Cybersecurity - DFARS 252.204-7012/NIST 800-171 Compliance (CMMC)

Are you a small-to-medium-sized manufacturer that is also a DoD contractor?  You might be eligible for a funding opportunity!

UTCIS has been awarded an Office of Local Defense Community Cooperation grant to assist small to medium sized manufacturers in assessing and implementing cyber hygiene practices that enable compliance with DFARS 252.204-7012/NIST 800-171 security control requirements.

Contact your local Solutions Consultant to learn more


Did You Know?

If your company sells products to the U.S. government, you are required to comply with the minimum cybersecurity standards set by FAR 52.202.21. If your company produces products used by the Department of Defense (DoD), you may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS).


  • FAR 52.202.21: Requires government contractors to follow 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI). 

  • DFARS 252.204-7012: Requires contractors with CUI to follow NIST SP 800-171, report cyber incidents, report cybersecurity gaps

  • DFARS 252.204-7019 (interim): Requires primes and subcontractors to submit self-assessment of NIST 800-171 controls through the Supplier Performance Risk System (SPRS)

  • DFARS 252.204-7020 (interim): Requires primes and subcontractors give the DoD access to their infrastructure to verify the self-assessment (via DMCA); requires contractors roll requirements down to subcontractors

  • DFARS 252.204-7021 (interim): Rolling out of the Cybersecurity Maturity Model Certification program over 5 years



CMMC will be gradually included in DoD contracts at a rate that is controlled by the Under Secretary of Defense for Acquisition and Sustainment. By October 1, 2025, all DoD contracts, except commercial off-the-shelf and micro-purchases, will require a Cybersecurity Maturity Model Certification prior to DoD contract award. This will be a “go/no-go” criteria in the selection process which means that your proposal will be rejected if it does not include the required CMMC level.

If you’re like many manufacturers, you may not know everything that is expected or even how to get started. To make this process easier, UTCIS has assembled a team of cybersecurity experts to help ensure you are compliant with the standards described in NIST Special Publication 800-171. Additionally, you could attend one of our cybersecurity workshops to learn the DoD cybersecurity requirements, to be exposed to resources to help you become compliant and to meet local cybersecurity providers. 

UT CIS's experienced team has designed a comprehensive four-step cybersecurity process. This is intended to help you gauge your current situation, and then tailor a plan specifically for your company’s internal capabilities, budget, and time sensitivity.

Four-Step Cybersecurity Program:

Step 1: Discovery – an assessment of your company’s practices related to current DoD standards. A gap assessment will be completed to document the scope to be remediated.

Step 2: Remediate to Meet New Standard – supports all fixes necessary for compliance. Sample work could include updating firewalls, patches, policy development, employee training, physical security, network configuration, etc.

Step 3: Test and Validate – verifies all technology and physical security aspects are working properly.

Step 4: Monitoring/Reporting – establishes ongoing monitoring and scanning of the required enterprise network. Creates a working process to log, remediate, and report (as required) cyberattacks.


DON’T RISK BEING UNPREPARED! Contact your local Solutions Consultant to see how we can help.