RGCI - Project Spectrum Offers Free Resources for Government Contractor Cybersecurity Requirements

The FY 2026 NDAA, Section 1807, directs DoD to maintain Project Spectrum, a no-cost online platform offering cybersecurity training, tools, and resources for small and medium-sized government contractors. Originally launched in 2019, the platform supports CMMC compliance and is available to any company pursuing DoD work, regardless of current contract status.

Highlights

  • Project Spectrum is Already Active. The DoD platform has offered no-cost cybersecurity tools and training for small and medium-sized government contractors since 2019, and the FY 2026 NDAA now formally codifies it.
  • CMMC is Now a Contract Award Requirement. DFARS 252.204-7021, effective November 2025, requires Contracting Officers to verify a government contractor's CMMC level before awarding a DoD contract.
  • The Program is Open to More Than Current DoD Contractors. Any small or medium-sized government contractor pursuing DoD contracts, subcontracts, grants, or other agreements qualifies as a covered entity, regardless of current DoD contract status.
  • Resources are Free and Wide-Ranging. Registered users can access cyber readiness checks, vulnerability assessments, SSP development, POAM creation, workforce training, and continuous threat monitoring at no cost.
  • Cybersecurity Requirements Extend Beyond DoD. Other federal agencies, including the GSA, require NIST SP 800-171 controls, making Project Spectrum's resources relevant to government contractors across the federal landscape.

The FY 2026 National Defense Authorization Act (NDAA), Section 1807, directs the Director of the Department of Defense (DoD) Office of Small Business Programs to establish and maintain a program to be known as “Project Spectrum.” This program will provide covered entities with an online platform of digital resources, training, and services designed to increase awareness of, and support compliance with, the Cybersecurity Maturity Model Certification (CMMC) requirements and other compliance requirements.

The NDAA defines a covered entity as “a small business or a medium business that contracts with, or seeks to enter into a contract with, the Department of Defense that is registered to access the online platform of Project Spectrum.” It appears to us that this is open to most government contractors other than large businesses such as Boeing and Lockheed. After all, what company would not be happy to do business with DoD?

When Will Project Spectrum Come Online?

Believe it or not, it already is up and running. DoD’s Office of Small Business Programs (OSBP) originally launched Project Spectrum in December 2019 to help small and medium-sized businesses meet cybersecurity requirements. Although the platform has existed since 2019, it has received relatively little visibility. That’s unfortunate, because it offers a wide range of valuable, free resources that can help companies strengthen their cybersecurity controls and meet and maintain other compliance requirements.

Project Spectrum was created in 2019 to assist small- and medium-sized contractors that must comply with one of the three CMMC levels when their companies process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, became effective in November 2025, with a phased implementation period. The clause is included in all DoD contracts and subcontracts, except those for commercially available off-the-shelf (COTS) products. Contracting Officers must verify that a contractor has achieved the appropriate CMMC level before awarding a contract.

How Can Project Spectrum Assist My Company?

Project Spectrum provides cybersecurity information, resources, and training at no cost, provided you have registered. Its core competencies include:

  • Cyber Readiness Checks;
  • Monitoring Cybersecurity Dashboard;
  • Risk Assessment Analysis;
  • Cyber Curriculum Development;
  • Tool Reviews Secure Collaboration Platform;
  • Workforce Development Training;
  • Cybersecurity Training Courses;
  • Educational Webinars;
  • Continuous Threat Monitoring;
  • Vulnerability Assessment;
  • Maintain Patching and Conduct Testing;
  • Policy Guidance and Violation Reviews;
  • Security System Plan (SSP) Development; and
  • Plan of Action and Milestones (POAM) Creation.

The website also features blogs, recent news, videos, and upcoming events, and even offers the option to book a speaker for your own event.

Is Project Spectrum Limited to Companies that Only Have DoD Contracts and Subcontracts?

No. Under the NDAA, a covered entity is defined as a small or medium-sized business that contracts with DoD or seeks to enter into a contract with DoD. Most contractors are continually pursuing new opportunities, including DoD contracts, subcontracts, grants, or other agreements. Virtually any contractor that is seeking future work can make use of Project Spectrum’s resources. The program is not restricted to companies with existing DoD contracts; it is available to those seeking new opportunities, including opportunities with DoD.

What Constitutes a Medium-Sized Business?

While FAR Part 19, Small Business Programs, defines a small business, the NDAA does not define what qualifies as a medium business. This leaves a wide range of companies in the “medium” category by default. It is reasonable to conclude that “medium” does not include the major prime contractors such as Lockheed Martin, Boeing, Raytheon, etc. These companies are outside the program's intended scope. Unless your company is considered a large defense contractor, you will likely fall within the small to medium range and therefore qualify as a covered entity under Project Spectrum.

