DFARS 252.204-7012 and CMMC: Related, Not Identical

DFARS 252.204-7012 is the obligation; CMMC is the verification that you met it. They share a control set but do different jobs — and you can satisfy one while failing the other.

Takeaway: DFARS 252.204-7012 has required DoD contractors to safeguard covered defense information and report cyber incidents since 2017. CMMC adds an independent check that you actually did. They reference the same security controls, but treating them as the same thing is a common and costly mistake.

Two Clauses, Two Jobs

DFARS 252.204-7012 is a performance obligation. If your DoD contract includes the clause and you handle covered defense information, you are contractually required today, on every covered contract, to implement a security standard, report cyber incidents within 72 hours, preserve images of the affected information systems, and flow the clause down to subcontractors. None of that depends on CMMC.

CMMC, implemented through DFARS 252.204-7021, is a verification and eligibility mechanism. It does not invent new safeguards; it requires you to demonstrate, at a defined assurance level, that the safeguards are in place — and it makes that demonstration a condition of award.

The Shared Core: NIST SP 800-171

Both point to the same control catalog: the 110 requirements of NIST SP 800-171. Importantly, DoD locked DFARS 7012 compliance to Revision 2 by a class deviation in May 2024, and that remains the operative standard even though Revision 3 has been finalized. CMMC Level 2 assesses that same Revision 2 control set.

Where They Diverge

  • Proof. Under 7012 you assert implementation. Under CMMC Level 2 you may have to prove it to a Certified Third-Party Assessor Organization (C3PAO).
  • Eligibility. A weak posture under 7012 is a performance and False Claims Act risk. Under CMMC, failing to meet the required level can make you ineligible for award.
  • Timing. 7012 obligations apply now. CMMC obligations phase into contracts following the acquisition rule's November 10, 2025 effective date, with Level 2 certification expectations arriving in new and renewing contracts over the following period.

The Bridge: SPRS

DFARS 252.204-7019 and -7020 connect the two worlds. They require contractors to post a NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS) and let DoD conduct higher-assurance assessments. SPRS is where your asserted posture becomes visible to the government before CMMC certification applies.

What This Means for You

Do not wait for CMMC to take 7012 seriously — the obligation and its enforcement exposure already exist. Build to NIST SP 800-171 Revision 2 now, keep an accurate SPRS score, and treat CMMC as the verification layer on a house you have already built. A high SPRS score with no supporting evidence is exactly the gap that enforcement actions exploit.

Source Notes

Primary sources: DFARS 252.204-7012, -7019, -7020, and -7021; NIST SP 800-171 Rev 2; DoD class deviation locking 7012 to Rev 2 (2024); and 32 CFR Part 170 (CMMC program rule). Status summarized as of the review date and subject to change. Educational analysis, not legal advice.