A Defense Contractor’s Guide to CMMC, DFARS, and FAR Requirements

Authored by:
      Scott Singer, CEO, CyberNINES and
      Nicole Vele, Of Counsel, Holland & Hart LLP

Cyber-attacks against America’s defense industrial base are becoming more sophisticated and more frequent. To reduce the risk of sensitive national security information landing in the hands of bad actors, the Department of Defense requires all defense contractors and subcontractors to protect their networks with specified network security requirements._[1] So, whether your company stores Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) or merely transmits it via your company’s unclassified information system, you are required to comply with the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) Program._[2]

Finalized on December 16, 2024, and anticipated to be written into contracts starting in September 2025, the DoD’s CMMC Program has three certification levels: (1) CMMC Level 1 (Self-Assessment); CMMC Level 2 (Self-Assessment) & (2) CMMC Level 2 (Certification); and (3) CMMC Level 3 (Certification). The CMMC Level required of your information system is based on your company’s contracts. Upon release this fall of the contract clause associated with CMMC, companies will initially be required to self-attest to either CMMC Level 1 or Level 2. DoD will have the option to require CMMC Level 2 certification in the first year, but after that it will be phased over time into all contracts.

• If your awards require you (or your subcontractor) to process, store, or transmit only FCI in your information system, the appropriate assessment requirement is CMMC Level 1 (Self-Assessment)._[3]
• If your contract involves covered defense information (CDI) to include CUI, that will be processed, stored, or transmitted on your information system, then your system will need a CMMC Level 2 certification._[4]
• CMMC Level 3 assessments are required when your contract contains CUI associated with mission critical or unique technologies and programs that are processed, stored, or transmitted on your information system and DoD policy requires the application of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172._[5]

As important as these rules are, it’s not always easy to navigate them. To ensure you are ready to meet CMMC’s rigorous standards, this article will highlight the Federal Acquisition Regulations (FAR) and Defense Federal Acquisition Regulations Supplement (DFARS) clauses in your contracts that govern CMMC, provide some practical advice for understanding the basics of compliance under each clause, and discuss the risks associated with non-compliance.

Despite the complexities associated with effective cybersecurity, you will only find a handful of clauses in your federal contracts that discuss the safeguarding requirements and procedures for contractor-owned or -operated information systems. The first clause we will discuss is FAR 52.204-21. This clause became effective June 15, 2016, and it, along with FAR 4.19_[6], set the baseline safeguarding requirements for all contractor-owned or -operated information systems that process, store, or transmit FCI_[7].    

FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems 

Per FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, there are fifteen security controls (figure 1) that covered contractors and subcontractors must employ to safeguard their information systems if they want to work with the federal government. These requirements were meant to include the most basic safeguards that a prudent businessperson would exercise even if a federal regulation did not exist. 

_{Figure 1 - FAR 52.204-21 Security Controls}

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

Around the same time FAR 52.204-21 was implemented, the National Archives and Records Administration (NARA) issued its final rule on CUI,_[8] and NARA worked with NIST to develop guidelines for how CUI should be protected when not under direct federal control._[9] These guidelines are found in NIST SP 800-171. Based on NARA’s CUI rules, the DoD implemented DFARS 252.204-7012, which requires contractors to implement NIST 800-171 for all information systems they own or operate that handle Covered Defense Information (CDI).

Bottom line: a contractor or subcontractor working directly or indirectly with the DoD that handles CDI must protect it. Per DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, DoD contractors are required to:

• Meet the 110 controls specified in NIST SP 800-171. These are the same requirements that must be met to achieve CMMC Level 2 certification and above._[10]
• Contractors and subcontractors must flow-down this clause when sharing CDI needed for their subcontractor to perform against a contract.
• Subcontractors who handle CDI for DoD contractors must meet the same NIST SP 800-171 requirements, and Cloud Service Providers (CSPs) who handle CDI must meet FedRAMP moderate or equivalent standards or higher.
• Contractors must report cybersecurity incidents affecting CDI to the DoD within 72 hours of discovery and work with the DoD to analyze the incidents and remediate the causes.
• Subcontractors must provide the prime contractor (or next higher-tier subcontractor) with the incident report number as soon as practicable when reporting a cyber incident to DoD.
• If malicious software is discovered on a system used for DoD contract work, it must be submitted to the DoD Cyber Crime Center. **Do NOT send malicious software to the Contracting Officer.**

DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

The next clause we will discuss is DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements. This clause requires DoD contractors and subcontractors to review the solicitation to determine whether they are required to implement NIST SP 800-171 to be considered for award. If so, contractors and subcontractors must have a current assessment for each covered contractor information system relevant to the offer, contract, task order, or delivery order and submit their results to the DoD’s Supplier Performance Risk System (SPRS).

• A self-assessment (Basic-level assessment) is required to be submitted to SPRS. Medium or High-level assessments must be completed by DIBCAC.
• Contractors must verify their summary level scores of a current NIST SP 800-171 DoD Assessment are posted in SPRS. **This must include an indication of how many of the 110 NIST SP 800-171 requirements have been met.**
• If a contractor’s score is less than 110, then the contractor’s SPRS posting must include a date by which all 110 requirements are expected to be met. CMMC requires a Plan of Action and Milestones (POA&M) detailing how and when the remaining requirements will be met.

DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements

Contractors may also be subject to DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. If so, contractors must ensure their facilities, systems, and personnel are available for Government assessors to conduct a Medium or High NIST SP 800-171 DoD Assessment.

