Cybersecurity Requirements for Government Contractors

Cybersecurity Services for
DoD Government Contractors

Feeling stressed about DFARS cybersecurity compliance?

Did you know that Totem knows first-hand how stressful these cybersecurity requirements are for government contractors? Totem was born from our parent company Haight Bey and Associates, a small DoD Prime Contractor. Even with cybersecurity as one of our core capabilities, the NIST 800-171 regulation left us scrambling to comply with limited resources.  After months of searching and not finding a great solution we decided to start our compliance journey in-house. It didn’t take long before our contracting peers were reaching out to us for help. We quickly found that we had a strong passion to keep small businesses compliant so they could continue their work with the DoD. This was the start of our Totem Offerings.

Now with the introduction of the Cybersecurity Maturity Model Certification (CMMC) along side of the NIST 800-171 cybersecurity requirement we are finding government contractors are even more stressed and confused. With our decades of experience securing government IT systems and managing our own (and our contracting peers) NIST 800-171 compliance, we are dedicated to simplify these cybersecurity requirements for you. 

What do these cybersecurity requirements look like for government contractors?

Most of you have heard of the DFARS 7012 cybersecurity requirement through your prime contractors. Your prime contractor may have requested that you fill out an 800-171 questionnaire using a system such as Exostar. This is expected. It’s the prime contractors’ responsibility to notify their subs of the cybersecurity requirement for all government contractors. However, until now they haven’t been great at flowing down these requirements to their sub contractors.

All government contractors that work within the DoD supply chain will eventually have to be certified with a CMMC Level 1 certification. However, contracts will vary in their cybersecurity requirements by different maturity levels from basic cybersecurity hygiene to cutting edge security (CMMC Level 1 – Level 5).  The DoD has started rolling out the CMMC and we should start seeing the certificate requirement in RFPs by the end of 2020.  It is estimated that is will take five years to be completely rolled out and to get every DoD contractor certified. 


If your company stores or processes Controlled Unclassified Information (CUI) then you must be compliant with the current NIST 800-171 cybersecurity requirement. If, as a sub, you aren’t sure if you process CUI or what information is covered, make sure to inquire with your prime; it’s their job to tell you. They may not be able to tell you exactly which types of information are Controlled Unclassified Information, but keep pressing them to find out. 

Specifying exactly which data and information is critical to the first step in protecting Controlled Unclassified Information. The type of CUI you process will determine if you need to be compliant now with the current cybersecurity requirement or once it rolls out, which CMMC level will be your cybersecurity requirement as a government contractor.  Even if you don’t process CUI, the CMMC is coming.  This cybersecurity requirement takes time to implement, so we recommend starting now and moving in a steady pace forward.

Totem provides assistance with these cybersecurity requirements for all government contractors.

cybersecurity consulting management


Totem's provides Security Assessments "gap analysis" on contractors IT system and their organization as a whole. We will measure the assessment against the NIST 800-171/CMMC requirements and help develop custom policies that fit the business needs and meet the requirement. 

Webinar Cybersecurity Training for Business


Totem assists government contractors around the United States with these strict cybersecurity requirements. Our online, live, virtual classroom course has been a great resource for government contractors who can't afford a consultant to come on-site or can't travel to one of our compliance workshops.

Cybersecurity Requirements for prime Government contractors


Defense contractors are finding themselves overwhelmed trying to understand the ever-changing cybersecurity requirements. Our online DFARS cybersecurity E-lesson series provides your business with 18 lessons about CMMC/NIST 800-171 compliance. This series will give you a complete understanding of the requirement. At the end of seven weeks, one of Totem's cybersecurity engineers will provide a compliance assessment using the DoD Assessment Methodology.


Totem’s Cybersecurity Compliance Management Software takes the headache out of complying to the hundreds of assessment objectives required for the DoD. The software makes these cybersecurity requirements easier for government contractors to manage. It helps with the creation and management of your System Security Plan, Plan of Action and Milestones, and Incident Response Plan. Contract us to receive a free 30 day trial.

What do these Cybersecurity Requirements look like for
Prime Government Contractors?

The vast majority of, if not all, DoD prime contractors process some sort of Controlled Unclassified Information (CUI) and must abide by these cybersecurity requirements. Prime contractors—“primes”—have historically had a difficult time extracting from their DoD program management offices exactly what information is considered Controlled Unclassified Information. That’s because the DoD hasn’t adopted the Controlled Unclassified Information process as efficiently as it could have. (It’s understandable: the DoD has its hands full classifying and protecting SECRET and TOP SECRET information.)  

For a while, it was up to the primes to guess what information was considered Controlled Unclassified Information. Of late; however, DoD contractor officers have begun including language in solicitations and contracts specifying what information is considered Controlled Unclassified Information. It currently looks like the cybersecurity requirement for government contractors possessing CUI will be CMMC Level 3, 4, or 5.  

When the process is perfected, all contracts will include a Security Classification Guide (SCG) or equivalent, which dictates classification, marking, and handling requirements for all information types processed under the contract. If, as a prime, your contract does not currently provide an SCG, ask for one—it’s the DoD’s duty to provide one.

Primes are also required to flow down the DFARS 7012 / NIST 800-171 / CMMC cybersecurity requirements to their sub contractors that process Controlled Unclassified Information (CUI), and these subcontractors are likewise required to flow down these cybersecurity requirements to their vendors and suppliers. This has not been an easy process for prime contractors.

How does Totem assist prime contractors in preparing their sub contractors for these cybersecurity requirements?

Cybersecurity Requirements for prime Government contractors


Don’t let Google be the only resource your supply chain has access to while they try to navigate these complex cybersecurity requirements. The Totem DFARS Cybersecurity 101 Educational Series consists of 18 lessons spread over a seven week period. The lessons were created so any government contractor can understand these cybersecurity requirements. At the end of week seven, contractors receive a compliance assessment using the DoD Assessment Methodology. Prime contractors can set up their own custom promo code with Totem to provide this cybersecurity education to their supply chain at no cost to them or their sub-contractors.

small business cybersecurity requirements for government contractors


Totem’s Interactive DFARS Cybersecurity Workshop provides contractors a hybrid solution between traditional classroom education and consulting services. Government contractors sit down with experienced cybersecurity engineers and develop their own custom SSP, POA&M, and IRP to meet these cybersecurity requirements. Our focus is to help government contractors create cybersecurity policies and procedures that work for their organization while also meeting the DoD’s cybersecurity requirements. After the 2-day workshop, contractors receive 30 days of additional support. Work with Totem and sponsor a workshop for the critical contractors in your supply chain.


Totem’s Cybersecurity Compliance Management Software makes complying with these cybersecurity requirements easier for government contractors. Large prime contractors can use it over multiple programs, and, if needed, with multiple System Security Plans (SSP).

The software also has the ability to give Prime Contractors oversight of these cybersecurity requirements within their government contractor supply chain.