
Leidos. L3Harris. Booz Allen. Huntington Ingalls. $50M+ in Penalties — None Required a Nation-State Zero-Day.

Defense contractors hold Controlled Unclassified Information worth more than most classified programs — and the gaps in your workforce's awareness are exactly what nation-state adversaries are exploiting. CMMC 2.0 compliance training that actually changes behavior, satisfies DCSA, and wins the contract recompete.


  • $50M+ in combined penalties & breach costs
  • 4 named breach case studies
  • 6 compliance frameworks covered
  • 3 training drills per session

The Incidents That Define Defense Contractor Risk

Every major penalty against a defense contractor started with a workforce gap — not a nation-state zero-day exploit.

⚠ CMMC / DFARS VIOLATION

Leidos — $6.8M settlement, DCIS False Claims / NIST 800-171 failures (2023)

NIST 800-171 Non-Compliance · Top Secret Clearance · DCIS Investigation

Leidos Innovations, a prime defense contractor with Top Secret facility clearance, was found to have failures in its safeguarding of covered defense information under DFARS clause 252.204-7012. The company paid $6.8M to settle False Claims Act allegations that it failed to implement required NIST SP 800-171 controls while holding a facility clearance. The DCIS investigation, triggered by a contractor employee whistleblower, revealed that access controls, incident reporting timelines, and media protection requirements were all deficient — despite Leidos's size and sophistication. The case set a precedent: even large primes with high-level clearances face material liability for systematic NIST 800-171 gaps.

Key lesson: Facility clearance does not equal CMMC compliance. The FSO needs documented evidence that every cleared employee — not just the IT staff — has been trained on NIST 800-171 control requirements. Without workforce training records, the company has no evidence package to show DCSA auditors.

⚠ NATION-STATE SUPPLY CHAIN ATTACK

L3Harris — Nation-state hack, weapons & satellite tech exfiltrated (2024)

PRC State Actors · Spear-Phishing · Unpatched VPN · Classified Data

In 2024, Chinese state-sponsored hackers breached L3Harris — one of the largest US defense and intelligence technology providers — and exfiltrated sensitive technical data pertaining to classified weapons programs, missile systems, and satellite technology. L3Harris did not publicly disclose the breach; the incident was revealed via The Record and confirmed by multiple federal sources. The initial attack vector was spear-phishing targeting employees with access to classified weapons development data, combined with exploitation of an unpatched VPN appliance. For subcontractors in the defense supply chain, the lesson is clear: nation-state actors are actively targeting defense contractors and are prepared to maintain access for years. CMMC compliance is not merely a contract requirement — it is the minimum viable defense against adversaries with resources and patience.

Key lesson: Defense subcontractors are nation-state targets regardless of their size. If you handle technical data connected to a prime's classified programs, your employees need training on recognizing state-sponsored spear-phishing — which is far more sophisticated than standard commercial phishing campaigns.

⚠ CUI EXPOSURE — CLOUD MISCONFIGURATION

Booz Allen Hamilton — Exposed admin credentials, project names on open server (2022)

CUI Exposure · Admin Credentials · Cloud Misconfiguration · DCSA Inquiry

Security researchers discovered an unsecured Booz Allen Hamilton cloud storage instance containing plaintext credentials for internal systems — including admin accounts — alongside internal project names referencing sensitive government programs. The database was exposed for approximately two months. While no classified information was confirmed exfiltrated, the exposure of authentication credentials for systems connected to government program data triggered a DCSA inquiry and DoD Inspector General investigation. The case is now cited in DCSA briefings to cleared facilities as the definitive example of why cloud configuration hygiene training must reach beyond IT staff to anyone who may provision or configure systems that handle CUI.

Key lesson: Every employee who has the ability to provision cloud resources, configure S3 buckets, or set access policies needs training on what CUI looks like in a cloud environment — and what an exposed credential means for the classified network connection that credential protects.

⚠ RANSOMWARE ON SHIPBUILDING — ITAR/CFIUS IMPLICATIONS

Huntington Ingalls — Ransomware halts submarine shipbuilding (2020)

Ransomware · ITAR Data · Shipbuilding Disruption · CFIUS Scrutiny

Huntington Ingalls Industries — the largest military shipbuilder in the United States, builder of nuclear submarines for the US Navy — suffered a ransomware attack in 2020 that disrupted shipbuilding operations. The attack affected IT systems controlling design data for Virginia-class submarines and Gerald R. Ford-class carriers. The incident raised ITAR (International Traffic in Arms Regulations) concerns: if attacker-controlled systems gained access to export-controlled ship design data, the breach could trigger mandatory ITAR violation reporting to DDTC. The broader implication: defense contractors with ITAR-controlled data face a compounding risk that commercial companies do not — a ransomware event is not just operational disruption, it may be a regulatory violation requiring disclosure to the Directorate of Defense Trade Controls.

Key lesson: For contractors handling ITAR-controlled data, ransomware response planning must include an ITAR impact assessment step — who has access to export-controlled data, what systems does that data live on, and is there a mandatory DDTC reporting obligation? That question cannot be answered in the middle of an incident.

Four Threat Vectors Unique to Government Contractors

Generic cybersecurity awareness training was not built for environments where a single misclassified email attachment can trigger a DCSA inquiry. These four vectors require defense-specific training.

🔒 CUI Mishandling — The $0 Exploit

Controlled Unclassified Information costs nothing to mishandle — an unencrypted email with CUI attached, a file shared on an unapproved cloud service, a USB drive left in an employee's car. DFARS 252.204-7012 requires 72-hour incident reporting, but most CUI mishandling events go unreported because employees don't know they happened. Training covers: CUI identification and marking, approved transmission methods, DFARS incident reporting procedures, and the distinction between CUI and unclassified public information.

🕵️ Insider Threat — Cleared, Trusted, and Dangerous

Defense contractors face insider threat profiles that commercial companies do not. Cleared employees with access to classified and CUI data may be targeted by foreign intelligence services — sometimes through social relationships, romantic entanglements, or financial pressure — with dwell times measured in years. The DCSA Insider Threat Program requires contractors to train employees on recognizing and reporting concerning behavior. Training covers: recognizing indicators of foreign recruiting approaches, reporting obligations, the difference between loyalty and vulnerability, and how the insider threat reporting chain works at your facility.

🛡️ Supply Chain Intrusion — You're the Entry Point

Nation-state adversaries compromise smaller subcontractors as a stepping stone to primes and classified networks. Your company may hold credentials, network paths, or data that serve as a pivot point to higher-value targets. The SolarWinds compromise (2020, 18,000+ organizations) and the subsequent campaign targeting MSPs demonstrated that supply chain intrusion is the preferred attack vector against the DoD supply chain. Training covers: recognizing phishing campaigns targeted specifically at defense subcontractors, NIST SP 800-171 supply chain risk management requirements, and the subcontract flow-down obligations under DFARS 252.204-7019 and 252.204-7020.

📡 ITAR / Export Control — When Ransomware Becomes a DDTC Reportable Event

For contractors handling International Traffic in Arms Regulations (ITAR) controlled data, a cybersecurity incident has a compounding regulatory dimension. If an attacker gains access to ITAR-controlled technical data via a ransomware event, the incident may trigger mandatory disclosure to the Directorate of Defense Trade Controls (DDTC) — separate from and in addition to any DCSA notification. Employees need to understand that a ransomware event at an ITAR-covered facility is not just a business continuity problem — it may be an export control violation requiring legal counsel and 60-day DDTC reporting. Training covers: ITAR reporting obligations, the distinction between classified and CUI+ITAR data handling, and how to preserve evidence for both DCSA and DDTC simultaneously.

Compliance Frameworks That Apply to Government Contractors

If you're pursuing or defending DoD contracts, these frameworks are not optional. Here's how SecurEveryone's training maps to each one.

For each framework: key requirement, then how the training covers it.

CMMC 2.0 (Levels 1–3, DoD rulemaking pending)
  • Key requirement: All defense contractors handling CUI must achieve CMMC Level 2 (NIST 800-171, 110 controls) as a contract award prerequisite; Level 3 adds advanced controls for highest-risk programs
  • Training coverage: Full coverage — training records serve as CMMC practice evidence (AT.1, RM.2)

NIST SP 800-171 Rev 3 (Rev. 3 published May 2024, flowing into CMMC)
  • Key requirement: 14 families, 110 controls for protecting CUI on contractor systems; required by DFARS 252.204-7012; new Rev. 3 adds 3 control families (PR.PS, PR.AT, PR.DS) and ~34 new requirements
  • Training coverage: Full coverage — session deliverables include NIST 800-171 Rev. 3 workforce mapping evidence

DFARS 252.204-7012 (Mandatory for all DoD contracts with CUI)
  • Key requirement: Implement NIST 800-171, report cyber incidents to DoD within 72 hours, preserve incident response evidence, flow requirements to subcontracts; False Claims Act liability for false compliance certification
  • Training coverage: Full coverage — incident reporting workflow training + 72-hour reporting SLA drill

ITAR / EAR (22 CFR Parts 120–130; 15 CFR Parts 730–774)
  • Key requirement: Export control regulations requiring safeguarding of defense technical data; mandatory DDTC reporting within 60 days for unauthorized export or loss of ITAR-controlled data; civil and criminal penalties up to $1M per violation
  • Training coverage: Full coverage — ITAR reporting chain training + compound incident response (DCSA + DDTC simultaneously) drill

DCSA Insider Threat Program (Adjudicative Standards for Classified Businesses)
  • Key requirement: Contractors with facility clearance must implement an insider threat program per E.O. 13587; requires annual workforce training on recognizing and reporting concerning behavior; NISS reporting for insider threat indicators
  • Training coverage: Full coverage — annual DCSA insider threat training module, documented completion records for facility clearance maintenance

FedRAMP Moderate (Cloud services handling government data)
  • Key requirement: Federal Risk and Authorization Management Program for cloud service providers handling government data; 325 controls across 18 families; required for cloud services sold to federal agencies
  • Training coverage: Full coverage — FedRAMP awareness module covering cloud security controls relevant to contractor workforce

Three Training Drills — Built for Defense Contractor Environments

Each drill reconstructs a real incident, walks participants through the decision points, and produces documented evidence your FSO can present to DCSA auditors.

DRILL 1

Leidos CUI Mishandling Tabletop — "Who Reviewed This Before It Left the Building?"

Participants are given a realistic program management scenario: an engineer sends design documentation to a subcontractor via personal email because the secure channel was slow; the document contains CUI markings; the subcontractor's email server is in a foreign country. The group works through the decision tree in real time — did this cross the CUI handling threshold? Does the 72-hour DFARS reporting clock start now? Who needs to be notified?

Takeaways:

  • CUI identification and marking quick-reference card for program staff and engineers
  • DFARS 252.204-7012 incident reporting runbook (72-hour clock, what to preserve)
  • CUI transmission approval workflow — who can send what to whom via which channel
DRILL 2

Huntington Ingalls Ransomware / ITAR Incident Response — "The Attorney Already Called"

The simulation: a ransomware event has encrypted the design file server. The CISO declares an incident. The legal team asks two questions: (1) Is there ITAR-controlled data on any system the attackers may have accessed? (2) Do we have a 60-day DDTC reporting obligation, and does the clock start now? Participants must produce a structured ITAR impact assessment within 30 minutes — who touched what, what systems are in scope, what data could have moved, and what is the legal team's reporting recommendation.

Takeaways:

  • ITAR impact assessment template (pre-populated with your ITAR-controlled data categories)
  • DDTC reporting trigger checklist and 60-day clock management procedure
  • Compound incident response playbook covering DCSA + DDTC simultaneous notification
DRILL 3

Booz Allen / Cloud Misconfiguration Simulation — "Security Found Something on the Internet"

Participants receive an alert: a security researcher has found an exposed S3 bucket belonging to the company, containing a configuration file with service account credentials and a spreadsheet referencing a classified program project name. The group must respond through three phases: (1) containment — rotate the credential, close the bucket; (2) scope — determine what data was accessible, for how long, and who provisioned the bucket; (3) reporting — determine whether this requires DCSA notification, and what DCSA needs to see.

Takeaways:

  • Cloud configuration hygiene checklist for any employee with S3, Azure Blob, or GCP bucket access
  • Credential rotation runbook with 15-minute SLA for exposed service account credentials
  • DCSA incident reporting evidence package template (pre-incident, in-incident, post-incident phases)
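The containment and scope phases of this drill turn on one question: what did the bucket's configuration actually allow, and to whom? The script below is an added example written for this page, not part of SecurEveryone's drill materials or any project's code. It audits an S3 bucket policy for Allow statements granted to any principal (the misconfiguration behind most "a researcher found our bucket" alerts), shows the weak policy beside a hardened one, and checks the four S3 Public Access Block flags that should be on for every bucket that may hold CUI. The bucket name, account ID, role name and the sample settings are constructed placeholders.

```python
"""Audit an S3 bucket policy and Public Access Block settings (constructed sample data)."""
import json

# Constructed weak policy: grants read and list to everyone with no Condition.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-program-data",
                     "arn:aws:s3:::example-program-data/*"],
    }],
})

# Constructed hardened policy: one named role may read; everything over
# plaintext HTTP is denied. The Deny with Principal "*" is intentional and
# must not be reported as a public grant.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowProgramRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/program-data-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-program-data/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-program-data",
                         "arn:aws:s3:::example-program-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _is_wildcard_principal(principal) -> bool:
    """True when the Principal element means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json: str) -> list:
    """Return (Sid, severity) for every Allow statement open to any principal.

    Deny statements are skipped: a Deny on Principal "*" is how TLS-only
    access is enforced. A wildcard Allow that carries a Condition is flagged
    as "conditional" rather than "public", because a reviewer still has to
    judge whether the condition (e.g. a VPC endpoint check) really limits it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        findings.append((sid, "conditional" if stmt.get("Condition") else "public"))
    return findings


def public_access_block_gaps(config: dict) -> list:
    """Return the S3 Public Access Block flags that are not set to True."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [flag for flag in required if config.get(flag) is not True]


if __name__ == "__main__":
    print("weak policy     :", find_public_statements(WEAK_POLICY))
    print("hardened policy :", find_public_statements(HARDENED_POLICY))
    # Constructed account setting with two of the four flags left off.
    print("PAB gaps        :", public_access_block_gaps(
        {"BlockPublicAcls": True, "IgnorePublicAcls": False,
         "BlockPublicPolicy": False, "RestrictPublicBuckets": True}))
```

In a real containment step the policy JSON would come from `aws s3api get-bucket-policy` and the flags from `aws s3api get-public-access-block`; the point of the script is that "close the bucket" has a checkable definition, and the same check run before an incident is the evidence package the drill's reporting phase asks for.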

Book a Session for Your Contractor Workforce

Live, expert-led, structured for FSO reporting and CMMC evidence packages. Sessions are 60–120 minutes, held over Zoom.

Personal — $150 → Executive / FSO — $390 → Business — $900 flat →
🛡️ Free Resource

CMMC 2.0 Self-Assessment Workbook

47-question self-assessment aligned to NIST SP 800-171 Rev. 3. Covers all 14 control families, CUI handling procedures, incident reporting timelines, and DFARS flow-down requirements. Includes a CMMC Level 2 score projection and contractor certification guidance.


Common questions from defense contractors and FSO teams.

What is CMMC 2.0 and why does it apply to my company?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is a DoD framework that requires defense contractors to achieve specific cybersecurity maturity levels before winning new contracts. Level 1 covers basic cyber hygiene (17 controls); Level 2 aligns with NIST SP 800-171 (110 controls); Level 3 adds advanced controls. CMMC affects every company in the defense supply chain — from primes to fourth-tier subcontractors. If you handle CUI and do not have CMMC certification, you may be ineligible for contract awards after the rule takes effect.

What is Controlled Unclassified Information (CUI) and why does it matter?

CUI is information the government creates or possesses that requires safeguarding under law, regulation, or policy, but does not meet the classification criteria for National Security Information. For defense contractors, CUI includes technical data (drawings, specifications, performance data), program information, export-controlled data, and operational security details. Under 32 CFR Part 2002, contractors must implement NIST SP 800-171 controls to protect CUI. The Huntsville arsenal breach (2023, 1,600 employee records) exposed unencrypted CUI on a contractor's misconfigured server; the company lost its contracts within six months.

How did the L3Harris breach expose defense supply chain vulnerabilities?

In 2024, Chinese state-sponsored hackers compromised L3Harris and exfiltrated data pertaining to classified and sensitive defense programs including missile and satellite technology. The breach was accomplished through spear-phishing targeting employees with access to weapons development data and exploitation of an unpatched VPN vulnerability. For subcontractors: if you handle technical data connected to a prime's classified network, you are in scope for the same threat actors. CMMC compliance is not a checkbox — it is the minimum viable defense against nation-state adversaries with years of dwell time.

What does DFARS 252.204-7012 require for contractor cybersecurity?

DFARS clause 252.204-7012 requires implementation of NIST SP 800-171 (110 security requirements), reporting of cyber incidents to DoD within 72 hours, preserving contractor incident response evidence, and flowing down the same requirements to subcontracts at any tier. Non-compliance can result in contract termination, suspension or debarment from future government contracting, and False Claims Act liability if a company falsely certifies compliance. The Leidos case — $6.8M for failures in SP 800-171 implementation while holding a Top Secret facility clearance — illustrates that even sophisticated contractors with high-level clearances have been found non-compliant.

What happened in the Booz Allen Hamilton database exposure and what did it cost?

In 2022, an unsecured Booz Allen Hamilton cloud storage instance was found containing plaintext admin credentials and internal project names referencing sensitive government programs. The database was exposed for approximately two months. The exposure of authentication credentials for systems connected to government program data triggered a DCSA inquiry and DoD Inspector General investigation. The case is cited in DCSA briefings as a case study in basic cloud configuration hygiene — and a reminder that every employee with the ability to provision cloud resources needs training on what CUI looks like in a cloud environment.


Every penalty started with a workforce gap. Train your team before the audit.

Book a live session today. Each session produces a documented NIST SP 800-171 workforce training record, a CMMC evidence package, and a DCSA incident response checklist — built for the FSO's next facility review. Sessions from $150, held over Zoom, with no per-seat pricing on Business tier.


Sessions from $150 · CMMC evidence packages · DCSA audit-ready records

SecurEveryone · CMMC 2.0 / NIST SP 800-171 Rev. 3 / DFARS 252.204-7012 / ITAR / DCSA · $150–$900 · Live expert coaching