Cybersecurity, Department of Defense

Understanding the Philosophy and Complementary Nature of DFARS and CMMC 2.0

With each passing year, new cybersecurity challenges arise with growing impact and complexity. The federal government and military in particular must be extremely attentive to combat these threats. In response to increased hacker attacks, the Department of Defense (DoD) has formulated several information management and cybersecurity standards, such as DFARS and CMMC, to reduce the risk of system compromises. By complying with these guidelines, government contractors partner with the DoD to mitigate security breaches.


The Defense Federal Acquisition Regulation Supplement (DFARS) expands on the standards that companies must follow to begin or renew a contract with the DoD. These regulations in Clause 252.204-7012 (7012), “Safeguarding Covered Defense Information and Cyber Incident Reporting,” revolve around protecting Controlled Unclassified Information (CUI) from falling into the wrong hands through unauthorized access or disclosure.[1] DFARS was initiated in 2016 as requirements for contractors within the Defense Industrial Base (DIB)[ 2] to increase their data education, physical security, cybersecurity measures, cyber-attack reports and alerts to the DoD. The requirements in Clause 7012 allow patterns to be assessed and more adequately countered through refined regulations.[3] Through enhancing security in these areas, the DoD strives to protect the national economy and sensitive data by reducing vulnerabilities and monitoring threats.

To achieve DFARS Clause 252.204-7012 compliance, companies must develop security standards in 14 areas by conducting a gap analysis to identify the company’s current standing and protocols, establishing a remediation plan to align with DFARS standards, continuously tracking suspicious activity and reporting security breaches. Finally, contractors must complete a National Institute of Standards and Technology (NIST) SP 800-171 DoD Basic Assessment and document their compliance on the Supplier Performance Risk System (SPRS).[3]

In 2020, the DoD launched the Cybersecurity Maturity Model Certification (CMMC) and initially announced it as a replacement to DFARS. The DoD later clarified that CMMC was an additional but complementary framework.[4] Any prime or subcontractor handling national security information and seeking to work with the DoD must follow both DFARS Clause 7012 cybersecurity standards and the appropriate level of CMMC to match the degree of their information sensitivity.


Because of the initial confusion surrounding CMMC, in November 2021, the DoD released CMMC 2.0 to clarify the original specifications. This update reduced the original five maturity levels to three and made compliance more feasible for small businesses by not requiring third-party assessments for the first tier. CMMC 2.0 also provides additional flexibility in the compliance timeline.[5]

In the new version, the tiers build on each other and include:

  • Level 1 – Foundational: requires the fulfillment of 17 best practices verified through annual self-assessment
  • Level 2 – Advanced: incorporates NIST SP 800-171 standards plus an additional 110 best practices. Some are verified through annual self-assessment, and others are verified through triennial third-party assessment (determined per contract)
  • Level 3 – Expert: aligns with NIST SP 800-172 standards as well as over 110 best practices verified through triennial third-party assessment

The distinction with these levels allows companies to comply with the tier that matches their involvement with CUI. This level also dictates what contracts companies are permitted to bid on. Companies that already comply with DFARS have a head start in achieving CMMC 2.0 compliance.[2]

The NIST SP 800-172 document describes three goals for these frameworks to prevent malicious activity from compromising CUI:

  • Develop infiltration-resistant systems
  • Install damage-limiting procedures
  • Promote cyber resiliency and attack survivability[6]

With this new release, the DoD aims to streamline the process and lower the barrier of entry to save contractors’ resources. Allowing companies to create Plans of Action & Milestones (POA&Ms) as a placeholder enables them to work towards compliance while still receiving contract awards.[5]

CMMC 2.0 is expected to be officially published in March 2023 followed by a 60-day feedback period. After the targeted finalization date of May 2023, contracts will begin requiring bidders to attain a specific maturity level before applying. While the CMMC 2.0 program will have an extended rolled out, companies should start initiating their journey towards compliance. The Cyber Accreditation Body (Cyber AB) estimates 8-12 weeks for the average maturity level assessment to process.[2] Companies’ compliance costs depend on the gap in their existing organization cybersecurity posture and the desired CMMC level. In some cases, the DoD notes that cybersecurity contracts can cover contractor upgrades under “allowable costs.”[7]


