CMMC and DFARS — How They Relate

How CMMC relates to DFARS 252.204-7012, 7019, 7020, and 7021, how contractual enforcement actually works, and how NIST SP 800-171 ties the two together.

CMMC is verification; DFARS is enforcement

It is easy to talk about CMMC and DFARS as if they are separate programs. They are not. CMMC is the Department of Defense's certification framework. DFARS — the Defense Federal Acquisition Regulation Supplement — is the set of contract clauses that actually imposes CMMC (and the NIST SP 800-171 controls beneath it) on defense contractors. Without DFARS, CMMC is a program on paper. With DFARS, CMMC is an enforceable requirement that can kill a contract award.

This page walks through the DFARS clauses that matter for CMMC, how they relate, and what each one obliges you to do.

DFARS 252.204-7012: the foundation

DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting" — has been in effect since December 31, 2017. It applies to any DoD contract that involves covered defense information (essentially CUI as the DoD defines it) and it does two things:

  1. Requires implementation of NIST SP 800-171. Contractors must implement the 110 security requirements in NIST SP 800-171 Rev 2 to protect covered defense information processed, stored, or transmitted on non-federal systems.
  2. Requires cyber incident reporting within 72 hours. If a cyber incident affects covered defense information or the systems handling it, the contractor must report to the DoD through the DoD Cyber Crime Center (DC3) within 72 hours of discovery.

7012 also flows down to subcontractors at every tier that process covered defense information. That flow-down language — unchanged since 2017 — is why primes have a long-established responsibility to require NIST SP 800-171 compliance from their subs.

What 7012 did not do was verify compliance. Contractors self-attested. There was no audit. There was no score. That gap is exactly what CMMC closed.

DFARS 252.204-7019 and -7020: the scoring clauses

In November 2020, the DoD added DFARS 252.204-7019 ("Notice of NIST SP 800-171 DoD Assessment Requirements") and DFARS 252.204-7020 ("NIST SP 800-171 DoD Assessment Requirements"). Together, they imposed a new obligation on contractors with 7012 in their contracts: conduct a NIST SP 800-171 self-assessment and post the score to the Supplier Performance Risk System (SPRS).

The mechanics:

  • The self-assessment uses the DoD Assessment Methodology — the same scoring method CMMC Level 2 self-assessments use today.
  • Scoring starts at 110 and subtracts points for unmet requirements.
  • The score is posted to SPRS and is visible to contracting officers during source selection.
  • Scores more than three years old are considered expired.

7019 and 7020 were the bridge between 7012 and CMMC. They introduced the scoring methodology, they stood up SPRS as the authoritative repository, and they normalized the idea that a specific numerical measure of NIST SP 800-171 compliance would factor into contract decisions. When CMMC 2.0 arrived, it could plug into the mechanism 7019 and 7020 had already built.

DFARS 252.204-7021: the CMMC clause

DFARS 252.204-7021 — "Cybersecurity Maturity Model Certification Requirements" — is the clause that makes CMMC a contract requirement. Originally published in 2020 (briefly, under CMMC 1.0), it was revised and republished alongside the CMMC 2.0 program rule and took effect November 10, 2025.

7021 does four things:

  1. Requires a current CMMC certification at contract award. Before an award can be made, the contractor must hold a valid CMMC certification at the level specified in the solicitation. No certification, no award.
  2. Requires the certification to remain current. Certifications must not expire during performance, and annual affirmations must be submitted on time.
  3. Requires flow-down. The CMMC requirement flows to subcontractors at the level appropriate for the covered information they will handle.
  4. Specifies the assessment type. The solicitation identifies whether the required certification is Level 1 self, Level 2 self, Level 2 C3PAO, or Level 3 DIBCAC.

7021 does not replace 7012, 7019, or 7020. All four clauses operate simultaneously. A contractor with a Level 2 C3PAO contract is subject to 7012 (safeguarding and incident reporting), 7019 and 7020 (scoring and SPRS), and 7021 (certification before award). Each clause addresses a different mechanism of the same program.

