Small defense contractors hear “DFARS” and “CMMC” from different consultants, in different contexts, on different invoices — and it's easy to come away thinking they're two competing frameworks. They aren't. They're two layers of the same stack. This post explains exactly how they relate, what each one demands, and which one you actually need to act on first.
TL;DR — which is which
| | DFARS 252.204-7012 | CMMC |
|---|---|---|
| What it is | A contract clause (the rule) | An assessment program (the audit) |
| In effect since | December 2017 | Rule final 2024, contract flow-down began 2025 |
| Triggered by | Contracts involving CUI | FCI (Level 1) or CUI (Level 2 / 3) |
| What it requires | Implement NIST SP 800-171 + 72-hour incident reporting | A certified assessment proving you meet the controls |
| How you comply | Self-attestation under contract | Self-assessment (L1), C3PAO assessment (L2), DIBCAC (L3) |
| Who enforces | DoD contracting officers + DOJ (False Claims Act) | The Cyber AB (accreditation body) + DoD CIO |
What DFARS 252.204-7012 actually says
DFARS 7012 is one clause buried in the Defense Federal Acquisition Regulation Supplement, but it carries the DoD's entire pre-CMMC cybersecurity regime. The clause has three substantive obligations:
1. Implement NIST SP 800-171
You must provide “adequate security” for systems that hold Covered Defense Information — defined as implementing the 110 security requirements in NIST Special Publication 800-171. These cover access control, audit logging, configuration management, incident response, media protection, personnel security, physical protection, and more.
2. Report cyber incidents within 72 hours
If you discover a cyber incident affecting a covered system or CUI, you must report it to the DoD Cyber Crime Center (DC3) within 72 hours of discovery. This is a hard deadline. The report goes to dibnet.dod.mil.
3. Submit malicious software
If you isolate malicious software in connection with the incident, you submit it to DC3 for analysis — encrypted and through their portal.
What CMMC actually is
CMMC stands for Cybersecurity Maturity Model Certification. It is a certification program codified in 32 CFR Part 170 (the substance) and flowed into contracts through DFARS 252.204-7021 (the clause). The DoD's Q&A is unambiguous: CMMC is the verification mechanism for the same NIST 800-171 controls DFARS 7012 has required since 2017.
CMMC has three levels, tiered to the sensitivity of the information involved:
| Level | What it covers | Who assesses | Typical cost |
|---|---|---|---|
| Level 1 | 15 basic safeguarding requirements (FAR 52.204-21). Protects FCI. | Self-assessment + annual SPRS affirmation | $0–$5k (DIY) · $249/mo guided |
| Level 2 | 110 controls from NIST SP 800-171 Rev 2. Protects CUI. | C3PAO (third-party) assessment every 3 years | $20k–$80k year 1 |
| Level 3 | Level 2 + a subset of NIST SP 800-172 enhancements. High-priority CUI. | DIBCAC (government) assessment | $100k+ year 1 |
How DFARS 7012 and CMMC fit together
Picture it as a two-story building. DFARS 7012 is the foundation; CMMC is the inspector that signs off on the foundation.
- Same controls. CMMC Level 2 = the 110 NIST SP 800-171 controls that DFARS 7012 has required since 2017. You aren't doing new security work for CMMC; you're proving what you should have been doing.
- Added enforcement. CMMC adds a tiered, audited certification — replacing the SSP+POAM self-attestation that DFARS 7012 alone allowed.
- Layered, not replaced. Both clauses flow into modern DoD contracts. You comply with DFARS 7012 obligations and hold the CMMC certification.
- Level 1 contractors get a break. If your contracts involve FCI only (no CUI), DFARS 7012 doesn't apply to you. You only owe CMMC Level 1 — 15 requirements, self-assessed.
The 7012 / 7019 / 7020 / 7021 family
DFARS 7012 doesn't live alone — it sits in a family of four cybersecurity clauses that have stacked up since 2020. Here's what each one does:
| Clause | Year | What it requires |
|---|---|---|
| DFARS 252.204-7012 | 2017 | Implement NIST SP 800-171 + 72-hour incident reporting. |
| DFARS 252.204-7019 | 2020 | Upload a current NIST 800-171 self-assessment score to SPRS before contract award. |
| DFARS 252.204-7020 | 2020 | Allow DoD (specifically DIBCAC) to conduct higher-confidence verification assessments. |
| DFARS 252.204-7021 | 2024-25 | Hold the appropriate CMMC certification (L1/L2/L3) at time of contract award. |
For a CUI contractor: 7012 is the substantive rule, 7019 is the “tell us your score,” 7020 is the “let us verify,” and 7021 is the “hold the cert.”
What this means for a small contractor
If you handle FCI only (no CUI)
DFARS 7012 does not apply to you. The NIST 800-171 obligations in 7019, 7020 and 7021 do not apply either; they ride on the same CUI trigger. Your obligation is the simpler one: CMMC Level 1. Fifteen requirements. A self-assessment. A one-page annual SPRS affirmation. You can finish in a week.
If you handle CUI
DFARS 7012 applies in full. You must implement NIST SP 800-171 across the systems that touch CUI, be ready to report incidents within 72 hours, and post a current self-assessed SPRS score. On top of that, when DFARS 7021 flows down (the schedule is rolling through 2026–2028), you'll need a current CMMC Level 2 certification before contract award.
Your next move
- Pull your last three DoD contracts. Search for the strings DFARS 252.204-7012, 7019, 7020, and 7021. The clauses that flow down to you tell you exactly what you owe.
- Determine whether you hold CUI. See our CUI vs FCI breakdown for the one-question test.
- Pick your starting level. FCI only → CMMC Level 1. CUI → DFARS 7012 + CMMC Level 2.
- If you're Level 1: start here. The free printable checklist and the 4-minute SPRS quiz will tell you in under an hour where you stand.
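The first three steps above can be scripted: scan the contract text for the 252.204-70xx clause references, map each one to the obligation described in the clause table earlier in this post, and cross-check the result against your own CUI determination. The script below is an added example, not part of this post or any DoD tool; the regex, the obligation wording, and the sample contract excerpt are all constructed for illustration, and it flags the case the post calls out under "Does DFARS 252.204-7012 apply to all DoD contractors?": a 7012 clause in a contract you believed was FCI-only.

```python
import re

# Obligation per clause, paraphrased from the 7012/7019/7020/7021 table in this post.
CLAUSE_OBLIGATIONS = {
    "7012": "Implement NIST SP 800-171 and report cyber incidents to DC3 within 72 hours",
    "7019": "Post a current NIST SP 800-171 self-assessment score to SPRS before award",
    "7020": "Allow DoD (DIBCAC) to conduct a verification assessment",
    "7021": "Hold the appropriate CMMC certification at time of award",
}

# Matches "DFARS 252.204-7012", "252.204-7019", or the shorthand "DFARS 7020".
# Group 1 captures the four-digit clause suffix. Pattern is an assumption about
# how clause citations are typically written, not an official format.
CLAUSE_RE = re.compile(
    r"(?:252\.204\s*[-\u2013]\s*|DFARS\s+(?:252\.204\s*[-\u2013]\s*)?)(70(?:12|19|20|21))\b",
    re.IGNORECASE,
)


def find_clauses(contract_text: str) -> list:
    """Return the sorted, de-duplicated 70xx clause suffixes cited in the text."""
    return sorted({m.group(1) for m in CLAUSE_RE.finditer(contract_text)})


def determine_obligations(contract_text: str, handles_cui: bool) -> dict:
    """Apply the post's decision rule: 7012 present or CUI held -> Level 2 track,
    otherwise Level 1. A 7012 clause in a contract you thought was FCI-only is a
    mismatch worth a warning, since the clause itself signals CUI."""
    clauses = find_clauses(contract_text)
    cui_signaled = "7012" in clauses
    warnings = []
    if cui_signaled and not handles_cui:
        warnings.append(
            "Contract carries DFARS 252.204-7012, which signals CUI; revisit your CUI determination"
        )
    level = "CMMC Level 2" if (handles_cui or cui_signaled) else "CMMC Level 1"
    return {
        "clauses": clauses,
        "obligations": [CLAUSE_OBLIGATIONS[c] for c in clauses],
        "starting_level": level,
        "warnings": warnings,
    }


# Constructed excerpt in the style of a contract's clause list (not a real contract).
SAMPLE_CONTRACT = """
Section I - Contract Clauses
52.204-21 Basic Safeguarding of Covered Contractor Information Systems
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements
"""

if __name__ == "__main__":
    result = determine_obligations(SAMPLE_CONTRACT, handles_cui=False)
    print("Clauses found:", ", ".join(result["clauses"]))
    for item in result["obligations"]:
        print(" -", item)
    print("Starting level:", result["starting_level"])
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run it against the text of each contract in turn; the clause list is the authoritative answer to "what do I owe", and a warning means the contract and your own CUI answer disagree, which is the question to settle before picking a level.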
Frequently asked questions
Is DFARS 7012 the same as CMMC?
No. DFARS 252.204-7012 is the contract clause that has required DoD contractors to safeguard CUI under NIST SP 800-171 since 2017. CMMC is a newer assessment program (codified at 32 CFR Part 170 and 48 CFR DFARS 252.204-7021) that verifies compliance with those same NIST controls through a tiered, audited certification. DFARS 7012 sets the rule; CMMC enforces the rule.
Do I still need to comply with DFARS 7012 if I have CMMC certification?
Yes. CMMC does not replace DFARS 7012 — it builds on it. DFARS 7012 still flows down through DoD contracts and still requires you to implement NIST SP 800-171, report cyber incidents within 72 hours, and submit malicious software to DC3. CMMC adds the certification, the audited assessment, and the SPRS posting requirement on top.
Does DFARS 252.204-7012 apply to all DoD contractors?
It applies to any DoD contract or subcontract that involves Covered Defense Information (a category that includes CUI). It does not apply to commercial-off-the-shelf (COTS) items, and it does not apply to contracts that involve only FCI (no CUI). If your DoD contracts include CUI — typically signaled by a CUI marking or a DFARS 7012 clause in the contract — it applies.
What's the difference between DFARS 7012, 7019, 7020, and 7021?
DFARS 7012 (since 2017) requires you to implement NIST SP 800-171 to protect CUI. DFARS 7019 (since 2020) requires you to upload a self-assessed SPRS score reflecting your NIST 800-171 implementation. DFARS 7020 (since 2020) requires you to allow the DoD to conduct a verification assessment. DFARS 7021 (since 2024, finalized 2025) is the CMMC clause that requires the formal certification at Level 1, 2, or 3 depending on the contract.
If I only handle FCI, does DFARS 7012 apply?
No. DFARS 7012 protects CUI, not FCI. If you only handle FCI (the routine, unmarked non-public information of doing federal business), DFARS 7012 does not flow down to you and CMMC Level 1 — not Level 2 — is what you owe. The trigger for DFARS 7012 is CUI; the trigger for CMMC Level 1 is FCI alone.
Has DFARS 7012 changed in 2025 or 2026?
The 7012 clause itself has been stable since 2017, but the surrounding ecosystem has changed substantially. DFARS 252.204-7021 (the CMMC clause) finalized in 2025 and now flows into contracts on a rolling schedule. DoD has also clarified enforcement against false self-assessments via the DOJ Civil Cyber-Fraud Initiative. The substantive obligation under 7012 — implement NIST 800-171, report incidents in 72 hours — is unchanged.