
Understanding How DFARS 252.204-7012 Overlaps with CMMC Level 2 Requirements
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
If you work with the U.S. Department of Defense (DoD), you’ve probably encountered both DFARS 252.204-7012 and the Cybersecurity Maturity Model Certification (CMMC) framework. They’re two of the most important cybersecurity requirements for defense contractors and subcontractors, and they’re so closely linked that they often get confused with each other.
At a high level, DFARS 252.204-7012 tells contractors what they need to protect, while the CMMC program provides a way to prove they’ve actually done it.
This guide walks through what DFARS 252.204-7012 requires, how it connects to NIST SP 800-171 and CMMC 2.0, and the steps you’ll need to take to move from DFARS clause compliance to formal CMMC certification.
What is DFARS 252.204-7012?
DFARS 252.204-7012, formally titled “Safeguarding Covered Defense Information and Cyber Incident Reporting,” is a clause in the Defense Federal Acquisition Regulation Supplement (DFARS). It was added to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) handled by defense contractors and their subcontractors, and it’s been a requirement in nearly all DoD contracts since 2017.
The purpose of the clause is straightforward: to make sure that sensitive government information remains protected against cyber threats, even when it’s handled by private companies.
To achieve that, DFARS 7012 requires contractors to follow the security controls defined in NIST SP 800-171, a standard created by the National Institute of Standards and Technology. This framework outlines 110 safeguards for protecting CUI across 14 control families and sets the baseline for all DoD cybersecurity mandates.
DFARS 7012 also includes additional requirements beyond NIST 800-171:
- Contractors must report cyber incidents to the DoD within 72 hours of discovery.
- Any subcontractors that handle CUI must also comply with the same security requirements.
- If CUI is stored or processed in the cloud, the cloud service provider must meet FedRAMP Moderate security standards or equivalent.
In short, DFARS 7012 sets the foundation for consistent cybersecurity standards across the defense supply chain. It ensures that anyone who handles CUI, whether they’re a prime contractor or a subcontractor, is implementing standardized, government-approved protections to maintain adequate security across their information systems.
What is Covered Defense Information (CDI) and how does it relate to CUI?
Covered Defense Information (CDI) is a central concept in DFARS 252.204-7012 and one that often causes confusion.
CDI is a subset of CUI that’s relevant to DoD contracts. DFARS defines CDI as CUI that falls within four main categories:
- Controlled Technical Information (CTI): Technical data or computer software with military or space applications that is subject to access or dissemination controls. This can include things like engineering drawings, design specifications, and source code.
- Critical Information: Data identified by the DoD as vital to operations, missions, or systems.
- Export-Controlled Information: Information governed by laws like ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations).
- Other CUI: Any other unclassified information provided by or generated for the DoD that falls under a category designated in the CUI Registry and is marked or identified in the contract.
CDI triggers compliance obligations under DFARS 252.204-7012. In most cases, that means implementing NIST SP 800-171 and meeting CMMC Level 2 requirements. However, CDI that is more sensitive or critical to national security may require the enhanced protections outlined in NIST SP 800-172 and CMMC Level 3.
If your organization handles CDI, you’re automatically within scope of DFARS 252.204-7012 and the CMMC program, and the applicable level will depend on data sensitivity and your contractual requirements.
What is the relationship between DFARS 252.204-7012 and CMMC compliance?
When the DoD first introduced DFARS 7012, compliance was largely verified through self-attestation. Contractors were expected to implement NIST 800-171 controls and maintain documentation that showed progress toward full implementation.
But because there was no consistent verification process, the DoD found that many organizations claimed compliance without actually meeting all the requirements. The government needed a way to ensure required security controls were implemented consistently and effectively across the Defense Industrial Base (DIB).
The Cybersecurity Maturity Model Certification was created to add that verification layer. CMMC Level 2 and Level 3 introduce independent third-party assessments to validate compliance instead of relying on self-attestation alone.
In other words: DFARS 7012 tells you what to do, NIST 800-171 tells you how to do it, and CMMC 2.0 proves you did it properly.

How DFARS 252.204-7012 requirements overlap with CMMC 2.0
If your organization is already compliant with DFARS 7012, you’ve completed much of the heavy lifting for CMMC Level 2. Both require full implementation of NIST SP 800-171 controls, meaning the technical and procedural safeguards are the same.
Still, there are a few important distinctions that determine whether you’re fully ready for CMMC certification.
Verification and assessment
Under DFARS 7012, you’ve likely been completing NIST 800-171 self-assessments and submitting your Supplier Performance Risk System (SPRS) score as required under DFARS 252.204-7019 and DFARS 252.204-7020. You assign your organization a score based on how many NIST 800-171 controls you’ve implemented, with a maximum of 110 points.
CMMC Level 2 takes that same requirement and formalizes it through an independent third-party assessment. Instead of asserting that your controls are in place, you’ll need to demonstrate them to a Certified Third-Party Assessment Organization (C3PAO). This assessment validates your evidence, verifies your SSP and POA&M, and results in an official certification valid for three years.
If your current DFARS implementation is strong, you’re already well-positioned for this next step. The main preparation will involve ensuring your documentation is complete, your evidence is organized, and any open POA&M items have been remediated.
System Security Plan (SSP) and Plan of Action & Milestones (POA&M)
DFARS 7012 requires contractors to maintain an up-to-date System Security Plan (SSP) that describes how your organization implements each NIST 800-171 control, as well as a Plan of Action & Milestones (POA&M) to track any remaining gaps. These are the two documents CMMC assessors will scrutinize in detail. They’ll look for specific evidence that controls are implemented, validated, and effective.
If your SSP or POA&M is incomplete or outdated, you’ll need to refresh them before your CMMC assessment.

