Cybersecurity Requirements

DBEDT is offering two free programs to help Hawaii-based companies and organizations become cyber ready.


  • Cyber Ready Hawaii is a free program designed to train entry-level cybersecurity professionals to lead and support Hawaii’s small to medium-sized businesses and nonprofits through a cyber readiness program that focuses on cybersecurity hygiene and basic safeguarding measures required to meet federal contracting requirements. For more information about the program visit
  • The Hawaii Defense Economy Cyber Compliance Education Program by eResilience is available to current, Hawaii-based DOD contractors and subcontractors requesting more in-depth information and assistance related to DOD cybersecurity contracting requirements. The program includes an online webinar to help DOD contractors and subcontractors understand, differentiate and navigate various cybersecurity contracting mandates, as well as provides free consulting assistance to select contractors handling Controlled Unclassified Information (CUI). To access this program visit

Cybersecurity Requirements for DoD Contractors

The threats facing DoD’s unclassified information have dramatically increased as the department is relying on external service providers to help carry out a wide range of missions and business functions using information systems. Many contractors process, store, and transmit sensitive federal information to support the delivery of products and services, e.g. providing financial services; providing web and electronic mail services; processing security clearances or healthcare data; providing cloud services; and developing communications, satellite, and weapons systems. The protection of Controlled Unclassified Information (CUI) residing in contractor systems (nonfederal organizations) is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.

Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 requires DoD contractors, including small businesses, to provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure. National Institute of Standards and Technology (NIST) special publication SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. Although these requirements may initially seem overwhelming, small businesses can use this framework to divide the project into small, manageable segments and work toward attaining compliance.

Small manufacturers are often seen as an easy entry point into larger businesses and government agencies. With limited resources and budgets, small manufacturers need cybersecurity guidance, solutions, and training that is practical, actionable, cost-effective and helps manage their cybersecurity risks. NIST’s Manufacturing Extension Partnership (MEP) & INNOVATE Hawaii offer resources to protect your business.

Additional cybersecurity guidance can be found at the following:

Cybersecurity Maturity Model Certification

DoD’s Cybersecurity Maturity Model Certification (CMMC) program is a new set of cybersecurity standards to protect defense companies from cyber-attacks. The CMMC program will require certification for all companies doing business or who want to do business with DoD. Certified Third-Party Assessment Organizations (C3PAO) will certify companies against the different CMMC standards/levels. All companies on contract with the DoD will need at least CMMC Level 1 certification.