, a gap analysis will be completed to document the scope to be remediated.
  • Step 2: Remediate to Meet New Standard – supports all fixes necessary for compliance. Sample work could include updating firewalls, patches, policy development, employee training, physical security, network configuration, etc.
  • Step 3: Test and Validate – verifies all technology and physical security aspects are working properly.
  • Step 4: Monitoring/Reporting – establishes ongoing monitoring and scanning of the required enterprise network. Creates a working process to log, remediate, and report (as required) cyberattacks.

Why is it important to determine the correct cyber compliance level for your company?

Determining the correct cyber compliance level for your company could potentially save tens of thousands of dollars and months of work. It is based on the information that you receive and must protect. Click here to learn more.






Gene Jones
Gene Jones
Senior Program Manager, Cybersecurity and Defense

Contact Us



Return to main content

Purdue Manufacturing Extension Partnership, 550 Congressional Blvd., Suite 140, Carmel, IN 46032, (317) 275-6810

© 2023 Purdue University | An equal access/equal opportunity university | Copyright Complaints | Maintained by Manufacturing Extension Partnership

Trouble with this page? Disability-related accessibility issue? Please contact Manufacturing Extension Partnership at