Flowdown requirements
Both DFARS 7012 and CMMC require flowdown clauses to ensure your subcontractors are also compliant. Under DFARS, primes are responsible for including the same security requirements in all subcontracts where CUI is involved.
Under CMMC, this responsibility continues, but the enforcement becomes stricter. Each subcontractor handling CUI will need to obtain its own CMMC Level 2 certification. Prime contractors can’t “cover” their subs under their own certification, so they should verify that subs are certified or have a plan to achieve certification before awarding work.
Cloud services and CUI storage
If you’re storing or processing CUI in the cloud, DFARS 7012 requires that your cloud service provider meet FedRAMP Moderate standards. CMMC doesn’t introduce new requirements here, but it does enforce that expectation. That means your cloud environments must already align with FedRAMP Moderate or equivalent to remain compliant with both DFARS and CMMC Level 2.
Continuous monitoring
It’s also worth noting that while DFARS doesn’t specify ongoing monitoring, CMMC expects organizations to maintain compliance continuously, not just at the time of certification. That means staying proactive about vulnerability management and access control reviews, and keeping your SSP, POA&M, and other policies and procedures up to date between assessments.
If you’re DFARS Clause 252.204-7012 compliant, how close are you to CMMC Level 2?
If you’ve fully implemented NIST SP 800-171 and have an accurate, high SPRS score, you’re likely very close to CMMC Level 2 compliance. The biggest gap is verification. CMMC certification formalizes what you’ve already been doing through a third-party assessor and certification.
Before you schedule your assessment, make sure your:
- SSP, network diagrams, and POA&M are complete and current.
- Evidence for each control is organized and easily accessible.
- Internal policies and procedures are clearly documented.
- Subcontractors are compliant and requirements properly flowed down.
- Cloud environments meet FedRAMP Moderate or equivalent standards.
- CUI, Security Protection Assets, and other assets are properly categorized and scoped.
Many contractors discover during assessment prep that while their security program is strong, their documentation and evidence collection need refinement. That’s where automation can make a major difference.
Simplifying DFARS and CMMC compliance through automation
Manually gathering evidence, maintaining documentation, and preparing for a C3PAO audit can be time-consuming and stressful, even if your organization is already DFARS-compliant. Automation platforms like Secureframe streamline that process by doing the heavy lifting for you.
Secureframe automatically collects and maps evidence to the NIST 800-171 and CMMC controls you’ve already implemented, saving you from hours of manual uploads. If you don’t have an up-to-date SSP or POA&M, the platform can generate them quickly based on your current control implementation status, and calculate a live SPRS score.
When you’re ready for your CMMC assessment, Secureframe connects you with trusted C3PAO partners who are already familiar with our platform. That familiarity means assessors can verify your controls more efficiently, complete reviews faster, and minimize the back-and-forth that often slows down the certification process.
By managing your DFARS and CMMC compliance in one place, you can reduce complexity, stay audit-ready year-round, and reach certification sooner, with fewer headaches along the way.
FAQs
What is the difference between DFARS and CMMC?
DFARS 252.204-7012 requires defense contractors to safeguard CUI using the security controls in NIST SP 800-171, developed by the National Institute of Standards and Technology. The CMMC program verifies that those controls are implemented within contractor information systems to ensure adequate security. DFARS sets the requirements; CMMC validates them through a structured certification process.
What is the difference between DFARS 252.204-7012 and DFARS 252.204-7021?
DFARS 7012 outlines the cybersecurity mandates for safeguarding CUI, reporting incidents, and ensuring compliance across subcontracts. DFARS 7021 links those mandates to procurement, requiring the appropriate CMMC Level 1, Level 2, or Level 3 certification before a contractor can bid on a DoD solicitation or receive a contract award.
What does DFARS 252.204-7012 mean for contractors?
DFARS 7012 establishes the cybersecurity baseline for DoD contractors. It requires implementing NIST 800-171 controls, reporting incidents, and ensuring subcontractor compliance. These rules apply to all information systems that store or process CUI, on-premises or in the cloud. Noncompliance can jeopardize contract eligibility or future awards.
How do DFARS requirements relate to CMMC Level 2?
CMMC Level 2 certification aligns directly with DFARS 7012 and the NIST SP 800-171 baseline, requiring 110 controls to protect CUI. The difference is verification: instead of self-attesting, organizations undergo an independent third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB, the official CMMC accreditation body. Your assessment score determines certification eligibility.
What’s the difference between CMMC and FedRAMP?
Both are federal cybersecurity frameworks, but they serve different purposes. CMMC applies to DoD contractors handling CUI or FCI, while FedRAMP governs cloud service providers used by federal agencies. Under DFARS 7012, if you use a cloud service like Microsoft Azure Government, it must meet FedRAMP Moderate standards or demonstrate equivalent adequate security.
Do I need CMMC certification if I’m already DFARS compliant?
Yes. DFARS compliance is required now, but CMMC certification will soon be mandatory. If you’ve implemented NIST 800-171 controls, maintain a strong SPRS assessment score, and demonstrate adequate security, you’re already close. Certification simply validates that compliance through an accredited C3PAO.
What happens if a subcontractor isn’t CMMC certified?
Prime contractors must ensure all subcontracts handling CUI meet DFARS and CMMC requirements. If a subcontractor isn’t certified, it can threaten eligibility for DoD procurements. Verify supplier compliance early (ideally during the solicitation phase) and confirm their information systems provide adequate protection for CUI.
How can automation help with DFARS and CMMC compliance?
Automation platforms like Secureframe simplify compliance by continuously monitoring information systems, mapping controls to NIST SP 800-171 and CMMC Level 2 requirements, and maintaining a live SPRS score. They generate your SSP and POA&M automatically and connect you with accredited C3PAOs for faster, smoother assessments.
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.
Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.