Department of War Enforces New Cybersecurity Program to Safeguard Service Member Data

The Department of War (DoW) began implementation of a landmark cybersecurity program in November 2025 to better protect sensitive information across the U.S. defense industrial base called the Cybersecurity Maturity Model Certification (CMMC) program.

CMMC establishes a mandatory framework to ensure that thousands of companies contracting with the DoW have verified cybersecurity measures in place to protect the DoW data they handle.

The program is especially critical for securing the Personally Identifiable Information (PII) of service members and their families, particularly during the often-stressful Permanent Change of Station (PCS) process.

What is CMMC and Why is it Important for PCS?

The CMMC program functions as a verification mechanism, ensuring DoW contractors meet DoW cybersecurity standards. The CMMC program will require that a contractor’s leadership provide an assessment of their company’s compliance for CMMC levels 1 & 2.

This has a direct impact on the security of military families’ personal information. The PCS process, a regular part of military life, requires service members to share vast amounts of PII, including names, social security numbers, birthdates, telephone numbers, and financial details, with numerous third-party contractors that manage moving, travel, and housing. Without robust security measures in place, this sensitive data is a prime target for cybercriminals and foreign intelligence entities, potentially leading to identity theft and financial fraud.

"The CMMC program provides increased assurance to the DoW that a defense contractor can adequately protect sensitive unclassified information at a level commensurate with the risk," the Department stated in the rule. By mandating CMMC, theDoW ensures that any company involved in the PCS process must have a certified level of cybersecurity, directly protecting service members' personal data from being compromised.

How the CMMC Program Works

The CMMC framework is designed to be scalable, matching the level of certification required to the sensitivity of the information being handled.

• Tiered Levels:The program has multiple levels. A contractor handling basic Federal Contract Information (FCI) will need to comply with CMMC Level 1, which can be accomplished through a self-assessment, or CMMC Level 2 which can be accomplished through a self-assessment or through a certified third-party organization (C3PAO) or the DoW’s Industrial Base Cybersecurity Assessment Center (DIBCAC) once every 3 years.
• Verification and Reporting: Contractors must report their CMMC status in the government's Supplier Performance Risk System (SPRS). DoW Contracting Officers will verify a bidder’s or contractor’s CMMC status before awarding any new contracts or exercising options on existing ones. Contractors must also make an annual affirmation of their continued compliance.
• Phased Implementation: The DoW will phase in the CMMC requirements over a three-year period to minimize the financial impact and disruption to the defense industrial base, particularly for small businesses. Following this period, the CMMC requirements will apply to all applicable DoW contracts. As part of the implementation of the CMMC program, all federal contractors remain subject to a DoW audit to ensure compliance.

Phased implementation of the CMMC program represents a significant step forward in securing the Defense Industrial Base.

For service members and their families, it provides much-needed peace of mind, knowing that their personal information will be better protected by a more resilient and cyber-aware network of defense contractors.