My Company Is Seeking Work with DoD, But Doesn’t Need to Meet CMMC Requirements

If your company is seeking new work, including DoD contracts, subcontracts, and grants, you should consider registering on the Project Spectrum platform now. While cybersecurity controls are tied to the various CMMC levels, other federal agencies also require contractors to implement cybersecurity controls based on NIST SP 800-171, the same framework that CMMC uses.

For example, the General Services Administration (GSA) has issued an IT Security Procedural Guide, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations Process, which outlines expectations for protecting CUI. Additionally, the Office of the National Cyber Director has emphasized the importance of maintaining cybersecurity controls to protect critical infrastructure funded through Federal grants. This guidance is detailed in the Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure (Read more in our article, "Do Cybersecurity Maturity Model Certification (CMMC) Requirements Apply to Grants?").

Takeaways

We recommend that small and medium-sized contractors, whether or not they currently hold DoD contracts or subcontracts, register for Project Spectrum as soon as possible. Many small and medium-sized contractors lack a dedicated Information Technology department to support the implementation and ongoing monitoring of cybersecurity requirements. They also face limited financial resources that make it difficult to meet the cybersecurity controls required at any of the three CMMC levels. Project Spectrum provides support by offering no-cost tools, training, and resources designed to strengthen cybersecurity controls and support other compliance requirements.

Understanding cybersecurity and other compliance requirements is invaluable, and free support is something no qualifying government contractor should pass up.

Preparing for Cybersecurity Compliance in Government Contracting

Redstone GCI assists government contractors in understanding how cybersecurity compliance requirements, including CMMC requirements, NIST SP 800-171 controls, and related federal expectations, may affect internal processes, documentation, compliance responsibilities, and operational planning. This includes helping organizations interpret applicable requirements, evaluate how those requirements align with existing policies and procedures, and identify where additional internal coordination, documentation, or process updates may be needed to support compliance efforts. Our team also works alongside clients and their technical providers to help improve internal alignment and readiness, reducing the risk of compliance gaps and supporting preparation for contract award requirements, agency reviews, and other government expectations.

Frequently Asked Questions (FAQs)

  • What is Project Spectrum? Project Spectrum is a no-cost DoD platform providing small and medium-sized government contractors with cybersecurity tools, training, and risk assessments to support CMMC compliance and other federal cybersecurity requirements.
  • Who qualifies to use Project Spectrum? Any small or medium-sized government contractor that currently holds, or is pursuing, a DoD contract, subcontract, grant, or other agreement qualifies, with the exception of large prime contractors outside the program's intended scope.
  • What resources does Project Spectrum offer? The platform offers cyber readiness checks, vulnerability assessments, workforce development training, Security System Plan development, Plan of Action and Milestones creation, and a secure collaboration platform, all at no cost.
  • What is CMMC and why does it matter? CMMC is a DoD certification framework requiring government contractors that process, store, or transmit Federal Contract Information or Controlled Unclassified Information to achieve a specific level before a contract can be awarded.
  • Does a company need an existing DoD contract to use Project Spectrum? No. The program is open to any small or medium-sized government contractor pursuing future DoD opportunities, not just those with existing contracts.
  • Do cybersecurity requirements apply to non-DoD federal contracts? Yes. Other federal agencies, including the GSA, require government contractors to implement cybersecurity controls based on NIST SP 800-171, the same framework underlying CMMC.

Written by Lynne Nalley, CPA

Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.

Professional Experience

Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS as well as made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments.

To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractor’s assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.

Education

Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.

Certifications

  • State of Florida Certified Public Accountant
  • State of Alabama Certified Public Accountant
  • Defense Acquisition Workforce Improvement Act (DAWIA) Level III – Auditing
  • DAWIA Level III – Contracting

About Redstone GCI

Redstone GCI is a consulting firm focused on fulfilling the needs of government contractors in all areas of compliance. With a singular mission to help contractors through the multiple layers of “red tape,” we allow contractors to focus on what they do best – support their mission with the U.S. Government. We are home to a group of consultants made up of GovCon industry professionals, CPAs, attorneys, and retired government audit and acquisition professionals.

Our focus and knowledge of audit and compliance functions administered by DCAA and DCMA will always be at the heart of what we do. However, for the past decade, we’ve strategically grown to support other areas of the government contractor back-office with that same level of focus and expertise. We’ve added expertise in contracts management, subcontract administration, proposal pricing, various software systems, HR and employment law, property administration, manufacturing, data analytics/reporting, Grant specialists, M&A, and many other areas. When we see a trend in the needs of contractors, we act to ensure we can provide the best expertise in the market to fulfill those needs.

One thing our clients can be certain of is that with the Redstone GCI Team in your corner, there is no problem too big and no issue too technical for our team to tackle.
