Cybersecurity Services for
DoD Government Contractors

DoD Cybersecurity Requirements for Government Contractors

With the new DFARS update, the DoD will be enforcing cybersecurity requirements on all government contractors. The original NIST 800-171 was the cybersecurity requirement for government contractors that processed Controlled Unclassified Information (CUI). With the release of the Cybersecurity Maturity Model Certification (CMMC) all DoD contractors will need to meet at least a CMMC Level 1 certification, which is basic cyber hygiene. In fact, the FAR clause 52.204-21 already included these cybersecurity requirements for government contractors. 

Totem takes pride in offering affordable solutions for these cybersecurity requirements for small to mid-sized prime and subcontractors.  We also provide assistance for prime contractors needing to secure their supply chain. 

Manufacturing cybersecurity requirements in government contracting

What do these cybersecurity requirements look like for government contractors?

Most of you have heard of the DFARS 7012 cybersecurity requirement through your prime contractors. All government contractors that work within the DoD supply chain will eventually have to be certified with a Level 1 CMMC. However, contracts will vary in their cybersecurity requirements by different maturity levels (CMMC Level 1 – Level 5).  These cybersecurity requirements flow down to all government contractors, and if a contract requires a Level 4 certification, then many of the subcontractors working on that contract will need that same certification level. The required certification level isn’t based upon how far down the supply chain you are but about the information you are handling.   

Your prime contractor may have requested that you fill out an 800-171 questionnaire using a system such as Exostar. This is expected. It’s the prime contractors’ responsibility to notify their subs of the cybersecurity requirement for all government contractors and to define what types of information must be considered Controlled Unclassified Information. If, as a sub, you aren’t sure if you process Controlled Unclassified Information or what information is covered, make sure to inquire with your prime; it’s their job to tell you. They may not be able to tell you exactly which types of information are Controlled Unclassified Information, but keep pressing them to find out. 

Specifying exactly which data and information is critical to the first step in protecting Controlled Unclassified Information. The type of CUI you process will determine which CMMC level is your cybersecurity requirement as a government contractor. 

Totem provides assistance with these cybersecurity requirements for all government contractors.

Interactive DFARS Cybersecurity Workshops

Totem's interactive cybersecurity compliance workshops are a hybrid between a traditional classroom setting and on-site consulting. During the workshop, you work side-by-side with one of our cybersecurity engineers to develop your custom System Security Plan to meet these cybersecurity requirements. We help you create policies and procedures that work for your business and meet your compliance regulations.

Webinar Cybersecurity Training for Business

DFARS Webinars

Totem assists government contractors around the United States with these strict cybersecurity requirements. Our online webinar series has been a great resource for government contractors who can't afford a consultant to come on-site or can't travel to one of our compliance workshops. We understand learning online doesn't provide the same hands-on experience, but we do our best to offer the same interaction we provide in our face-to-face cybersecurity trainings and on-site consulting.

Cybersecurity Requirements for prime Government contractors

Online DFARS Cybersecurity Training

Defense contractors are finding themselves overwhelmed trying to understand the ever-changing cybersecurity requirements. Our online DFARS cybersecurity educational series provides your business with 18 lessons in CMMC/NIST 800-171 compliance. This series is spread over seven weeks. At the end of seven weeks, one of Totem's cybersecurity engineers will provide a compliance assessment using the DoD Assessment Methodology.


Totem’s Cybersecurity Compliance Management Software takes the headache out of complying to the hundreds of assessment objectives required for the DoD. The software makes these cybersecurity requirements easier for government contractors to manage. It helps with the creation and management of your System Security Plan, Plan of Action and Milestones, and Incident Response Plan. Contract us to receive a free 30 day trial.

What do these Cybersecurity Requirements look like for
Prime Government Contractors?

The vast majority of, if not all, DoD prime contractors process some sort of Controlled Unclassified Information (CUI) and must abide by these cybersecurity requirements. Prime contractors—“primes”—have historically had a difficult time extracting from their DoD program management offices exactly what information is considered Controlled Unclassified Information. That’s because the DoD hasn’t adopted the Controlled Unclassified Information process as efficiently as it could have. (It’s understandable: the DoD has its hands full classifying and protecting SECRET and TOP SECRET information.)  

For a while, it was up to the primes to guess what information was considered Controlled Unclassified Information. Of late; however, DoD contractor officers have begun including language in solicitations and contracts specifying what information is considered Controlled Unclassified Information. It currently looks like the cybersecurity requirement for government contractors possessing CUI will be CMMC Level 3, 4, or 5.  

When the process is perfected, all contracts will include a Security Classification Guide (SCG) or equivalent, which dictates classification, marking, and handling requirements for all information types processed under the contract. If, as a prime, your contract does not currently provide an SCG, ask for one—it’s the DoD’s duty to provide one.

Primes are also required to flow down the DFARS 7012 / NIST 800-171 / CMMC cybersecurity requirements to their sub contractors that process Controlled Unclassified Information (CUI), and these subcontractors are likewise required to flow down these cybersecurity requirements to their vendors and suppliers. This has not been an easy process for prime contractors.

How does Totem assist prime contractors in preparing their sub contractors for these cybersecurity requirements?

Cybersecurity Requirements for prime Government contractors


Don’t let Google be the only resource your supply chain has access to while they try to navigate these complex cybersecurity requirements. The Totem DFARS Cybersecurity 101 Educational Series consists of 18 lessons spread over a seven week period. The lessons were created so any government contractor can understand these cybersecurity requirements. At the end of week seven, contractors receive a compliance assessment using the DoD Assessment Methodology. Prime contractors can set up their own custom promo code with Totem to provide this cybersecurity education to their supply chain at no cost to them or their sub-contractors.

small business cybersecurity requirements for government contractors


Totem’s Interactive DFARS Cybersecurity Workshop provides contractors a hybrid solution between traditional classroom education and consulting services. Government contractors sit down with experienced cybersecurity engineers and develop their own custom SSP, POA&M, and IRP to meet these cybersecurity requirements. Our focus is to help government contractors create cybersecurity policies and procedures that work for their organization while also meeting the DoD’s cybersecurity requirements. After the 2-day workshop, contractors receive 30 days of additional support. Work with Totem and sponsor a workshop for the critical contractors in your supply chain.


Totem’s Cybersecurity Compliance Management Software makes complying with these cybersecurity requirements easier for government contractors. Large prime contractors can use it over multiple programs, and, if needed, with multiple System Security Plans (SSP).

The software also has the ability to give Prime Contractors oversight of these cybersecurity requirements within their government contractor supply chain.