• Government Contracting

    For government contractors, change opens opportunities
    to capitalize on growth and gain a competitive advantage.

Compliance and growth go hand in hand for government contractors.

In January 2020, the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), a tiered system of cybersecurity standards to be applied across the Defense Industrial Base (DIB). These contractual requirements, developed and launched in response to substantial compromises of sensitive data held on contractors’ computer systems, are being rolled out gradually through 2025 (FY 2026). All defense contractors will see CMMC Maturity Level (ML) requirements in their government contracts by 2026, with the minimum threshold being ML 1, “Basic Cyber Hygiene.” Contractors processing Controlled Unclassified Information (CUI) will be expected to maintain ML 3 or ML 5.

As the number of contracts with these requirements increases, U.S. government contractors must plan, design and implement their cybersecurity strategy for safeguarding CUI.

As a CMMC Registered Provider Organization (RPO), BDO has built a cybersecurity compliance team that possesses a deep bench of advanced degrees in cybersecurity and information assurance, combined with over 30 years of experience supporting DoD programs in information technology, information assurance and cybersecurity. The team includes CMMC-certified Registered Practitioners with cybersecurity industry certifications, such as EC-Council Certified Ethical Hacker (CEH), Certified Hacking Forensic Investigator (CHFI), Certified Network Defense Architect (CNDA) and CompTIA Security+ certified professionals.

Other Cybersecurity Compliance Services

FedRAMP

FedRAMP, or the “Federal Risk and Authorization Management Program,” standardizes security assessment and authorization for cloud products and services used by U.S. federal government agencies. The goal of FedRAMP is to ensure federal data is consistently protected, and every FedRAMP package must meet the same level of cybersecurity best practice to maintain this high watermark. The level of security required for a FedRAMP-qualified authorization is mandated by law. There are 14 applicable laws and regulations, along with 19 standards and guidance documents. BDO leverages its dedicated and experienced subject matter experts (SMEs) to carefully build a compliance package to support this rigorous certification.

Cyber Supply Chain Risk Management (C-SCRM)

Organizations supporting the DIB are required to institutionalize effective SCRM practices with operational strategies to secure their internal processes and assess and mitigate risks within their supply chain. The goal is for organizations to be both secure and compliant with their contract obligations. Unfortunately, there are currently no clear U.S. laws or regulations that mandate suppliers provide multi-tier transparency of their supply chains.

In the absence of a government mandate, BDO works with organizations to implement a C-SCRM program as part of their overall enterprise risk management activities. C-SCRM is an amalgamation of cybersecurity and supply chain risk management practices implemented across the organization and throughout the system development lifecycle. BDO provides guidance and consulting for:
  • Identifying and assessing applicable cyber supply chain risks
  • Determining appropriate mitigations
  • Developing a C-SCRM Plan to document selected policies and mitigating actions
  • Monitoring performance continuously in compliance with the C-SCRM Plan
Because cyber supply chains differ across and within organizations, the C-SCRM Plan is tailored to individual organizational contexts.

Risk Management Framework

BDO’s team of experienced Risk Management Framework (RMF) SMEs provides full-scope package preparation for DoD contractors to achieve, maintain and renew their Defense Counterintelligence and Security Agency (DCSA) classified facility Authorization to Operate (ATO).

BDO’s professionals provide package preparation services for DoD clients through the prescribed seven-step RMF process, as outlined by the DCSA:
  1. Policy development
  2. Security control implementation and validation
  3. Enterprise Mission Assurance Support Service (eMASS) consulting and support
  4. eMASS security control matrix preparation and population
  5. Cybersecurity lab processes
  6. Security Technical Implementation Guide (STIG) hardening
  7. Package submission
BDO cyber consultants also support our clients with continuous monitoring activities required by eMASS and RMF.