The DoD Instructs Project Managers to Consider Cybersecurity When Awarding Contracts

The DoD announced the rollout of the CMMC in January 2020, and since then, there has been a flurry of activity as contractors attempt to bring their cybersecurity standards up to scratch.

Currently, industry players are focusing on the requirements of DoD Instruction 5000.90, entitled “Cybersecurity for Acquisition Decision Authorities and Program Managers.” This document asks DoD program managers to take the cybersecurity level of contractors into account during contract negotiations. The implication is that the Department of Defense is more likely to award work to outsourcing firms that fully meet the standards.

How the DoD Is Taking CMMC Security into Account When Awarding Contracts

Many DoD contractors have spent years building up close relationships with officials, slowly gaining their trust over time. However, that old way of securing contracts may be coming to an end with the CMMC rollout—at least in part.

Now, even firms with longstanding relationships may be out of the running for contracts if they fail to meet the security level required for their contract work. And upstart rivals with better cybersecurity hygiene could take their place.

Program managers, the DoD officials who allocate and oversee contractor work, are being instructed to take a holistic view of a contractor’s cybersecurity maturity during the deliberation phase. So if a PM believes that a contractor’s security arrangements are inadequate, they may pass the work over to a rival bidder.

To make the new system airtight, the DoD also holds PMs responsible for the decisions they make. If they award work to contractors who do not meet the requisite CMMC standards, there may be personal ramifications.

The breadth and scope of cybersecurity requirements under the CMMC are expanding. The DoD no longer sees it as a box-checking exercise. Going forward, companies must prove to independent assessors that they have the necessary cyber hygiene tools in place. Anything less is potentially a threat to national security.

What Cybersecurity Traits Are Program Managers Looking For When Awarding DoD Contracts? 

Understandably, contractors are very interested in the type of security arrangements that program managers want to see. Already, contractors must complete a 110-step self-assessment and POA&M, reporting the results to the SPRS. But there are additional factors program managers are looking for when assessing the current level of cybersecurity competence. 

These include whether the contractor is implementing:

  • A supply chain risk management system
  • A risk management framework 
  • Ongoing cyber threat analysis and evaluation
  • Periodic mock hacking attempts to assess the quality of current cybersecurity defenses
  • Security programs that protect all aspects of operational security
  • Tools that enable protection against all currently known threats to data integrity
  • Plans of action to mitigate any future security breach


These aspects are just the main factors that PMs will assess when considering a contractor for work. Firms that can prove their cybersecurity readiness will give themselves a distinct competitive advantage during contract negotiations. But they will need to go beyond mere box-checking and demonstrate genuine CMMC compliance, cybersecurity maturity, and competence in threat mitigation.

Chris Turn