DFARS vs CMMC: Navigating the Regulatory Landscape

As a defense contractor or supplier, making sense of the regulatory landscape can be challenging. To achieve compliance with a list of regulations, you must implement the necessary security controls, reporting procedures, and risk management processes. It is also essential to stay abreast of updates and maintain ongoing compliance.


What’s in your contract?

First, review what’s in your contracts to determine what you are actually obligated to do. Also, consider what product or service you are providing the government. Note that what is often called DFARS 252.204-7012 was created to protect controlled unclassified information (CUI).


If you’re selling a commercial off-the-shelf (COTS) commodity, CUI is not involved, as that product is a commercially available item. In these cases it’s still important to meet the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls. Moving forward, it appears that the Department of Defense (DOD) is going to require implementation of these controls to do business with the agency in order to protect information systems across the defense industrial base (DIB).


What are the primary regulations in this area?


Federal Acquisition Regulation (FAR)

FAR 52.204-21: This clause requires contractors and subcontractors to implement basic safeguarding measures to protect federal contract information (FCI) in their possession.


Defense Federal Acquisition Regulation Supplement (DFARS)

DFARS 252.204-7012: This clause requires DOD contractors and subcontractors that process, store, or transmit CUI to implement specific cybersecurity measures when handling CUI. The regulation mandates that these organizations comply with NIST SP 800-171, which outlines a set of security requirements for protecting CUI. Failure to comply can result in the loss of contracts and other penalties. Additionally, this clause requires contractors and subcontractors to report any cyber incidents within 72 hours.

DFARS 252.204-7019: This clause requires suppliers to have undergone an assessment of compliance with NIST SP 800-171 guidelines within the past three years and to have scored at one of the three levels of Basic, Medium, or High. The assessment is used to verify that suppliers have taken the necessary steps to protect CUI in non-federal systems and organizations. Additionally, the scores obtained from the assessment must be posted in the Supplier Performance Risk System (SPRS), which is a database used by the DOD to evaluate the performance and reliability of its suppliers. The SPRS contains information on a supplier’s past performance, including quality, delivery, cost, and management, which helps the DOD make informed decisions on contract awards.

DFARS 252.204-7020: This clause specifies the requirements for self-assessment and third-party assessment of contractor and subcontractor compliance with NIST SP 800-171 by a certified third-party assessment organization (C3PAO) or government entity. Additionally, this clause requires DOD contractors and subcontractors to provide the DOD with access to their facilities, systems, and personnel to conduct a security review or audit.

DFARS 252.204-7021: This clause requires DOD contractors to comply with the Cybersecurity Maturity Model Certification (CMMC) framework, which is a set of cybersecurity standards that contractors must meet to do business with the DOD. The clause requires contractors and subcontractors to achieve a specific CMMC level to be eligible for the award of a DOD contract.



CMMC is a unified standard for cybersecurity that measures an organization’s cybersecurity maturity at three distinct levels. The framework was created to provide assurance to the DOD that its contractors and suppliers are taking adequate measures to safeguard sensitive information, like CUI.

The CMMC model consists of three levels of maturity that organizations must achieve, with each level building upon the previous one. The levels are designed to measure different aspects of cybersecurity, such as access control, incident response, and asset management. FAR and DFARS are the requirements; CMMC is the certification proving that the organization is in compliance with the DFARS clauses.


How to move forward

If your organization is a member of the DIB, you need to be following DFARS 7012 now. Know that it’s already in your contracts if you touch CUI. There is no need to wait for CMMC to be codified.

If a review of your contracts did not uncover any DFARS clauses that you are responsible for, you should still consider meeting these requirements as their omission could be a procedural oversight. Regardless, implementing the NIST SP 800-171 cybersecurity controls makes sense in terms of protecting your intellectual property, and that of any prime contractors or subcontractors you are working with.


If you would like assistance determining your regulatory and compliance requirements, the experts at CyberSheath can help. Contact us to get started.
