While the phased rollout of CMMC requirements in federal contracts hasn’t begun yet, that doesn’t mean you can delay your CMMC readiness efforts. If you’re waiting until the 48 CFR CMMC Acquisition rule is finalized, then you misunderstand the CMMC program and its relationship to DFARs and FAR clauses. 

Starting in 2016 and 2017, defense contractors should have been compliant with the FAR clause 52.204-21 and DFARS clause 252.204-702. CMMC is a framework designed to verify compliance with these requirements, not to alter them. So if you haven’t yet implemented the appropriate measures to protect sensitive information entrusted by the federal government, then you’re not ahead of the CMMC compliance deadline—you’re years behind. 

To close the readiness gap, let’s cover what DFARs is, how it relates to FAR and the CMMC program, and how you can comply fast.

What is the Defense Federal Acquisition Regulation Supplement (DFARS)?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules issued by the Department of Defense (DoD) that implements and supplements the Federal Acquisition Regulation (FAR). While FAR provides the primary set of rules governing all federal procurement, DFARS defines the requirements for contractors working with the Department of Defense (DoD) specifically and covers everything from procurement and logistics to safeguarding sensitive data.

The DFARS provides requirements and guidelines specifically tailored to the DoD and its contractors that are not comprehensively covered by the FAR. For example, DFARS focuses on national security, classified information, intellectual property rights in the defense sector, and cybersecurity requirements, among other areas.

DFARS’s cybersecurity requirements have focused particularly on contractors that process Controlled Unclassified Information (CUI). These requirements, along with FAR 52.204-21, have formed the foundation of the CMMC program. 

FAR, DFARS, and CMMC: How are these rules related?

To understand how FAR, DFARS, and CMMC are intertwined, we have to go back in time. In 2016, the DoD partnered with the General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) to release the FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in response to increases in cyber threats aimed at the Defense Industrial Base (DIB). 

Soon after, DFARS clause 252.204-7012 was released, requiring defense contractors and subcontractors to provide adequate security for all covered defense information. Later, they clarified that “adequate security” meant contractors must implement all 110 NIST 800-171 Revision 2 requirements prior to contract award. 

However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 required the DoD to verify a contractor's implementation of those security requirements prior to contract award. So by signing a defense contract, vendors were essentially self-attesting that they met those security requirements. 

This turned out to be an issue. In 2020, the DoD reviewed the DIB and found widespread noncompliance with the FAR and DFARS requirements. In fact, many contractors had Plans of Action and Milestones that wouldn’t have brought them into full compliance with NIST 800-171 until 2099.

To replace this self-attestation model of security, the DoD introduced the DFARS Interim Rule in 2020 to verify contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. The DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, introduced three new DFARS clauses (7019, 7020 and 7021) to increase compliance with DFARS 7012. 

Let’s take a closer look at the four DFARS clauses that make up the DFARS 70 series below.

DFARS 7019

DFARS clause 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, amends DFARS 7012 to include a new requirement. Contractors must perform a Basic self-assessment using the NIST SP 800-171 DoD Assessment Methodology and submit their score to the Supplier Performance Risk System (SPRS) prior to contract award.

How is the SPRS score calculated? The DoD Assessment Methodology assigns each NIST 800-171 requirement a score of one (1), three (3), or five (5) points. So organizations start with the lowest score possible, -203, and earn between one and five points for each requirement they meet for a maximum score of 110. If an organization does not meet all NIST 800-171 requirements and gets a score below 110, they must create a Plan of Action and Milestones (POA&M) to explain how they’ll fill those security gaps. 

During an assessment, an Organization Seeking Certification (OSC) can POA&M their scores to no lower than 88 in order to pass their audit. However, they must remediate all POA&Ms within 180 days and get to a final score of 110 to get CMMC authorized.

While the DoD doesn’t specify a minimum SPRS score for contract award, they will likely consider companies with lower scores a higher security risk and opt to work with companies with the highest scores and least risk. 

If you are currently working on behalf of the DoD as a prime or subcontractor, then your contract includes DFARS 7019 requirements. 

