
Cybersecurity Requirements for the Defense Industrial Base (DIB)

Industries / Reference (published)
Effective: November 10, 2025

CMMC 2.0, DFARS 252.204-7012, NIST SP 800-171, SPRS scoring, and C3PAO assessments for DoD contractors.

Last reviewed: June 4, 2026. Version: v1

Overview

Defense contractors face the most rigorous cybersecurity regime in federal contracting. If you handle Department of Defense information, three things drive your obligations: the DFARS clauses, NIST SP 800-171, and CMMC 2.0. This page ties them together.

DFARS 252.204-7012

The cornerstone clause. If you process, store, or transmit Covered Defense Information (CDI), you must:

  • provide "adequate security," implementing NIST SP 800-171 on covered systems;
  • report cyber incidents to DoD within 72 hours of discovery;
  • preserve affected media and support DoD damage assessment; and
  • flow the clause down to subcontractors at all tiers handling CDI.

As of 2026, DFARS 7012 remains tied to NIST SP 800-171 Revision 2 (110 controls) through a DoD class deviation, even though Revision 3 has been published. DoD has issued organization-defined parameters preparing to adopt Rev 3 — watch your contract language for the transition.

NIST SP 800-171 and Your SPRS Score

You must assess your environment against the 110 Rev 2 controls and post a summary score in the Supplier Performance Risk System (SPRS). Under DFARS 252.204-7019/7020, a current assessment (generally within three years) is a condition of award on covered DoD contracts. A perfect score is 110; missing controls subtract weighted points and must be tracked in a Plan of Action and Milestones (POA&M).

*(Note: the 2025–2026 "Revolutionary FAR Overhaul" is renumbering and revising several DFARS clauses, including the 7019/7020 assessment clauses. Confirm the exact clause numbers and self-assessment requirements in your current solicitation.)*

CMMC 2.0: Levels and Rollout

CMMC verifies your NIST 800-171 implementation. The contractual rule took effect November 10, 2025, and requirements phase into solicitations as follows:

  • Phase 1 (begins Nov 10, 2025): Level 1 and Level 2 self-assessments in select solicitations
  • Phase 2 (begins Nov 10, 2026): Level 2 third-party (C3PAO) certification for most CUI
  • Phase 3 (begins Nov 10, 2027): Level 3 assessments added
  • Phase 4 (begins Nov 10, 2028): CMMC required on essentially all applicable DoD contracts

The levels: Level 1 covers basic FCI safeguarding (annual self-assessment). Level 2 covers full NIST 800-171 (self-assessment for a limited set; C3PAO certification for most CUI). Level 3 adds selected NIST SP 800-172 enhanced controls, assessed by the government.

C3PAO: a CMMC Third-Party Assessment Organization accredited to perform Level 2 certification assessments.

What to Do Now

1. Determine whether your contracts involve FCI, CUI, or both.
2. Complete a NIST 800-171 self-assessment and post an honest SPRS score.
3. Document gaps in a POA&M and remediate the highest-weighted items first.
4. If you handle CUI, plan now for a Level 2 C3PAO assessment ahead of Phase 2 (November 2026) — assessor capacity is limited.
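Steps 2 and 3 above, together with the scoring description in the SPRS section, are the kind of bookkeeping that is easy to get wrong in a spreadsheet. The following is an added worked example (not code from this page, DoD, or NIST) that models the arithmetic: start from a perfect 110, deduct each unmet control's weight, allow a reduced deduction only where a control explicitly defines partial credit, and emit a POA&M ordered by the points each open item would recover. The control identifiers are real NIST SP 800-171 requirement numbers, but the weights, statuses and partial-credit values assigned to them below are constructed sample data, not the official DoD Assessment Methodology table; substitute the official weights from the methodology when scoring a real environment.

```python
"""SPRS-style score calculation and POA&M prioritisation (added example).

Assumptions (constructed for illustration, not the official table):
  * Each control carries an integer weight deducted when it is not implemented.
  * A control may optionally define a reduced deduction for partial
    implementation; without one, "partial" counts as not implemented.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

PERFECT_SCORE = 110  # fully implemented NIST SP 800-171 Rev 2 baseline (110 controls)


@dataclass(frozen=True)
class Control:
    control_id: str                           # NIST SP 800-171 requirement number, e.g. "3.1.1"
    weight: int                               # points lost when the control is not implemented
    status: str                               # "implemented", "partial" or "not_implemented"
    partial_deduction: Optional[int] = None   # reduced loss for "partial", if the control allows it


def deduction(control: Control) -> int:
    """Points deducted from the perfect score for this single control."""
    if control.status == "implemented":
        return 0
    if control.status == "not_implemented":
        return control.weight
    if control.status == "partial":
        # Partial credit only where explicitly defined; otherwise full deduction.
        if control.partial_deduction is None:
            return control.weight
        if not 0 <= control.partial_deduction <= control.weight:
            raise ValueError(f"partial deduction out of range for {control.control_id}")
        return control.partial_deduction
    raise ValueError(f"unknown status {control.status!r} for {control.control_id}")


def compute_score(controls: Iterable[Control]) -> int:
    """SPRS-style summary score: 110 minus the weighted deductions of all open items."""
    controls = list(controls)
    ids = [c.control_id for c in controls]
    if len(set(ids)) != len(ids):
        raise ValueError("duplicate control ids in inventory")
    return PERFECT_SCORE - sum(deduction(c) for c in controls)


def _id_key(control_id: str) -> Tuple[int, ...]:
    # Sort "3.5.3" before "3.11.2" numerically rather than lexically.
    return tuple(int(part) for part in control_id.split("."))


def build_poam(controls: Iterable[Control]) -> List[Tuple[int, str, str]]:
    """Open items as (points_recoverable, control_id, status), highest-weighted first."""
    open_items = [(deduction(c), c.control_id, c.status) for c in controls if deduction(c) > 0]
    open_items.sort(key=lambda item: (-item[0], _id_key(item[1])))
    return open_items


# Constructed sample inventory: weights and statuses are illustrative only.
SAMPLE_INVENTORY = [
    Control("3.1.1", 5, "implemented"),
    Control("3.1.2", 5, "not_implemented"),
    Control("3.5.3", 5, "partial", partial_deduction=3),   # partial credit defined
    Control("3.8.3", 5, "implemented"),
    Control("3.11.2", 3, "not_implemented"),
    Control("3.14.6", 3, "partial"),                       # no partial credit: full deduction
    Control("3.4.9", 1, "not_implemented"),
]


if __name__ == "__main__":
    print(f"SPRS-style score: {compute_score(SAMPLE_INVENTORY)} / {PERFECT_SCORE}")
    print("POA&M (remediate in this order):")
    for points, control_id, status in build_poam(SAMPLE_INVENTORY):
        print(f"  {control_id:<8} {status:<16} recovers {points} point(s)")
```

The ordering in `build_poam` is what step 3 asks for: a 5-point control left open costs as much as five 1-point controls, so the report surfaces it first. Keeping partial credit opt-in per control avoids silently awarding it to requirements where the methodology grants none.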

Use the Self-Assessment Checklists to score yourself against 800-171, and Find My Requirements to confirm your full obligation set.

Sources

  • DFARS 252.204-7012/7019/7020/7021 (acquisition.gov); 32 CFR Part 170; NIST SP 800-171 & 800-172 (csrc.nist.gov); SPRS (sprs.csd.disa.mil)