Wednesday, May 13, 2026

U.S. Department of Defense Tightens Screws on Cybersecurity Compliance - JD Supra

The U.S. Department of Defense (DoD) recently released a memorandum signaling its increasing willingness to review contractor compliance with cybersecurity standards in its contracts and take action against noncompliant contractors.

It is no secret that DoD has been working toward ensuring that contractors are compliant with the cybersecurity standards necessary to secure information critical to this nation's defense. Although the Cybersecurity Maturity Model Certification (CMMC) program will take a few more years to fully roll out, DoD is looking for ways to ensure that contractors handling Covered Defense Information (CDI) have systems that are compliant with the cybersecurity standards found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. One way DoD has done this was to release a new requirement in November 2020 that mandated contractors enter a score into the Supplier Performance Risk System (SPRS) reflecting their current compliance with the 110 controls in NIST SP 800-171. This is embodied in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7019 and 252.204-7020.

Of course, prior to CMMC and SPRS, DoD released DFARS 252.204-7012, which requires contractors, among other things, to comply with the 110 security controls in NIST SP 800-171. DoD has struggled to ensure this requirement, which has been in some contracts since 2016, has been followed. In fact, the CMMC program is a direct response to DoD's...



Read Full Story: https://www.jdsupra.com/legalnews/u-s-department-of-defense-tightens-7182438/