Two Frameworks, One Mission: Protecting CUI in the Defense Industrial Base
If you are a defense contractor navigating the current cybersecurity compliance landscape, you have almost certainly encountered both DFARS 252.204-7012 and CMMC 2.0. Many compliance managers treat these as interchangeable or assume that satisfying one automatically satisfies the other. That assumption creates serious contractual and legal exposure.
These two frameworks share a common foundation—NIST SP 800-171 and the protection of Controlled Unclassified Information (CUI)—but they operate differently, carry different enforcement mechanisms, and impose different obligations on your organization. Understanding exactly where they align and where they diverge is not an academic exercise. It is a prerequisite for maintaining contract eligibility and avoiding False Claims Act liability.
What DFARS 252.204-7012 Actually Requires
DFARS 252.204-7012, titled "Safeguarding Covered Defense Information and Cyber Incident Reporting," has been a mandatory clause in DoD contracts since 2017. It is a contract clause—not a certification program—meaning its requirements flow automatically into any covered contract without your organization having to seek external validation.
At its core, DFARS 252.204-7012 requires contractors to do three things:
- Implement adequate security. Contractors must apply the 110 security requirements in NIST SP 800-171 to all covered contractor information systems that process, store, or transmit Covered Defense Information (CDI).
- Report cyber incidents. Any cyber incident affecting a covered system must be reported to the DoD within 72 hours through the DIBNet portal. This includes preserving images of compromised systems and submitting relevant malware.
- Flow down requirements. Contractors must include the clause in subcontracts where subcontractors will process or store CDI, ensuring the obligation extends throughout the supply chain.
Critically, DFARS 252.204-7012 relies on self-attestation. Contractors self-assess their NIST SP 800-171 implementation, calculate a score using the DoD scoring methodology, and submit that score to the Supplier Performance Risk System (SPRS). There is no mandatory third-party validation under the clause itself.
What this means in practice: your organization can be legally obligated under DFARS 252.204-7012 right now, regardless of where you stand in the CMMC rulemaking timeline.
What CMMC 2.0 Requires and How It Differs
CMMC 2.0 is a certification program, not simply a contract clause. Developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment, it was designed to address a fundamental weakness in the DFARS self-attestation model: the lack of independent verification.
Under CMMC 2.0, defense contractors must achieve a specific certification level before they can bid on or perform certain DoD contracts. The program is structured around three levels:
- Level 1 (Foundational): Covers 17 basic cyber hygiene practices aligned with FAR 52.204-21. Annual self-assessment with senior official affirmation is sufficient.
- Level 2 (Advanced): Aligns directly with all 110 practices of NIST SP 800-171. Most contracts involving CUI will require Level 2. For most organizations, this requires a triennial third-party assessment conducted by a Certified Third-Party Assessor Organization (C3PAO).
- Level 3 (Expert): Based on a subset of NIST SP 800-172 controls. Reserved for contractors supporting the most critical DoD programs. Assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Unlike DFARS 252.204-7012, CMMC 2.0 results in a formal certification that is tracked and verified through the CMMC eMASS portal. Contractors cannot self-certify at Level 2 (with limited exceptions for certain low-risk programs) and cannot begin a contract requiring CMMC certification without having achieved that certification in advance.
Where the Two Frameworks Overlap
The overlap between DFARS 252.204-7012 and CMMC 2.0 is substantial, and that overlap is what leads some contractors to conclude, wrongly, that the two are the same thing.
NIST SP 800-171 is the shared technical spine. Both frameworks require implementation of NIST SP 800-171's 110 security requirements across 14 control families. If your organization is genuinely implementing those controls—access control, audit and accountability, configuration management, incident response, risk assessment, and the rest—you are building the technical foundation that both frameworks demand.
The System Security Plan (SSP) is required under both. DFARS 252.204-7012 requires contractors to develop and maintain an SSP. CMMC 2.0 assessors will examine your SSP as a primary artifact during a C3PAO assessment. A well-constructed SSP and POA&M serve both obligations simultaneously.
