Cybersecurity Maturity Model Certification (CMMC)

Services

DFARS 252.204-7012, 7019 and 7020 are not new requirements for the global Defense Industrial Base (DIB). They form the foundation for CMMC (DFARS 252.204-7021) compliance.

For organisations that are part of the global DIB, cybersecurity posture is a significant compliance risk when evaluated against the Defense Federal Acquisition Regulation Supplement (“DFARS”) cybersecurity requirements: specifically DFARS 252.204-7012, 7019, 7020 and 7021, and NIST SP 800-171 (“NIST 171”).

From November 2025, covered defence contractors are required to comply with DFARS 252.204-7021 (CMMC) in addition to the NIST 171 implementation, self-assessment and SPRS score already required under DFARS 252.204-7012, 7019 and 7020. They must be prepared to demonstrate protection of Federal Contract Information (FCI) under FAR 52.204-21, maintain their existing self-assessed compliance under DFARS 7012, and obtain a CMMC assessment or certification against NIST SP 800-171 at the level the contract requires, submitting confirmation of compliance to the DoW as part of new contract and option awards.

Preparation Reviews: 
Compliance with NIST 171 has been a formal requirement for contractors and subcontractors covered by DFARS 252.204-7012 (“DFARS 7012”), ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’, since December 31st, 2017. The clause requires covered DIB contractors and their subcontractors to implement the 110 NIST SP 800-171 security requirements across every contractor information system that creates, processes, stores or transmits Controlled Unclassified Information (CUI). Compliance requires covered companies to self-assess, score their protection of CUI, and submit that score to the DoW Supplier Performance Risk System (SPRS). Under DFARS 252.204-7021, covered contractors must also be prepared to obtain, where the contract requires it, a CMMC assessment or certification against the NIST SP 800-171 security requirements. We work with clients in the following areas:
Education, Awareness:

In our experience, organisations may not be aware that they were already obliged to comply with DFARS 252.204-7012, 7019 or 7020, either through their own contracts or through clauses flowed down from their prime contractors, and that the same clauses must be flowed down to their own subcontractors. They now face a decision on compliance with DFARS 252.204-7021, known as CMMC.

As members of the DoW CMMC Program since 2020, and recipients of a President’s Volunteer Service Award for that work, we are well placed to support clients on the DFARS and now CMMC journey. We bring knowledge and experience of DFARS, CMMC and wider cybersecurity compliance, and support clients in taking the first important steps:

  1. Educate boards on the DFARS requirements as they relate to the protection of Controlled Unclassified Information (CUI), specifically DFARS 252.204-7012, DFARS 252.204-7019 and DFARS 252.204-7020.
  2. Educate boards on the compliance requirements laid out in DFARS 252.204-7021, also known as CMMC.
  3. Mentor board members on cybersecurity compliance.
CUI Strategy and Compliance: 
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, applies to ‘covered defense information’. “Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. We support contractors to:
  1. Work with General Counsel and the leadership team to identify the applicable contracts that require the protection of FCI and CUI.
  2. Identify and document the CUI applicable to those contracts, applying the principles for handling CUI set out in DoDI 5200.48 to the CUI created, stored, transmitted or processed by the contractor and its subcontractors in fulfilment of the contract.
  3. Identify and document the systems the contractor uses to create, store, process and transmit CUI in fulfilment of the contract.
  4. Confirm with the contracting party what is agreed to be CUI, mark it accordingly, and pass that information on to subcontractors.
Assessment of NIST SP 800-171 compliance: 

Contractors and subcontractors covered by DFARS 252.204-7012 are required to self-assess their compliance with NIST SP 800-171 using NIST SP 800-171A. DFARS 252.204-7019 and 7020 require contractors and subcontractors to complete a ‘Basic’ assessment of NIST SP 800-171 compliance and to provide the results to the DoD in the Supplier Performance Risk System (SPRS) in order to be considered for an award. Contractors must confirm that a subcontractor has a current NIST SP 800-171 assessment on record before awarding a subcontract. DFARS 7020 also requires contractors and subcontractors to give the Government access to their facilities, systems and personnel when necessary for the DoD to conduct its own assessment of NIST SP 800-171 compliance.

The self-assessment of NIST compliance is based on a review of the system security plan(s) (SSP) for the covered contractor information system(s). The SSP describes the system boundary, the processes and protections used to safeguard CUI and other sensitive company data, and the systems used to process, store or transmit that data.

An assessment of NIST compliance is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology (DAM) and NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information). The DAM and the 800-171A assessment guide describe how each security requirement is assessed and scored; the SSP is where the company documents how it meets them. It is therefore important that contractors and subcontractors evaluate themselves against the same methodology before an assessment. We support contractors to:

  1. Identify the organisation’s current cybersecurity compliance position.
  2. Map the NIST SP 800-171 security requirements to the organisation’s applicable systems and evaluate compliance using the NIST SP 800-171A assessment guide.
  3. Document the gaps between the organisation’s current state and the NIST SP 800-171 compliance required by NIST SP 800-171A and the DAM.
  4. Formulate a Plan of Action and Milestones (POA&M) to close those gaps.