These requirements strengthen DFARS 7012 in two key ways: 

• By providing a metric (the SPRS score) for the DoD to assess that contractors actually implemented NIST 800-171 requirements.
• By requiring assessments and SPRS scores to be updated at least every three years to remain eligible for new contract awards.

DFARS 7021

DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, formally requires CMMC certification as a condition for contract award. When this clause goes into effect, contractors will need to:

• Obtain the CMMC level specified in the contract.
• Maintain that certification throughout the contract period.
• Flow down the applicable CMMC level to any subcontractors handling FCI, CUI, Security Protection Data (SPD), and/or Covered Defense Information (CDI).
• Ensure subcontractors have the appropriate CMMC level prior to awarding a contract.

DFARS 7021—eg. CMMC requirements—are not yet included and enforced in DoD contracts. They will be once the 48 CFR CMMC Acquisition rule is final, which is expected to happen sometime in 2025. At this time, the CMMC phased rollout will begin. 

By enforcing independent validation of the implementation of the DFARS 7012 rule, DFARS 7021 clause will officially shift DFARS compliance from a self-attestation model of security to a verification-based model of security. This is the vision for the CMMC program.

DFARS compliance checklist​

In order to prepare for the CMMC 2.0 compliance deadline, contractors must meet the requirements of DFARS 7012, 7019, 7020, and 7021. We’ve created a high-level checklist to simplify compliance with the DFARS 70 series requirements and help accelerate your path to CMMC certification.

How Secureframe can help you achieve and maintain DFARS and CMMC compliance

Secureframe simplifies compliance for all contractors across the DIB, helping them meet the technical and documentation requirements of CMMC 2.0, NIST SP 800-171, and the DFARS 252.204-7000 series.

With hundreds of integrations to federal cloud services and other tools and pre-built mappings between requirements, controls, and tests, Secureframe helps you:

• Automate evidence collection: Secureframe integrates with over 300 tools, including the CMMC assessment-relevant softwares and tools you use every day, to automatically collect evidence and map it to NIST 800-171 and CMMC requirements.
• Automate gap assessments: Secureframe automates the gap assessment process, identifying what gaps exist in your controls and policies and how to fill them to get CMMC ready. 
• Generate and maintain audit-ready SSPs, POA&Ms, and other key documentation: With Secureframe, you can automate SSP and POA&M generation to simplify control documentation and remediation tracking. Secureframe provides additional policy templates and policy management features that enable you to meet all CMMC documentation requirements more effectively.
• Prepare for self, C3PAO, or DoD assessments: As you work through the CMMC framework and complete activities within the Secureframe platform, it will update showing your progress percentage toward compliance, ensuring you have peace of mind going into your CMMC assessment.
• Simplify the assessment process: Secureframe makes the process of collecting and transferring evidence to your assessor easy and straightforward, saving you both from the back-and-forth of submitting additional evidence or manually re-testing controls. Secureframe also has established relationships with highly regarded C3PAOs that are deeply familiar with the Secureframe platform. That means faster assessments with fewer headaches for everyone.
• Maintain CMMC certification: The Secureframe platform also makes it easier to maintain continuous compliance. Rather than scrambling to resolve issues in the weeks before an assessor shows up at your door, you can use Secureframe to centrally manage tasks across teams, monitor control performance, and maintain visibility into every aspect of your CMMC 2.0 posture.
• Generate and track SPRS score: Your SPRS score plays a critical role in maintaining CMMC compliance and eligibility for federal contracts. Secureframe automatically calculates your score based on control implementation and keeps it up to date with system changes so you can stay contract-eligible and demonstrate federal readiness with a trusted, real-time score.
• Navigate your compliance journey with expert support: Our team of former federal auditors and compliance experts has deep experience with NIST 800-171 and CMMC 2.0 and can support you at every step of the compliance journey, from scoping your assessment and identifying gaps to keeping your entire compliance program running smoothly. 

Need to get CMMC compliant fast? Request a demo to see how we can help accelerate your path to CMMC certification.