The cyber incident reporting obligation persists under both. Even after achieving CMMC certification, the 72-hour reporting requirement under DFARS 252.204-7012 remains independently in force. Certification does not extinguish the contractual clause.
Subcontractor flow-down applies to both. If you are a prime contractor, you must ensure that subcontractors handling CUI satisfy both the DFARS clause and, when CMMC is required in your contract, the applicable CMMC level. This has significant implications for supply chain management and vendor vetting.
Where They Diverge: The Differences That Matter
Understanding the differences is where the practical compliance work gets complicated.
Verification Method
DFARS 252.204-7012 relies on self-assessment and self-attestation submitted to SPRS. CMMC 2.0 Level 2 requires independent third-party assessment by an accredited C3PAO for most contractors. A passing SPRS score does not equal CMMC certification, and CMMC certification does not replace the SPRS submission requirement.
Timing and Contract Applicability
DFARS 252.204-7012 is already embedded in your existing contracts. CMMC 2.0 certification requirements are being phased in as contracts are awarded or renewed under the new rulemaking. This means some organizations are simultaneously obligated under the older DFARS clause while preparing for CMMC requirements that will appear in future contracts.
Scope of Covered Information
DFARS 252.204-7012 applies to "Covered Defense Information," which includes CUI and operationally critical support information. CMMC 2.0's scope is determined by whether your contract involves Federal Contract Information (FCI) or CUI, with the level required tied to the sensitivity of that information. These definitions are not identical, and mapping your information environment against both is a necessary step in any compliance program.
Incident Response and Malware Submission
The incident reporting obligations under DFARS 252.204-7012 are specific and operational: 72-hour reporting, system image preservation, and potential malware submission. CMMC 2.0 addresses incident response as a control domain requiring policies, procedures, and tested capabilities—but the specific contractual reporting obligation lives in the DFARS clause, not the CMMC standard itself.
Cloud Service Requirements
DFARS 252.204-7012 requires that cloud service providers used to process CDI meet FedRAMP Moderate equivalency or higher. CMMC 2.0 assessors will examine your cloud environment for compliance with the applicable NIST SP 800-171 controls, but the FedRAMP Moderate equivalency requirement is a DFARS-specific obligation that requires separate verification.
Practical Implications for Your Compliance Program
The bottom line for compliance managers and executives is this: you cannot treat DFARS 252.204-7012 compliance and CMMC 2.0 readiness as separate workstreams. But you also cannot collapse them into a single checklist without missing obligations that belong to one framework and not the other.
A defensible approach requires:
- Maintaining a current, accurate SPRS score that reflects your actual NIST SP 800-171 implementation—not an aspirational assessment
- Building an SSP and POA&M that will satisfy both the DFARS clause auditor and a C3PAO assessor
- Establishing documented incident response procedures that meet the 72-hour reporting requirement, not just the CMMC incident response control family
- Verifying that all cloud services touching CDI or CUI meet FedRAMP Moderate equivalency
- Reviewing subcontractor agreements to ensure both DFARS flow-down and applicable CMMC requirements are addressed
- Preparing for your CMMC assessment as a separate milestone from your ongoing DFARS compliance obligations
Organizations in the federal and defense contracting space that are proactively aligning their programs now—rather than waiting for a specific contract to trigger action—are the ones that will maintain competitive positioning as CMMC requirements expand across the defense industrial base.
Our CMMC, CUI & DFARS compliance services are specifically designed to help contractors navigate both frameworks simultaneously, building a unified compliance posture that satisfies current DFARS obligations while positioning your organization for CMMC certification. If you are unsure how your current program maps against both requirements, a structured gap assessment is the right first step.
Take the Next Step
Cleared Systems works with defense contractors, subcontractors, and suppliers across the defense industrial base to build compliance programs that hold up under scrutiny—whether that scrutiny comes from a contracting officer reviewing your SPRS submission or a C3PAO assessor conducting a formal CMMC Level 2 assessment. If you are ready to close the gap between where your program is today and where it needs to be, request a quote or explore our engagement models to find the right fit for your organization's size, timeline, and risk profile.