• Contractor’s may submit, via encrypted email, summary level scores of Basic Assessments for posting to SPRS.
• DoD will post Medium and/or High Assessment summary level scores to SPRS for each system security plan assessed.
• Contractors are offered the opportunity to rebut and adjudicate the assessment summary level scores prior to having them posted in SPRS.
• Contractors are not allowed to award a subcontract supporting a prime contract subject to the implementation of NIST SP 800-171 security requirements UNLESS the subcontractor has completed, within the last three years, at least a Basic NIST SP 800-171 DoD Assessment for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government.
• Contractors must flow down DFARS 252.204-7020 in ALL subcontracts.

DFARS 252.204-7021: CMMC Requirements (expected by fall of 2025)

Finally, DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, outlines what CMMC certification level DoD contractors must achieve and maintain to be eligible for a DoD contract. CMMC certifications must be renewed every three years, and contractors must maintain yearly self-affirmations that all requirements applicable to the certification level are maintained.

• For contractors handling FCI only, Level 1 certification is required.
• For contractors handling CUI, Level 2 certification is required. The contract will specify whether the CMMC Level 2 certification must be self-assessed or C3PAO-assessed, and contractors must comply with all 110 NIST SP 800-171 security requirements.
• Contractors handling CUI deemed highly critical must have CMMC Level 3 certification. This certification is DIBCAC-assessed and requires compliance with the 110 NIST SP 800-171 security requirements as well as 24 additional requirements outlined in NIST SP 800-172.
• This clause must be flowed down to ALL **Subcontractors may require a lesser CMMC certification level depending on the type of data they will handle in support of the prime contract.**
• Subcontractors without the appropriate CMMC certification level will NOT be allowed to do business with prime contractors subject to this clause.

The Costs of Noncompliance

Now that you know the cybersecurity clauses to look for in your federal contracts, it is just as important to understand the risks of noncompliance. Data shows that defense contractors are increasingly the target of recurrent and progressively sophisticated cyberattacks._[11] These attacks can have several severe consequences, including the loss of contracts, financial damage, reputational harm, and disruptions to national security._[12] And if the threat of those consequences fails to deter your company from noncompliance, there is also the threat of civil False Claims Act liability and suspension or debarment.

In 2021, the Department of Justice (DOJ) instituted a Cyber-Fraud initiative and began pursuing False Claims Act cases against companies and individuals who fail to abide by the cybersecurity requirements in government contracts._[13] Under this program, the DOJ has initiated multiple civil actions against corporations and universities for violations of cybersecurity requirements. In fiscal year 2024, those actions resulted in more than $14M in recoveries._[14] Additionally, agencies have started pursuing suspension and debarment actions against contractors for willful failures of cybersecurity requirements._[15] Given the gravity of what is at stake, defense contractors and subcontractors cannot afford to disregard their contractual cybersecurity requirements. Not only does their business depend on it, but so does our national security.

Still have questions?

Please feel free to contact CyberNINES or Holland and Hart for more information on how we can help you with CMMC compliance or with your questions on federal contracts.

[1] See DoD Instruction 8582.01, Security of Non-DoD Information Systems Processing Unclassified Nonpublic DoD Information.

[2] See 32 C.F.R. § 170.

[3] See Office of the Secretary of Defense Memorandum Implementing the Cybersecurity Maturity Model Certification (CMMC) Program: Guidance for Determining Appropriate CMMC Compliance Assessment Levels and Process for Waiving CMMC Assessment Requirements, Attachment 1, dated January 17, 2025.

[4] Id.

[5] Id.

[6] FAR 4.1903 requires contracting officers to include FAR 52.204-21 in solicitations and contracts when the contractor or a subcontractor at any tier may have FCI residing in or transiting through its information system.

[7] Federal contract information is defined as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as that necessary to process payments.

[8] Wallace, Janel C., “Safeguarding Federal Data,” Defense Acquisition Magazine, November-December 2017, accessed on April 28, 2025, at Safeguarding Federal Data | www.dau.edu.

[9] Id.

[10] CMMC and DFARS 252.204-7012 overlap significantly in that CUI, which requires CMMC certification at Level 2 or higher, is a subset of CDI and must be protected.

[11] Faver, Alan D., “Cybersecurity in the Defense Industrial Base: Evolving Cybersecurity Regulations for Defense Contractors,” Deloitte, accessed on May 1, 2025, at Cybersecurity in Defense: New Approaches for Contractors | Deloitte US.

[12] Id.

[13] “Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative,” U.S. Department of Justice, Press Release Number: 21-971, October 6, 2021, accessed on May 1, 2025, at Office of Public Affairs | Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative | United States Department of Justice.

[14] “False Claims Act Settlements and Judgments Exceed $2.9B in Fiscal Year 2024,” U.S. Department of Justice, Press Release Number: 25-58, January 15, 2025, accessed on May 1, 2025, at Office of Public Affairs | False Claims Act Settlements and Judgments Exceed $2.9B in Fiscal Year 2024 | United States Department of Justice.

[15] “Miller, Dustin, Risks of Non-Compliance and Lack of Risk Management for CMMC Companies,“ March 11, 2025, Sikich, accessed on May 1, 2025, at Risks of CMMC Non-Compliance and Lack of Risk Management - Sikich.

Additional Resources

• https://dodcio.defense.gov/CMMC/About/
• https://dodcio.defense.gov/CMMC/Resources-Documentation/
• https://www.nist.gov/system/files/documents/2018/10/18/cui18oct2018-104501145-dod_dfars-michetti-thomas.pdf