Cybersecurity for Government Contractors: CMMC and DFARS Compliance

Federal defense contracting increasingly requires demonstrated cybersecurity compliance as a condition of contract award and performance — not merely as a best practice. The Cybersecurity Maturity Model Certification (CMMC) program and the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 together define the primary compliance framework governing how contractors handling defense information must protect their systems and data. This page describes the structure of that framework, how compliance assessments are conducted, the scenarios that trigger different requirement levels, and the boundaries that distinguish CMMC obligations from related federal cybersecurity mandates.

Definition and scope

The CMMC program is administered by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) and governs cybersecurity requirements for members of the Defense Industrial Base (DIB), the more than 200,000 companies that hold DoD contracts or subcontracts. CMMC 2.0, the current framework version, was established by the 32 C.F.R. Part 170 final rule published in the Federal Register in October 2024 and effective December 16, 2024. It consolidates requirements into three levels rather than the five that characterized the original CMMC 1.0 model.

The scope of CMMC is defined by the type of information a contractor handles:

  1. Federal Contract Information (FCI): information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. Handling FCI triggers the basic safeguarding requirements of FAR 52.204-21 and CMMC Level 1.
  2. Controlled Unclassified Information (CUI): information that a law, regulation or government-wide policy requires to be safeguarded, but that is not classified. Handling CUI triggers NIST SP 800-171 and CMMC Level 2 or, for the most sensitive programs, Level 3.

DFARS clause 252.204-7012, codified at 48 C.F.R. § 252.204-7012, predates CMMC and remains independently applicable wherever it is included in a contract. It requires contractors to implement the 110 security requirements of NIST SP 800-171, to report cyber incidents to DoD within 72 hours of discovery, and to preserve images of all known affected systems and the relevant monitoring data for at least 90 days after the report is submitted.

How it works

CMMC compliance operates through a structured certification and assessment process tied to contract requirements. The framework draws its technical control baseline from NIST SP 800-171 (for Level 2) and NIST SP 800-172 (for Level 3), both published by the National Institute of Standards and Technology (NIST).

The three CMMC levels function as follows:

  1. Level 1 — Foundational: 15 requirements taken from 48 C.F.R. § 52.204-21(b)(1). Annual self-assessment, with the results and an annual affirmation by a senior company official submitted to the Supplier Performance Risk System (SPRS).
  2. Level 2 — Advanced: the 110 requirements of NIST SP 800-171 Rev. 2. Most contracts involving CUI require a certification assessment by a CMMC Third-Party Assessor Organization (C3PAO) every three years; a subset of programs designated by DoD accept a triennial self-assessment instead. Both paths require an annual affirmation by a senior official in SPRS.
  3. Level 3 — Expert: Level 2 plus 24 requirements selected from NIST SP 800-172. Assessed every three years by the Defense Contract Management Agency's (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), again with annual affirmation.

Assessment organizations are accredited and listed by the Cybersecurity Maturity Model Certification Accreditation Body (Cyber AB), the nonprofit authorized by DoD to manage the assessor ecosystem. Assessment results are recorded in SPRS, which contracting officers consult during source selection. The NIST SP 800-171 DoD Assessment Methodology scores a contractor's implementation of the 110 requirements on a scale from a maximum of 110 (every requirement met) down to a minimum of negative 203, with each unmet requirement deducting 1, 3 or 5 points according to its weight. DFARS 252.204-7019 requires a current score, no more than three years old, to be posted in SPRS before award of a covered contract; the CMMC rule goes further and grants Level 2 status only at a score of 110, or conditional status at a score of at least 88 with the open items closed out through a Plan of Action and Milestones (POA&M) within 180 days.

Common scenarios

The compliance requirements a contractor faces depend on contract type, the information environment, and subcontractor relationships.

Prime contractors with CUI access: A defense manufacturer holding a prime contract under which it processes technical drawings or program data designated as CUI is bound by DFARS 252.204-7012 from contract execution and, once a solicitation specifies a CMMC level, must hold current Level 2 status (C3PAO certification or, where the program permits, self-assessment) at the time of award.

Subcontractors in the supply chain: DFARS 252.204-7012 flows down to subcontractors at all tiers, including subcontracts for commercial products and services other than commercially available off-the-shelf (COTS) items, whenever the subcontractor's performance involves CUI. A sub-tier supplier receiving engineering specifications from a prime inherits the same 110-requirement obligation under NIST SP 800-171 regardless of the subcontract dollar value, and the prime is responsible for confirming that the subcontractor holds the required CMMC level before sharing CUI with it.

Small businesses and cloud services: Contractors using an external cloud service provider to process, store, or transmit CUI must ensure that the provider meets security requirements equivalent to the FedRAMP Moderate baseline, as required by DFARS 252.204-7012(b)(2)(ii)(D). A small business that places CUI in a commercially available cloud storage service lacking FedRAMP Moderate (or equivalent) authorization is out of compliance regardless of its own NIST SP 800-171 implementation status.

Research and development programs: Contractors on DoD research contracts may encounter CUI even when no production work is involved. Controlled technical information (CTI), a category listed in the CUI Registry, is frequently generated during R&D phases and triggers DFARS obligations from the point of generation.

Decision boundaries

CMMC and DFARS compliance obligations are not universal across all federal contracting — they are specific to DoD acquisitions and do not apply to civilian agency contracts governed by FAR 52.204-21 alone, which covers only basic safeguarding of FCI without the 110-control NIST SP 800-171 requirement.

Key distinctions between framework tiers:

  Requirement               | CMMC Level 1                   | CMMC Level 2                              | CMMC Level 3
  Control baseline          | 15 FAR 52.204-21 requirements  | 110 NIST SP 800-171 requirements          | 110 NIST SP 800-171 + 24 NIST SP 800-172 requirements
  Assessment type           | Self-assessment                | C3PAO certification or self-assessment    | DIBCAC government assessment
  Assessment frequency      | Annual                         | Every three years                         | Every three years
  Affirmation required      | Yes (annual)                   | Yes (annual)                              | Yes (annual)
  Primary information type  | FCI                            | CUI (standard programs)                   | CUI (highest-priority programs)

CMMC requirements do not apply retroactively to existing contracts unless a contract modification introduces a CMMC clause. Contractors performing on legacy contracts without a CMMC clause remain bound by DFARS 252.204-7012 but are not required to obtain formal CMMC certification until it appears in a new solicitation or modification.

The Smart Security listings directory identifies cybersecurity service providers with documented experience in CMMC assessment preparation, CUI boundary scoping, and SPRS scoring remediation. The purpose and scope of this resource explains how providers are categorized within the directory framework. Organizations evaluating compliance readiness can reference the full directory of listed providers to locate firms with verifiable DIB sector experience.

CMMC does not replace or supersede DFARS 252.204-7012; the two operate in parallel. A contractor may hold CMMC Level 2 status and still face DFARS obligations independently, including the 72-hour incident reporting requirement and the obligation under NIST SP 800-171 (requirements 3.12.2 and 3.12.4) to maintain a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M) as living documents throughout the contract period of performance.
