Every CMMC clause, explained in plain English.
The 16 clauses that actually govern CMMC, NIST 800-171, and FCI/CUI handling — each with a plain-English answer to two questions: what does this require, and who does it apply to? Plus a link to the primary source.
For the curated link hub to the source documents themselves, see /regulations.
FAR
3 clauses

FAR 52.204-21 (Eff. June 15, 2016)
Basic Safeguarding of Covered Contractor Information Systems
FAR 52.204-21 requires every federal contractor that has Federal Contract Information (FCI) on its systems to implement 15 basic safeguarding requirements covering access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. It is the entire substantive content of CMMC Level 1.
Read clause explainer

FAR 4.1901
Definitions — Federal Contract Information
FAR 4.1901 is the regulatory definition section that defines "Federal Contract Information" (FCI) for the entire federal acquisition system. It is the source contractors should cite when determining whether information they hold qualifies as FCI and therefore triggers FAR 52.204-21.
Read clause explainer

FAR 4.1903
Contract Clause — Requirement to Insert FAR 52.204-21
FAR 4.1903 directs contracting officers to insert the FAR 52.204-21 safeguarding clause into solicitations and contracts when the contractor or subcontractor at any tier may have Federal Contract Information residing in or transiting through its information system. This is the procedural mechanism by which FAR 52.204-21 lands in nearly every federal contract.
Read clause explainer
DFARS
6 clauses

DFARS 252.204-7012 (Eff. December 31, 2017)
Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012 requires DoD contractors that handle Covered Defense Information (CDI) to implement the security requirements of NIST SP 800-171, report cyber incidents to DoD within 72 hours via the DIBNet portal, and use FedRAMP Moderate (or equivalent) cloud services for CDI. It has been the contractual basis for NIST 800-171 across the defense industrial base since 2017.
Read clause explainer

DFARS 252.204-7008
Compliance with Safeguarding Covered Defense Information Controls
DFARS 252.204-7008 is the solicitation provision that requires offerors on DoD procurements involving Covered Defense Information to represent that, by submission of the offer, they will implement the security requirements of NIST SP 800-171 as required by DFARS 252.204-7012. It is the offer-stage companion that makes -7012 binding at award.
Read clause explainer

DFARS 252.204-7019 (Eff. November 30, 2020)
Notice of NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7019 requires offerors on DoD solicitations involving CUI to have a current NIST SP 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS) before they are eligible for award. The score must not be more than three years old at the time of the offer.
Read clause explainer

DFARS 252.204-7020 (Eff. November 30, 2020)
NIST SP 800-171 DoD Assessment Requirements
DFARS 252.204-7020 is the contract clause companion to -7019: once awarded, the contractor must maintain a current NIST SP 800-171 assessment in SPRS, allow DoD access to verify it, and flow the requirement down to subcontractors that will handle CUI. It binds the obligation throughout contract performance, not just at offer.
Read clause explainer

DFARS 252.204-7021 (Eff. November 10, 2025)
Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
Read clause explainer

DFARS 252.204-7024
Notice on the Use of the Supplier Performance Risk System
DFARS 252.204-7024 notifies offerors that DoD will use SPRS risk assessments and supplier performance information in the source selection process for solicitations above the simplified acquisition threshold. It is the formal acknowledgment that SPRS data — including CMMC and 800-171 scores — is a source-selection input.
Read clause explainer
32 CFR
5 clauses

32 CFR 170.15 (Eff. December 16, 2024)
CMMC Level 1 Self-Assessment and Affirmation Requirements
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by a senior official with authority to bind the organization.
Read clause explainer

32 CFR 170.16
CMMC Level 2 Self-Assessment Requirements
32 CFR 170.16 governs the subset of CMMC Level 2 work that DoD allows to be self-assessed (rather than certified by a C3PAO). It requires a triennial self-assessment against all 110 NIST SP 800-171 controls, supplemented by an annual senior-official affirmation, for the specific programs DoD designates as eligible for self-assessment.
Read clause explainer

32 CFR 170.17
CMMC Level 2 Certification Assessment Requirements
32 CFR 170.17 specifies the procedural requirements when CMMC Level 2 must be verified by a CMMC Third-Party Assessment Organization (C3PAO) rather than self-assessed. It defines the triennial assessment cadence, the role of the Certified CMMC Assessor (CCA), the use of NIST SP 800-171A objectives, and the conditions for issuing a Final Level 2 Certification Assessment.
Read clause explainer

32 CFR 170.18
CMMC Level 3 Certification Assessment Requirements
32 CFR 170.18 establishes the requirements for CMMC Level 3 certification, which is reserved for DoD programs involving CUI of the highest priority. It requires implementation of all 110 NIST SP 800-171 controls plus 24 enhanced controls drawn from NIST SP 800-172, with the certification assessment performed by the DoD's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Read clause explainer

32 CFR 170.22 (Eff. December 16, 2024)
Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official — a senior representative of the contractor with authority to bind the organization — to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.
Read clause explainer