DFARS 252.204-7012 vs. CMMC: What Contractors Must Understand


If you’re a DoD contractor, you’ve probably heard both acronyms thrown around: DFARS 252.204-7012 and CMMC. Many companies confuse the two or assume they’re interchangeable. In reality, they’re related but distinct requirements, and understanding the difference is critical to staying compliant and competitive.

What is DFARS 252.204-7012?

DFARS 252.204-7012 is a clause in the Defense Federal Acquisition Regulation Supplement (DFARS). It has been in place since 2017 and requires contractors to:

  • Implement the security controls in NIST SP 800-171 to protect Controlled Unclassified Information (CUI).

  • Report cyber incidents to the DoD within 72 hours.

  • Flow down these requirements to subcontractors that handle CUI.

In short, DFARS 7012 made self-attestation the standard: contractors had to claim they were following NIST 800-171, but there was little enforcement.

What is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the DoD’s effort to enforce those same requirements and add accountability. CMMC v2.0 ties NIST 800-171 compliance directly to DoD contracts. Instead of self-attestation, most contractors handling CUI must now undergo a third-party audit by a C3PAO to prove compliance.

Key Differences

  1. Attestation vs. Certification

    • DFARS 7012: Self-attestation. Contractors simply state they comply.

    • CMMC: Independent verification by a C3PAO for Level 2.

  2. Enforcement

    • DFARS 7012: Limited enforcement until recently.

    • CMMC: Pass/fail certification tied directly to contract eligibility.

  3. Scope

    • DFARS 7012: Focuses on NIST 800-171 controls for CUI.

    • CMMC: Expands requirements to include maturity processes and verification.

  4. Impact on Subcontractors

    • Both DFARS and CMMC flow down requirements, but under CMMC, primes must ensure subs are actually certified—not just claiming compliance.

What Contractors Must Do

If you’re compliant with DFARS 7012 today, you’ve already implemented NIST 800-171. That puts you on solid ground for CMMC, but don’t assume you’re ready:

  • Verify your System Security Plan (SSP) and Plan of Action & Milestones (POA&M) are up to date.

  • Collect and organize evidence for each control. C3PAOs will ask for proof.

  • Scope your environment carefully so you know exactly where CUI resides.

  • Consider using a GRC platform to centralize compliance and prepare for an audit.

Final Thoughts

Think of DFARS 7012 as the foundation and CMMC as the enforcement mechanism. The DoD isn’t adding brand-new requirements; it’s ensuring contractors actually implement what’s been required for years.

For DIB contractors, the key takeaway is simple: you can’t stop at claiming compliance anymore. You must be able to prove it. That’s where preparation, documentation, and the right tools make all the difference.