How the clauses work together

Think of the DFARS cyber clauses as a stack:

  • 7012 sets the control standard. NIST SP 800-171. Incident reporting within 72 hours. Flow-down to subs.
  • 7019 and 7020 introduce scoring. DoD Assessment Methodology. SPRS submission. Visibility during source selection.
  • 7021 adds certification. A formal CMMC credential at the right level, verified at award.

Each clause is additive. 7012 still requires 800-171 implementation. 7019 and 7020 still require SPRS scoring. 7021 adds the requirement that your scoring translate into a recognized CMMC certification before a DoD agency can put contract dollars behind you.

NIST SP 800-171 is the common thread

Every DFARS cyber clause points back to the same underlying control standard: NIST SP 800-171 Rev 2. The 14 control families and 110 security requirements are what you actually implement. Everything else — the scoring methodology, the SPRS entry, the C3PAO certification — is downstream machinery for verifying your NIST SP 800-171 posture.

This is why investing in a strong NIST SP 800-171 program is the highest-leverage move a defense contractor can make. It satisfies DFARS 252.204-7012. It produces the score for SPRS under 7019 and 7020. It is the pre-work for any CMMC Level 2 assessment under 7021. One control implementation, four DFARS obligations satisfied.

Contractual enforcement: what happens when you miss

The DFARS clauses are not advisory. Enforcement mechanisms include:

  • Contract ineligibility. Under 7021, no CMMC certification means no award. The contracting officer cannot legally make the award.
  • Stop-work or termination. A certification that lapses mid-contract can trigger cure periods or, in the worst case, termination for default.
  • False Claims Act exposure. A misrepresented SPRS score under 7019 or 7020 is a false claim. Multiple defense contractors have settled FCA cases tied to inflated NIST SP 800-171 scores, with settlements in the hundreds of thousands to tens of millions of dollars.
  • Suspension and debarment. Egregious cybersecurity failures can trigger suspension or debarment from federal contracting.
  • Incident reporting failures. Under 7012, missing the 72-hour reporting window is itself a contractual breach, independent of any underlying cybersecurity posture.

How this fits into your CMMC program

The DFARS clauses give you a concrete obligations map. Every CMMC readiness activity should be traceable to one or more of them:

  • SSP development → 7012 (NIST SP 800-171 implementation).
  • SPRS score submission → 7019 and 7020.
  • C3PAO assessment → 7021 at Level 2.
  • DIBCAC assessment → 7021 at Level 3.
  • Incident response program → 7012 (72-hour reporting).
  • Subcontractor flow-down → 7012 and 7021 flow-down language.

Using the clauses as the organizing frame makes the obligations tangible. "Because DFARS 252.204-7012 requires 72-hour incident reporting, we need an incident response plan that can meet a 72-hour clock" is a more actionable statement than "we need an incident response plan."

Common mistakes

  • Assuming CMMC replaces the older clauses. It does not. 7012, 7019, and 7020 all continue to apply.
  • Ignoring 7012 incident reporting. Many contractors focus on controls and forget that 7012 also requires rapid reporting to DC3. Missing the 72-hour window is its own breach.
  • Treating SPRS as optional. Under 7019 and 7020, a posted SPRS score is a prerequisite for being considered for many DoD contracts. Organizations with no score on file effectively disqualify themselves.
  • Flowing down 7021 without the data to justify it. CMMC clauses should flow to subcontractors based on the covered information actually shared with them. Flowing the clause down too broadly creates unnecessary subcontractor obligations; flowing it down too narrowly leaves the prime exposed to enforcement.
  • Confusing CUI scope with contract scope. The DFARS clauses apply because of how covered information flows, not because of the contract's dollar value. A small contract with CUI triggers the clauses; a large contract without CUI may not.

How episki helps

episki maps each DFARS obligation to the specific NIST SP 800-171 controls and CMMC practices that satisfy it. When a new DFARS clause is modified or a new solicitation cites a specific requirement, the platform shows you exactly what you already have coverage for and what you still need. Incident response workflows are pre-configured to meet the 72-hour reporting clock under 7012, and SPRS score submissions under 7019 and 7020 are generated from the same control evidence that feeds your CMMC assessment. Start a free trial to align your DFARS obligations in one workspace.