Both the DFARS and CMMC frameworks center around data protection through security controls; however, they differ in their compliance assessment. With DFARS Clause 252.204-7012, organizations monitor their own systems without external inspection or verification of proper data generation, storage and transmission. CMMC 2.0 combines self-assessment and assessments by Third Party Assessment Organizations (3PAOs) who determine an organization’s eligibility for a specific maturity level.[8]

Another difference between DFARS and CMMC are the levels included in CMMC. DFARS Clause 7012 contains only one tier that lays out ground-rules for handling CUI and increasing security in the DIB. CMMC differs from DFARS in that it institutes maturity levels to classify the extent of cybersecurity protective measures. The first CMMC 2.0 maturity level contains less requirements than the NIST SP 800-171, which is the basis for DFARS Clause 7012. Level 2 is identical to NIST SP 800-171 and nearly the same as DFARS Clause 7012 with the exception of additional assessments, while the final CMMC level requires more guardrails.[2]

Although similar in some respects, DFARS Clause 252.204-7012 and CMMC are not interchangeable standards. Qualifying for one does not instantly precipitate qualification and compliance with the other.


Implementing DFARS Clause 252.204-7012 and CMMC guidelines not only meet DoD requirements for contracting, the guidelines also strive to protect national security and the economy as well as develop a solid foundation for data and cyber health for organizations which establishes their credibility and furthers their reputation in the field.

These standards have a large impact on the DoD contracting industry with the integration of DFARS Clause 7012 and CMMC affecting an estimated 100,000 companies.[9] In FY2020, the DoD spent over $665 billion on contracts.[10] According to the US Council of Economic Advisors, the national economy could lose over $1 trillion by 2026 because of cyber-attacks. By following regulations such as DFARS Clause 7012 and CMMC, contractors can do their part to fortify their data security and strengthen national security.[3]

Instituting adequate cyber hygiene such as server health checks, multi-factor authentication, and zero trust user profiles, not only enables companies to meet DoD mandates, they also safeguard organizations from increased hacking.

While CMMC 2.0 is expected to have a 5-year phase-in process and is not an immediate requirement across the board, it is imperative that contractors begin investigating their compliance status and initiate the pre-cursory work to meet the requirements of their desired maturity level. By planning in advance and starting the process now, organizations can adequately budget for compliance and have a proactive advantage by being ready before all contracts officially shift to requiring CMMC compliance.

Failure to comply can result in major consequences for companies including fines, a halt on current contracts and a future ban on working with the DoD. An organization’s disqualification from contracts would also cause revenue loss and harm their reputation in the field.[3] A lack of cybersecurity information management standards could also expose companies to serious data breaches and repair costs.


Executing a strong, proactive cybersecurity approach is crucial. DFARS and CMMC standards offer guidance in implementing a flexible operational strategy and threat response sufficient to withstand attacks. Together these programs provide safeguards for sensitive information, increase DIB cybersecurity to address advancing threats, institute accountability measures while maintaining a streamlined process, and encourage public trust through good ethics. While DFARS and CMMC are different, they complement each other in protecting national interests and ultimately promoting contractors’ best interests as well.

Visit Carahsoft’s CMMC resource hub and find out how we can help companies meet CMMC and NIST 800-171 and 800-172 guidelines. Carahsoft partners with great companies and subject matter experts that can help you prepare for CMMC assessment and remediate gaps to compliance in your environment.


[1] “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Office of the Under Secretary of Defense,

[2] “Understanding the Relationship Between DFARS and CMMC,” SCA Security,

[3] “What Is DFARS? (+ Your Compliance Checklist),” SCA Security,

[4] “Fundamentals of Cybersecurity Maturity Model Certification (CMMC) 2.0,” Apptega,

[5] “CMMC 2.0: What You Need to Know About the Latest Version,” SCA Security,

[6] “Your Guide to the New CMMC 2.0 Levels,” SCA Security,

[7] “What Is CMMC?” CISCO,

[8] “What is the Difference Between CMMC and DFARS?” FTP Today,,government%20agencies%20they%20partner%20with

[9] “DFARS Interim Rule Compliance 101: What You Need to Know,” SCA Security,

[10] “The Importance of CMMC And Its Impact,” SeaGlass Technology,

Related Articles