The United States Department of Defense (DoD) was created in 1947 by unifying the military branches under one department. Since then, the DoD has been protecting the nation from physical threats and, as of late, cyber threats. At the onset of the personal computer wave in the 1980s, the DoD began publishing computer security recommendations. These recommendations have since developed into the required DoD cyber security certifications that companies have today.

Technology increases rapidly in sophistication and capability. As a result, so do cyber security risks. The DoD is at the heart of national security, so it is only natural that its security standards are among the highest in the world. The DoD’s cyber security history may help familiarize companies with federal compliance to prepare them for future DoD contracts and help them establish strong protocols.

> Get a Free Checklist of NIST SP 800-171 Security Controls: Self-Assessment Tool

Rainbow Books

The Rainbow Series was an assortment of free documents released in the 1980s through the 1990s that provided security recommendations for U.S. government agencies. Each recommendation category is identifiable by the book's cover, the colors of which coined the nickname "Rainbow." The following are examples of some of the DoD cyber security documents:

  • Orange Book (CSC-STD-001-83) – DOD Trusted Computer System Evaluation Criteria (TCSEC) [DOD 5200.28].
  • Green Book (CSC-STD-002-85) – DOD Password Management Guidelines.
  • Light Yellow Book (CSC-STD-003-85) – Guidance for Applying the DOD Trusted Computer System Evaluation Criteria in Specific Environments.
  • Yellow Book II (CSC-STD-004-85) – Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements.


The DoD Information Technology Security Certification and Accreditation Process (DITSCAP) was the first accreditation and certification process that the DoD used. It was created in 1992 to show that contractor systems were safe to operate in the manner agreed upon in the contract. DIACAP replaced DITSCAP.

The DoD Information Assurance Certification and Accreditation Process (DIACAP) produced a formal standard for risk management. The intent was to ensure that risk management was applied to information systems. DIACAP was comprised of DoD processes to recognize, implement, confirm, and manage information assurance measures and services. The initial version formed in 2006, and the final version was signed in 2014.

NIST SP 800-53, RMF, CSF

NIST SP 800-53 was initially created in 2006. The final version was developed in April 2013. This publication provided a framework for security and privacy controls to apply to federal computer systems. The NIST Risk Management Framework (RMF) superseded NIST SP 800-53 in 2020.

The RMF was designed to aid in the discovery and mitigation of risk in federal systems. It utilizes a process to integrate security, privacy and cyber supply chain risk management activities into the system development lifecycle. The RMF can apply to legacy technology and new technology systems.

In 2014, NIST worked with the private sector and the federal government to create the Cybersecurity Framework (CSF).

  • The CSF integrates industry standards and best practices to help organizations set up and manage their DoD cyber security program.
  • The primary objective of CSF is to address cyber threats and support business goals.
  • CSF generates a common language to simplify the understanding of threats to staff at all levels within a business.

DFARS 252.204-7012/NIST SP 800-171

The Defense Federal Acquisition Regulation Supplement (DFARS) was created to establish rules on the handling of covered defense information, including the reporting of cyber incidents.

DFARS’ main objective is to protect the DoD’s unclassified information on a defense contractor’s internal information systems.

NIST SP 800-171 was established to guide standards and best practices in the handling of controlled unclassified information (CUI) within non-federal systems and organizations. CUI is data that does not require clearance to view but is not meant for public distribution. The requirements should be applied to all non-federal systems that handle (process, store or transmit) CUI or that provide protection for such components.

The development of the CMMC effectively supersedes 800-171.

NIST SP 800-171 Compliance
Get a comprehensive checklist of NIST security controls with our free NIST SP 800-171 self-assessment tool.


For a considerable time, the NIST SP 800-171 framework was the standard to guide DoD contractors and subcontractors in managing CUI. With the rapid increase in cyber threats across the globe, an enhanced model is needed to protect the Defense Industrial Base (DIB) sector as well as the DoD. The answer to this problem is the Cybersecurity Maturity Model Certification (CMMC).

The CMMC launched on January 31, 2020, as a unified standard for DoD cyber security practices. It replaces NIST SP 800-171 as the federal government's mechanism for protecting CUI. The CMMC has five different levels at which a defense contractor can become certified in order to bid on DoD contracts. Starting with Level 1, each subsequent level requires more security controls and practices. The CMMC ensures security compliance and safety within the supply chain for DoD work.

  • One key difference between CMMC and NIST SP 800-171 is the need for third-party assessments. While NIST SP 800-171 only required self-assessments, the CMMC mandate requires an outside organization to audit remediation and certify compliance.
  • As a precursor to CMMC, the DFARS Interim Rule (252.204-7019) establishes requirements for NIST SP 800-171 compliance scoring (SPRS score) and remediation.

Learn More About the DoD Cyber Security Requirements

The DoD has a long history of setting standards to protect national security. As technology has progressed, so has the response to threats and the standard for achieving a strong security posture. The DoD requirements have moved from having reasonable cyber security measures with self-assessments to having strong cyber security controls.

If a company relies on DoD contracts, then it must become CMMC certified. The certification level required depends on the contract and the CUI involved. Regardless of the required level, however, the contractor still needs a professional third party that can get them to where they need to be.

InfoDefense has helped many clients achieve compliance standards to make them successful. If you are a defense contractor and need help becoming CMMC certified, contact us today for more information.

Originally published July 26, 2021 , updated September 16, 2021


related posts: