Contractors hoping to land a job with the federal government will soon have to prove their information security chops in order to be in the running. 

In 2026, the U.S. Department of Defense will mandate that most potential government contractors have at least a Level 2 Cybersecurity Maturity Model Certification. While the certification is a mouthful, it basically boils down to contractors demonstrating that they can adequately protect unclassified, but potentially risky, government information. 

That could be anything from personally identifiable information of employees to the color of paint used on fighter jets, said Matt Paulson (pictured right), an instructor with Network Management Technology, part of Weber State University’s School of Computing. 

The year 2026 is really just around the corner, Paulson said. That’s especially true because businesses who might not have a strong understanding of information security will still need to meet those standards. Further, small businesses will need to figure out how people who perform multiple roles will be able to take this on. 

“It seems really far away right now, but, boy, it’s not,” he said.

Preparation for CMMC involves two parts: NIST 800-171 and the actual certification. Paulson estimates that it will take approximately a year for businesses to finish the NIST 800-171 portion, which involves creating an information security checklist for your business. The certification itself regards implementing the checklist, and several levels of certification can be reached. Level 1 indicates a potential contractor has identified the information that must be secured and taken basic steps to protect it. Level 2 indicates improved documentation, establishing processes and following them. Level 3 organizations are proactive in identifying and mitigating known risks and vulnerabilities. Different government contracts require different certifications. 

Paulson recognizes that many of the businesses seeking contract work aren’t information security experts, and they don’t have to be. 

“A lot of folks aren’t going to know what they’re supposed to be protecting,” he said. “This is going to help clarify what the information is and what they need to do to protect it.”

WSU is planning to offer two courses to help people prepare for the new mandates. The first, offered in partnership with Strong Connexions, will provide an introduction to CMMC and guide participants through the creation of their NIST 800-171 documents. 
The second course, offered by WSU only, will focus on obtaining the actual certification. To learn more and request more information on either course, visit WSU’s web page on NIST 800-171 and fill out the form at the bottom.