The four DFARS cyber clauses, in order
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting (2017)
Requires contractors handling CUI to implement NIST SP 800-171 and report cyber incidents to DoD within 72 hours.
DFARS 252.204-7019
Notice of NIST SP 800-171 DoD Assessment Requirements (2020)
Requires contractors to perform a NIST SP 800-171 self-assessment and post the score to the Supplier Performance Risk System (SPRS).
DFARS 252.204-7020
NIST SP 800-171 DoD Assessment Requirements (2020)
Authorises DoD to conduct higher-level assessments (Medium, High) of contractor 800-171 implementation when warranted.
DFARS 252.204-7021
Cybersecurity Maturity Model Certification Requirements (2020, phased)
The CMMC clause itself — requires contractors to hold the appropriate CMMC certification level. Phasing in 2025–2028.
How they relate
Think of it as four progressive layers:
- 7012 sets the bar. If you handle CUI, you must implement the 110 NIST 800-171 controls and report incidents to DoD in 72 hours. This has been law since 2017.
- 7019 makes you self-report your score. Self-assess against 800-171, calculate a score (out of 110, with weights), and post it to SPRS.
- 7020 gives DoD audit authority. DoD can show up and verify your self-assessment when contracts warrant it. Most small subcontractors haven't experienced this directly — primes have.
- 7021 (CMMC) adds independent verification. Self-attestation is replaced with C3PAO certification for most Level 2 contracts. This is the transition through 2028.
What CMMC actually changes
CMMC doesn't introduce new technical requirements. The 110 controls were already required under 7012. What changes:
- Self-attestation → third-party assessment. For Level 2 contracts above a certain priority, a C3PAO must verify the implementation.
- Verification before contract award. Today you can win a contract under 7012 and discover you don't actually meet 800-171 after the fact. Under CMMC, the certificate is a prerequisite to bidding.
- Programme maturity, not just controls. CMMC assessment looks at whether your security programme is operating — SSP, POAM, change control, control owners — not just whether the controls technically exist.
- Three-year recertification cycle. You stay in the system; you can't drift.
What to do today while the transition plays out
Three categories of action depending on where your contracts sit:
- If your contracts have 7012 but not yet 7021 (CMMC): Implement 800-171 in earnest. Score honestly. Post to SPRS. Your obligations are real and being enforced through DOJ's Civil Cyber-Fraud Initiative. Don't wait for CMMC.
- If your contracts have 7021 (CMMC) clauses: Start the Level 2 readiness programme now. C3PAO scheduling is already running 4–9 months out in some regions. Don't schedule the C3PAO until you're actually ready; do schedule the readiness work today.
- If your contracts have neither yet: CMMC clauses are coming. Speak to your prime contractor about flow-down expectations. Most primes are already asking subcontractors for CMMC plans during qualification, even before the clause appears in the PO.
The 72-hour reporting obligation people forget
DFARS 7012 requires you to report cyber incidents to DoD via DIBNet within 72 hours of discovery. This obligation exists today — not after CMMC takes effect. Many small subcontractors don't have a documented process for this and would miss the window in an actual incident.
On the SPRS score
Sort the clause stack honestly
We map your active contracts to the DFARS/CMMC clause stack, score you against 800-171, and tell you what's actually due now vs what's coming. Free assessment.
Book the free assessment