Overview of DFARS and CMMC Cyber Regulation

Cybersecurity has been regulated by the U.S. DoD since 2017, when it introduced DFARS 252.204-7012 to secure Controlled Unclassified Information (CUI) across the Defense Industrial Base (DIB). The DoD has since developed its cybersecurity regulation further with the Cybersecurity Maturity Model Certification (CMMC) program, which becomes enforceable in DoD contracts from November 10th, 2025. DoD contractors and subcontractors should be aware that CMMC is a DFARS regulation. CMMC is defined under DFARS 252.204-7021 (“DFARS 7021”) and simply extends the existing regulations DFARS 252.204-7012 (“DFARS 7012”), DFARS 252.204-7019 (“DFARS 7019”), and DFARS 252.204-7020 (“DFARS 7020”) for ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’. DFARS 7019, 7020, and 7021 all rely on the foundation laid by DFARS 7012.

DFARS 7012 is an important clause for the safeguarding of Controlled Unclassified Information (CUI). It requires covered contractors to implement, as a minimum, the 110 cybersecurity practices defined in NIST SP 800-171 across all covered contractor information systems that create, store, process, or transmit covered defense technical information defined as Controlled Unclassified Information (CUI).

DFARS 7012 is a solicitation provision and contract clause defined in 48 CFR § 204.7304 (Title 48, Code of Federal Regulations, Chapter 2 ‘Defense Acquisition Regulations System, Department of Defense’, Part 204 ‘Administrative and Information Matters’, Sub-Part 204.7303 ‘Solicitation provisions and contract clauses’). This means that the DoD includes DFARS 7012 in contracts, and has done so since December 31st, 2017. DFARS 7012 is a clause that defense contractors are required to ‘flow down’ to their subcontractors wherever performance of a subcontract involves covered defense information. DoD contractors were required to self-attest compliance with DFARS 7012 before November 30th, 2020. However, as part of the process of implementing the CMMC program, the DoD released an interim final rule creating DFARS 7019 and DFARS 7020. These require DoD contractors and subcontractors to assess their compliance against NIST SP 800-171A, to submit their scores directly to the DoD Supplier Performance Risk System (SPRS) in order to be considered for a DoD contract or subcontract, and to give the U.S. Government access to their facilities, systems, and personnel so that the DoD can conduct follow-up assessments of compliance. These DFARS regulations are being applied today.

DFARS 252.204-7012

Under DFARS 252.204-7012, ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’, DIB contractors and their subcontractors are expected to comply with the 110 practices of NIST SP 800-171. These NIST SP 800-171 practices must be applied across all Covered Contractor Information Systems, that is, the systems on which Covered Defense Information is created, stored, or transmitted.

Covered Contractor Information Systems: Defined as unclassified information systems that are owned, or operated by or for, a contractor and that process, store, or transmit covered defense information.

Covered Defense Information: Defined as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies.

Technical information: Means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data—Other Than Commercial Products and Commercial Services, regardless of whether or not the clause is incorporated in this solicitation or contract. Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, and related information, and computer software executable code and source code.

Adequate security: Contractors shall provide adequate security on all covered contractor information systems. To provide adequate security for information systems that are NOT operated on behalf of the government, the contractor shall implement, at a minimum, NIST SP 800-171, as soon as practical, but not later than December 31, 2017.

Cyber Incidents: When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the Contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall rapidly report the cyber incident to DoD at https://dibnet.dod.mil.

Flow Down: The Contractor shall include the DFARS 252.204-7012 clause in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial products or commercial services, without alteration, except to identify the parties.

DFARS 7021, the ‘CMMC clause’, has now been formally added to the U.S. Federal Register. From November 10th, 2025 the CMMC clause DFARS 252.204-7021 can be used by DoD Program Managers to add CMMC requirements to DoD contracts. Irrespective of this, DFARS 7012, 7019 and 7020 are already contractual requirements, enforceable by the DoD since late 2017 and 2020 respectively.