Table of Contents
- Understanding DFARS and Its Role in CMMC Compliance
- The Four Clauses and What They Actually Require
- How the Clauses Work Together
- The Flow-Down Problem
- CMMC's Relationship to DFARS
- What Contractors Should Confirm Now
- Frequently Asked Questions
- 1. What is DFARS in cybersecurity compliance?
- 2. How is DFARS related to CMMC compliance?
- 3. What is DFARS clause 252.204-7012?
- 4. What is the difference between DFARS and NIST SP 800-171?
- 5. Who needs to comply with DFARS requirements?
- 6. What are the main DFARS clauses related to cybersecurity?
- 7. How does DFARS impact CMMC certification?
- 8. What happens if a company is not DFARS compliant?
- 9. How can organizations prepare for DFARS and CMMC compliance?
Understanding DFARS and Its Role in CMMC Compliance
DFARS — the Defense Federal Acquisition Regulation Supplement — is the regulatory framework that governs cybersecurity obligations for DoD contractors. Most contractors know the name. Fewer understand exactly what each clause requires, how they connect to each other, and what the consequences are for non-compliance. That gap is where most compliance problems originate.
This article walks through the four DFARS cybersecurity clauses, what each one actually requires operationally, and how they relate to CMMC.
The Four Clauses and What They Actually Require
DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting
This is the foundational clause, finalized in 2016 with a compliance deadline of December 31, 2017. It requires contractors to implement the security requirements in NIST SP 800-171 on any system that processes, stores, or transmits Covered Defense Information (CDI), a category of CUI. It also requires reporting cyber incidents to the DoD within 72 hours of discovery, preserving images of affected systems and relevant monitoring data for at least 90 days, and giving the DoD access to those systems and data for damage assessment. Where CDI is processed in a cloud service, the clause additionally requires that service to meet security requirements equivalent to the FedRAMP Moderate baseline.
Two operational requirements that contractors frequently miss: the 72-hour incident reporting window is tight and requires a functioning incident response process with documented escalation paths — not something you can improvise after an incident occurs. And the clause flows down to subcontractors: if your subcontractor processes CDI, they must also comply with 7012. You are responsible for ensuring that flow-down happens and that subcontractors are actually meeting the requirement.
DFARS 252.204-7019 — NIST SP 800-171 DoD Assessment Requirements
This clause, added in 2020, requires contractors to conduct a NIST SP 800-171 self-assessment (a "Basic" assessment in the terms of the DoD Assessment Methodology) and post the resulting score to the Supplier Performance Risk System (SPRS) before a contract can be awarded. The score must be current, no more than three years old, and must reflect actual implementation, not aspirational compliance.
A posted score is a representation to the government on which award decisions rest, and under CMMC a senior company official must additionally affirm it each year, creating personal accountability. Submitting an inflated score is not just a compliance risk. As the MORSE Corp settlement demonstrated in 2025, it can result in False Claims Act liability: MORSE had posted a self-assessed score of 104 when an independent assessment put the actual score at -142, and the company paid $4.6 million to settle.
DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Methodology and Audit Access
This clause authorizes the DoD to conduct Medium and High assessments, performed by DCMA's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to verify the score you posted under 7019. It also obligates you to give the government access to your facilities, systems, and personnel for that purpose. A Medium assessment reviews your System Security Plan and supporting documentation; a High assessment verifies the technical implementation of each requirement, on site or virtually, and its result replaces your self-assessed score in SPRS.
The practical implication: your SPRS score and the documentation behind it need to be defensible under external scrutiny, not just internally consistent. An SSP that describes controls you have not actually implemented, or a POA&M with unrealistic timelines, creates risk the moment a contracting officer pulls your score and questions it. Note also that the methodology scores a requirement that is on a POA&M as not implemented until the item is closed, so open POA&M items count against the score directly.
DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements
This clause was first added in 2020 and was revised by the 48 CFR CMMC acquisition rule, which took effect on November 10, 2025, to integrate CMMC directly into DoD contracts. It specifies the CMMC level required for a given contract (Level 1, 2, or 3) and requires contractors to achieve and maintain that status as a condition of award. The clause also flows down: prime contractors must verify that subcontractors handling FCI or CUI hold the applicable CMMC level before awarding them work.
CMMC Phase 1 began on November 10, 2025, the effective date of the acquisition rule. During Phase 1, solicitations may require a Level 1 self-assessment or a Level 2 self-assessment, and the DoD may require Level 2 certification by a C3PAO at its discretion. Level 2 certification becomes the general requirement in Phase 2, one year later, with Level 3 requirements following in Phase 3 and full implementation across all applicable contracts in Phase 4 of the three-year rollout.
How the Clauses Work Together
The four clauses form a layered system, not independent obligations:
7012 established the baseline requirement to implement NIST SP 800-171 and report incidents. 7019 and 7020 added accountability for that self-assessment — you have to score yourself, submit the score, and be prepared for the government to verify it. 7021 adds certification requirements on top, replacing self-attestation with third-party validation for contracts where the stakes are high enough to warrant it.
The progression matters for understanding where you are in the system. If your contracts include 7012 but not yet 7021, you're currently in the self-assessment regime — but the incident reporting, flow-down, and SPRS requirements from 7012, 7019, and 7020 are active and enforceable now. Waiting for 7021 to appear in a contract before addressing cybersecurity obligations is a common and costly mistake.
The Flow-Down Problem
Flow-down is where compliance breaks down most often at the supply chain level. Prime contractors are responsible for ensuring their subcontractors meet applicable DFARS requirements — but many primes don't have a systematic process for verifying this. They pass the clauses down contractually and assume compliance without confirming it.
That assumption creates exposure. If a subcontractor handling CUI experiences a breach and it emerges they weren't meeting NIST SP 800-171 requirements, the prime contractor faces scrutiny for inadequate oversight — even if the breach originated downstream. Under 7021, primes must verify that subcontractors hold the applicable CMMC level before award and confirm they maintain it throughout the contract period.
Practical approaches to managing flow-down: include DFARS and CMMC requirements explicitly in subcontractor agreements, request SPRS scores or CMMC certificates as part of subcontractor qualification, and build periodic compliance reviews into vendor management processes.
CMMC's Relationship to DFARS
CMMC did not replace DFARS; it enforces it. The core problem CMMC was designed to solve was that DFARS 7012 had been self-attested for years with inconsistent actual implementation. DoD assessments of contractors in the defense industrial base repeatedly found companies with self-reported SPRS scores near 110 that, when independently assessed, had substantial gaps. CMMC introduces third-party verification to close that gap.
For most contractors, those handling standard CUI under Level 2 requirements, the technical controls are still the same 110 NIST SP 800-171 Rev 2 requirements that 7012 already imposes. What changes under CMMC is who verifies them and what evidence standard is applied. Self-assessment under 7019 requires documentation sufficient for the company to stand behind the score it posts. C3PAO assessment under 7021 requires documentation and technical evidence sufficient for trained assessors to independently verify each requirement, a meaningfully higher bar.
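The gap between a self-reported score and an independently assessed one, discussed above and in the 7019 section, comes down to the arithmetic of the DoD Assessment Methodology: every one of the 110 requirements carries a weight of 1, 3, or 5 points, a score starts at 110 and loses the full weight of each requirement that is not implemented (or that sits on an open POA&M), the floor is -203, and only two requirements (3.5.3 multifactor authentication and 3.13.11 FIPS-validated cryptography) allow partial credit of -3 instead of -5. The calculator below is an added example, not code from this page, from DoD, or from Stratify IT. It assumes a constructed subset of the Annex A weight table and constructed sample findings for one system; the authoritative weight for every requirement is in the methodology itself, and requirements not listed in the table are treated as implemented.

```python
"""SPRS score calculator following the scoring rules of the DoD Assessment
Methodology for NIST SP 800-171 (added example, not DoD's or the page's code).

Rules implemented:
  * start at 110 and subtract each unimplemented requirement's weight (1, 3 or 5)
  * an open POA&M item scores the same as not implemented
  * 3.5.3 (MFA) and 3.13.11 (FIPS crypto) may take partial credit: -3 instead of -5
  * the score never drops below -203
"""
from enum import Enum

MAX_SCORE = 110   # all 110 requirements implemented
MIN_SCORE = -203  # floor defined by the methodology

# Assumption: a constructed subset of the Annex A weight table, for illustration.
# Requirements not listed here are treated as implemented by this example.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.5.3": 5,    # multifactor authentication
    "3.5.7": 1,    # minimum password complexity
    "3.8.3": 5,    # sanitize media before disposal or reuse
    "3.13.8": 3,   # cryptographic protection of CUI in transit
    "3.13.11": 5,  # FIPS-validated cryptography
    "3.14.1": 5,   # identify, report and correct flaws in a timely manner
    "3.14.2": 5,   # malicious code protection
}

# The only two requirements the methodology allows partial credit for.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                  # valid only for 3.5.3 and 3.13.11
    POAM = "poam"                        # open POA&M item: scored as a gap
    NOT_IMPLEMENTED = "not_implemented"


def deduction(req_id: str, status: Status) -> int:
    """Points subtracted for one requirement under the methodology's rules."""
    if req_id not in WEIGHTS:
        raise KeyError(f"no weight known for requirement {req_id}")
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL:
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"partial credit is not permitted for {req_id}")
        return PARTIAL_CREDIT[req_id]
    # POAM and NOT_IMPLEMENTED both cost the full weight.
    return WEIGHTS[req_id]


def sprs_score(findings: dict) -> int:
    """Summary score for a set of findings; unlisted requirements count as implemented."""
    total = sum(deduction(req, status) for req, status in findings.items())
    return max(MIN_SCORE, MAX_SCORE - total)


def top_deductions(findings: dict, n: int = 3) -> list:
    """The n largest deductions as (requirement, status, points), largest first."""
    rows = [(req, status.value, deduction(req, status))
            for req, status in findings.items()]
    rows = [row for row in rows if row[2] > 0]
    rows.sort(key=lambda row: (-row[2], row[0]))
    return rows[:n]


# Constructed sample: what the contractor recorded in its own assessment versus
# what an independent review of the same system found.
SELF_REPORTED = {
    "3.1.3": Status.NOT_IMPLEMENTED,
    "3.5.7": Status.POAM,
}
INDEPENDENT = {
    "3.1.1": Status.NOT_IMPLEMENTED,
    "3.1.3": Status.NOT_IMPLEMENTED,
    "3.5.3": Status.PARTIAL,          # MFA on remote/privileged access only
    "3.5.7": Status.POAM,
    "3.8.3": Status.NOT_IMPLEMENTED,
    "3.13.8": Status.NOT_IMPLEMENTED,
    "3.13.11": Status.PARTIAL,        # encryption in place but not FIPS-validated
    "3.14.1": Status.NOT_IMPLEMENTED,
    "3.14.2": Status.NOT_IMPLEMENTED,
}

if __name__ == "__main__":
    print("self-reported score:", sprs_score(SELF_REPORTED))
    print("independent score:  ", sprs_score(INDEPENDENT))
    for req, status, points in top_deductions(INDEPENDENT):
        print(f"  {req:8} {status:16} -{points}")
```

Two 1-point gaps leave the self-reported score at 108; the same system assessed against the 5-point requirements lands at 79, and every one of the biggest deductions is a requirement whose absence is visible to anyone who looks at the system rather than the SSP. That is the mechanism behind the "near 110 on paper, far lower in practice" pattern the DoD keeps finding.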
What Contractors Should Confirm Now
Review every active DoD contract and identify which DFARS clauses are included. Many contractors have 7012 in contracts without realizing they also have active obligations under 7019 and 7020. Check your current SPRS score: when was it last posted, does it reflect your actual implementation, and is it supported by a current SSP and POA&M? Verify that your incident response plan addresses the 72-hour reporting requirement under 7012: specifically, who is responsible for making the report, how the notification is submitted through the DoD's DIBNet portal, and whether you already hold the DoD-approved medium assurance certificate that portal requires. That certificate takes time to obtain and cannot be acquired inside the 72-hour window after an incident is discovered.
For prime contractors with subcontractors touching CUI: audit your flow-down practices. Request current SPRS scores from subcontractors handling CUI and document that review as part of your vendor management record.
Reach out to Stratify IT to review your current DFARS obligations, assess your SPRS score accuracy, and build a roadmap toward CMMC certification — we work with defense contractors at every stage of this process.
Learn more about our CMMC compliance services to see the full range of what we offer.
Stratify IT — compliance built around your business, not a template.
For more on CMMC readiness and DFARS compliance, explore our leadership blogs.
Frequently Asked Questions
1. What is DFARS in cybersecurity compliance?
DFARS (Defense Federal Acquisition Regulation Supplement) is a set of DoD regulations that requires contractors to implement cybersecurity protections for Controlled Unclassified Information (CUI), primarily based on NIST SP 800-171 requirements.
2. How is DFARS related to CMMC compliance?
DFARS establishes the cybersecurity requirements, while CMMC (Cybersecurity Maturity Model Certification) verifies that organizations are actually meeting those DFARS requirements through formal assessments and certification.
3. What is DFARS clause 252.204-7012?
DFARS 252.204-7012 requires defense contractors to implement NIST SP 800-171 controls, report cyber incidents within 72 hours, and ensure proper protection of Covered Defense Information (CDI).
4. What is the difference between DFARS and NIST SP 800-171?
DFARS is a contractual regulation issued by the DoD, while NIST SP 800-171 is the technical standard that defines the specific security requirements organizations must implement to protect CUI.
5. Who needs to comply with DFARS requirements?
Any DoD contractor or subcontractor that processes, stores, or transmits Controlled Unclassified Information (CUI) must comply with DFARS cybersecurity requirements.
6. What are the main DFARS clauses related to cybersecurity?
The key DFARS cybersecurity clauses are 252.204-7012, 7019, 7020, and 7021, which together define security requirements, assessment obligations, and CMMC compliance enforcement.
7. How does DFARS impact CMMC certification?
DFARS forms the contractual foundation for CMMC: the NIST SP 800-171 requirements that DFARS imposes are the same requirements a CMMC Level 2 assessment verifies, so organizations must meet them before they can achieve the required CMMC level for DoD contracts.
8. What happens if a company is not DFARS compliant?
Non-compliance with DFARS can result in loss of eligibility for DoD contracts, failed CMMC assessments, contract penalties, False Claims Act exposure for inaccurate representations, and increased risk of cybersecurity breaches.
9. How can organizations prepare for DFARS and CMMC compliance?
Organizations should conduct a NIST SP 800-171 gap analysis, implement the required security controls, improve documentation (SSP and POA&M), post an accurate SPRS score, and prepare for CMMC assessments.