The War Department began implementing the Cybersecurity Maturity Model Certification, a landmark cybersecurity program, in November 2025 to better protect sensitive information across the U.S. defense industrial base.
CMMC establishes a mandatory framework to ensure that thousands of companies contracting with DOW have verified cybersecurity measures in place to protect the department's data they handle.
The program is especially critical for protecting the personally identifiable information of service members and their families, particularly during the permanent change of station process.
What is CMMC and Why is it Important for PCS?
The CMMC program functions as a verification mechanism, ensuring DOW contractors meet the department's cybersecurity standards. Rather than relying on a contractor's unverified promise, the program requires a senior company official to affirm the company's compliance with the requirements of the CMMC level specified in its contract, and, at the higher levels, requires that compliance to be confirmed by an independent assessment.
This verification mechanism directly impacts the security of military families' personally identifiable information. The PCS process, a regular part of military life, requires service members to share vast amounts of PII, including names, Social Security numbers, birthdates, telephone numbers and financial details, with numerous third-party contractors that manage moving, travel and housing. Without robust security measures in place, this sensitive data is a prime target for cybercriminals and foreign intelligence entities, potentially leading to identity theft and financial fraud.
"The CMMC program provides increased assurance to the DOW that a defense contractor can adequately protect sensitive unclassified information at a level commensurate with the risk," the department states in the rule. By mandating CMMC, the DOW ensures that any company involved in the PCS process must maintain a certified level of cybersecurity, directly protecting service members' personal data from compromise.
How the CMMC Program Works
- The CMMC framework is designed to be scalable, matching the level of certification required to the sensitivity of the information being handled.
- Tiered levels: The program has three levels. A contractor handling only federal contract information must meet CMMC Level 1, which is accomplished through an annual self-assessment. A contractor handling controlled unclassified information must meet CMMC Level 2, which is achieved either through a self-assessment or through a certification assessment by a CMMC third-party assessment organization, conducted once every three years. Contractors handling the most sensitive CUI must meet CMMC Level 3, which requires an assessment by the DOW's Defense Industrial Base Cybersecurity Assessment Center.
- Verification and reporting: Contractors must report their CMMC status in the government's Supplier Performance Risk System. DOW contracting officers will verify a bidder's or contractor's CMMC status before awarding any new contracts or exercising options on existing ones. Contractors must also make an annual affirmation of their continued compliance.
- Phased implementation: The DOW will phase in the CMMC requirements over a three-year period to minimize the financial impact and disruption to the defense industrial base, particularly for small businesses. Following this period, the CMMC requirements will apply to all applicable DOW contracts. Throughout the phase-in and afterward, contractors subject to CMMC remain subject to DOW assessment of their compliance.
Phased implementation of the CMMC program represents a significant step forward in securing the defense industrial base.
For service members and their families, it provides much-needed peace of mind, knowing their personally identifiable information is protected by a more resilient and cyber-aware network of defense contractors.