Updated May 2026: This article was rewritten and refreshed for accuracy and relevance.


Understanding DFARS and Its Role in CMMC Compliance

DFARS, the Defense Federal Acquisition Regulation Supplement, is the regulatory framework that governs cybersecurity obligations for DoD contractors. Most contractors know the name. Fewer understand exactly what each clause requires, how the clauses connect to each other and to CMMC certification, and what the consequences are for non-compliance. (For a full overview of the certification framework, see our complete CMMC compliance guide.) That gap is where most compliance problems originate.

The Four Clauses and What They Actually Require

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

This is the foundational clause, in place since 2016. It requires contractors to implement the security controls in NIST SP 800-171 on any system that processes, stores, or transmits Covered Defense Information (CDI), which includes CUI. It also requires reporting cybersecurity incidents to the DoD within 72 hours of discovery, preserving images of compromised systems, and providing the DoD access to those systems for damage assessment.

Two operational requirements that contractors frequently miss: the 72-hour incident reporting window is tight and requires a functioning incident response process with documented escalation paths, not something you can improvise after an incident occurs. And the clause flows down to subcontractors: if your subcontractor processes CDI, they must also comply with 7012. You are responsible for ensuring that flow-down happens and that subcontractors are actually meeting the requirement.

DFARS 252.204-7019, NIST SP 800-171 DoD Assessment Requirements

This clause, added in 2020, requires contractors to conduct a NIST SP 800-171 self-assessment using the DoD Assessment Methodology and submit the resulting score to the Supplier Performance Risk System (SPRS) before a contract can be awarded. The score must be current, no more than three years old, and must reflect actual implementation, not aspirational compliance.

The SPRS submission requires a senior official to affirm the score, creating personal accountability. Submitting an inflated score isn't just a compliance risk; as the MORSE Corp settlement demonstrated in 2025, it can result in False Claims Act liability. MORSE submitted a self-assessed score of 104 when the actual score was -142; the company paid $4.6 million to settle.
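The gap between a "submitted" and an "actual" score usually comes from how unimplemented and planned requirements are counted. The following calculator is an added example (not code from the article, from Stratify IT, or from the DoD) that encodes the scoring arithmetic of the DoD Assessment Methodology as the author of this example understands it: start at 110, subtract each unimplemented requirement's weight (5, 3, or 1), give the reduced 3-point deduction only for 3.5.3 (MFA in place for remote and privileged users but not general users) and 3.13.11 (encryption in place but not FIPS-validated), and floor at -203. It also applies the 7019 currency rule (no more than three years old). The requirement weights and statuses in `SAMPLE` are constructed for illustration; the authoritative weights are in Annex A of the methodology.

```python
"""SPRS score arithmetic for a NIST SP 800-171 self-assessment (DFARS 7019).

Added example, not code from the article, Stratify IT or the DoD. Scoring
rules are encoded as the author of this example understands the DoD
Assessment Methodology; weights in SAMPLE are CONSTRUCTED, not authoritative.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110
MIN_SCORE = -203
SCORE_VALIDITY = timedelta(days=3 * 365)     # 7019: score no more than three years old
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # reduced deduction when the named condition holds

VALID_STATUS = {"implemented", "partial", "planned", "not_implemented"}


@dataclass
class Requirement:
    ident: str   # NIST SP 800-171 requirement number
    weight: int  # 5, 3 or 1 per the methodology (constructed values in SAMPLE)
    status: str  # one of VALID_STATUS; "planned" means an open POA&M item


def deduction(req, count_planned_as_implemented=False):
    """Points subtracted for one requirement."""
    if req.status not in VALID_STATUS:
        raise ValueError(f"unknown status {req.status!r} for {req.ident}")
    if req.status == "implemented":
        return 0
    if req.status == "planned" and count_planned_as_implemented:
        return 0  # the "aspirational" reading that inflates a submitted score
    if req.status == "partial" and req.ident in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req.ident]
    # "partial" on any other requirement scores as not implemented
    return req.weight


def sprs_score(reqs, count_planned_as_implemented=False):
    """110 minus all deductions, floored at -203. Requirements not listed are
    treated as implemented, so a real run must pass all 110 requirements."""
    total = MAX_SCORE - sum(deduction(r, count_planned_as_implemented) for r in reqs)
    return max(total, MIN_SCORE)


def score_is_current(assessment_iso, today_iso):
    """7019 currency check: assessed in the past and within three years."""
    assessed = date.fromisoformat(assessment_iso)
    today = date.fromisoformat(today_iso)
    return assessed <= today and today - assessed <= SCORE_VALIDITY


# Constructed sample assessment: weights and statuses are illustrative only.
SAMPLE = [
    Requirement("3.1.1", 5, "implemented"),
    Requirement("3.1.2", 5, "implemented"),
    Requirement("3.3.1", 5, "planned"),            # audit logging still on the POA&M
    Requirement("3.4.1", 5, "implemented"),
    Requirement("3.5.3", 5, "partial"),            # MFA for remote/privileged users only
    Requirement("3.13.11", 5, "not_implemented"),  # no FIPS-validated crypto at all
    Requirement("3.14.7", 1, "not_implemented"),
]


def score_report(reqs, assessment_iso, today_iso):
    """Actual score, the inflated score a careless submission would produce,
    and whether the assessment date still satisfies the currency rule."""
    return {
        "actual": sprs_score(reqs),
        "if_poam_items_counted": sprs_score(reqs, count_planned_as_implemented=True),
        "current": score_is_current(assessment_iso, today_iso),
    }


if __name__ == "__main__":
    for key, value in score_report(SAMPLE, "2024-01-15", "2026-05-01").items():
        print(f"{key}: {value}")
```

The `count_planned_as_implemented` switch exists only to make the inflation visible: the methodology scores an open POA&M item as not implemented, and the affirming senior official signs for the `actual` figure, not the hopeful one.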

DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Methodology and Audit Access

This clause authorizes the DoD to conduct medium and high confidence assessments, meaning government auditors can come in to verify the score you submitted under 7019. Medium confidence assessments involve reviewing your documentation; high confidence assessments involve on-site evaluation of technical implementation.

The practical implication: your SPRS score and the documentation behind it need to be defensible under external scrutiny, not just internally consistent. An SSP that describes controls you haven't actually implemented, or a POA&M with unrealistic timelines, creates risk the moment a contracting officer pulls your score and questions it.

DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements

This clause, which became effective with CMMC 2.0's final rule, integrates CMMC certification directly into DoD contracts. It specifies the required CMMC level for a given contract (Level 1, 2, or 3) and requires contractors to achieve and maintain that certification as a condition of award. The clause also flows down: prime contractors must verify that subcontractors handling FCI or CUI hold the applicable CMMC level.

CMMC Phase 1 started November 10, 2025. At this phase, contracts may require CMMC Level 1 self-assessment or Level 2 self-assessment. Full third-party assessment requirements for Level 2 are being phased in over the rulemaking implementation period.

How the Clauses Work Together

The four clauses form a layered system, not independent obligations:

7012 established the baseline requirement to implement NIST SP 800-171 and report incidents. 7019 and 7020 added accountability for that self-assessment: you have to score yourself, submit the score, and be prepared for the government to verify it. 7021 adds certification requirements on top, replacing self-attestation with third-party validation for contracts where the stakes are high enough to warrant it.

The progression matters for understanding where you are in the system. If your contracts include 7012 but not yet 7021, you're currently in the self-assessment regime, but the incident reporting, flow-down, and SPRS requirements from 7012, 7019, and 7020 are active and enforceable now. Waiting for 7021 to appear in a contract before addressing cybersecurity obligations is a common and costly mistake.

The Flow-Down Problem

Flow-down is where compliance breaks down most often at the supply chain level. Prime contractors are responsible for ensuring their subcontractors meet applicable DFARS requirements, but many primes don't have a systematic process for verifying this. They pass the clauses down contractually and assume compliance without confirming it.

That assumption creates exposure. If a subcontractor handling CUI experiences a breach and it emerges they weren't meeting NIST SP 800-171 requirements, the prime contractor faces scrutiny for inadequate oversight, even if the breach originated downstream. Under 7021, primes must verify that subcontractors hold the applicable CMMC level before award and confirm they maintain it throughout the contract period.

Practical approaches to managing flow-down: include DFARS and CMMC requirements explicitly in subcontractor agreements, request SPRS scores or CMMC certificates as part of subcontractor qualification, and build periodic compliance reviews into vendor management processes.

CMMC's Relationship to DFARS

CMMC didn't replace DFARS; it enforces it. The core problem CMMC was designed to solve was that DFARS 7012 had been self-attested for years with inconsistent actual implementation. Studies of SPRS scores in the defense industrial base found a significant number of contractors with scores near 110 that, when independently assessed, had substantial gaps. CMMC introduces third-party verification to close that gap.

For most contractors (those handling standard CUI under Level 2 requirements), the technical controls required are still the same 110 NIST SP 800-171 Rev 2 requirements from 7012. What changes under CMMC is who verifies them and what evidence standard is applied. Self-assessment under 7019 requires documentation sufficient for a senior official to affirm. C3PAO assessment under 7021 requires documentation sufficient for trained assessors to independently verify, which is a meaningfully higher bar.

What Contractors Should Confirm Now

Review every active DoD contract and identify which DFARS clauses are included. Many contractors have 7012 in contracts without realizing they also have active obligations under 7019 and 7020. Check your current SPRS score: when was it last updated, does it reflect your actual implementation, and is it supported by a current SSP and POA&M? Verify that your incident response plan addresses the 72-hour reporting requirement under 7012, specifically, who is responsible for making the report and how the notification to the DoD's DIBNet portal is executed.

For prime contractors with subcontractors touching CUI: audit your flow-down practices. Request current SPRS scores from subcontractors handling CUI and document that review as part of your vendor management record.

For a full walkthrough of how DFARS obligations connect to the CMMC certification process and timeline, see our CMMC compliance guide for small defense contractors.

Reach out to Stratify IT to review your current DFARS obligations, assess your SPRS score accuracy, and build a roadmap toward CMMC certification; we work with defense contractors at every stage of this process.

The DFARS clauses set the obligation; the controls that satisfy them are defined through Controlled Unclassified Information (CUI) scoping, which determines exactly which systems fall in scope for 7012 and 7021. For contractors ready to translate those obligations into a certification roadmap, our CMMC compliance certification process guide covers the full process from gap assessment through C3PAO assessment.

Frequently Asked Questions

You have more leverage than you might think, and it starts with the contract. Before awarding any subcontract involving CDI, make SSP access and SPRS score disclosure a contractual condition. If an existing subcontractor won't cooperate, that's a red flag worth escalating. You can require a third-party attestation or bring in an independent assessor to verify their posture. Ultimately, if they won't demonstrate compliance, you may need to find a different subcontractor. Your prime contract liability doesn't pause because a sub is uncooperative.

Verification has historically been inconsistent, but that's changing fast. DCSA and DCMA both conduct assessments for certain contract types, and contracting officers increasingly request SSPs and SPRS scores during source selection. The bigger shift is CMMC: third-party assessments (C3PAOs) and the requirement for affirmations of compliance create a formal verification mechanism that self-attestation never had. Misrepresenting your SPRS score is also a False Claims Act exposure, which gives DOJ another avenue to pursue contractors who inflate their posture.

The DoD's definition is broader than most contractors expect. A reportable incident under 7012 includes any actual or suspected unauthorized access to, use of, disclosure of, modification of, or destruction of information or systems holding CDI, including unsuccessful intrusion attempts if they indicate a compromise of network defenses. Ransomware hitting a system that touches CDI is reportable. A phishing attack that led to credential theft on a CDI-adjacent system is reportable. When in doubt, report. The cost of over-reporting is minimal compared to the liability for missing the window.

Yes, and yes, with specifics. Any cloud solution used to process, store, or transmit CUI must meet FedRAMP Moderate equivalency at minimum, which is explicitly required under 7012. That means you can't just drop CUI into a standard Microsoft 365 or Google Workspace tenant. You need the GCC High or equivalent environment that meets the FedRAMP Moderate baseline. The CSP itself isn't a subcontractor in the traditional sense, but the requirement to flow down compliance obligations means you're responsible for ensuring the environment you're using actually meets the standard.

The difference is accountability and trajectory. A POA&M isn't just a list of gaps; it should include specific remediation steps, resource assignments, realistic target dates, and interim compensating controls where possible. DCSA and assessors review POA&Ms to judge whether a contractor is actively managing their compliance posture or just acknowledging problems. A gap list with no dates or owners signals the latter. For CMMC, open POA&M items above certain thresholds can affect your assessment outcome, so treating the POA&M as a living management document matters operationally, not just administratively.

Not entirely. CMMC Level 2 certification demonstrates that you've implemented the 110 controls in NIST SP 800-171, which addresses the core technical requirement of 7012 and the assessment requirement of 7019. But 7012 also carries independent obligations (the 72-hour incident reporting, system image preservation, and DoD access for damage assessment) that aren't 'certified away' by CMMC. You still need a functioning incident response program, a documented reporting workflow, and flow-down management for subcontractors. CMMC handles the control implementation piece; it doesn't replace the operational and contractual obligations in 7012.

Sharad Suthar

Sharad has a proven track record of delivering successful IT projects underpinned by creative problem-solving and strategic thinking. He brings an extraordinary combination of in-depth technical knowledge, problem-solving skills, and dedication to client satisfaction that enables him and his team at Stratify IT to deliver optimal IT solutions tailored to the specific needs of each organization, from large corporates to small businesses. His impeccable attention to detail and accuracy ensure that his clients get the best possible results.

Categories: #Compliance #CMMC