
DFARS 7012 and CMMC 2.0: Understanding Overlapping Security Requirements

Defense contractors face a frustrating reality: you're juggling two overlapping cybersecurity frameworks that seem to require the same work twice. The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 sets contractual security requirements, while the Cybersecurity Maturity Model Certification (CMMC) 2.0 verifies you've actually implemented them—but the relationship between the two creates confusion about what you actually have to do.

This guide breaks down how DFARS and CMMC overlap, where they differ, and how to prepare for both without duplicating effort.

DFARS 7012 and CMMC 2.0 Explained

If you're a Department of Defense (DoD) contractor, you've probably heard both Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC) thrown around. The confusion between the two is real, and it's one of the biggest pain points contractors face when trying to figure out what they actually have to do.

Here's the simplest way to think about it:

  • DFARS sets the cybersecurity requirements you agree to follow when you sign a DoD contract.
  • CMMC is the certification that proves you're actually meeting those requirements.

Essentially, DFARS is the rulebook; CMMC is the referee checking that you're playing by the rules.

Defining DFARS 252.204-7012

DFARS 252.204-7012 is a contract clause that lays out cybersecurity requirements for protecting Controlled Unclassified Information (CUI). CUI is sensitive government information that isn't classified but still requires protection—technical drawings, personnel data, procurement details, anything marked with a CUI banner.

When this clause appears in your contract, you're agreeing to implement specific security controls based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. You're also required to self-report your compliance score in the Supplier Performance Risk System (SPRS). It's essentially an honor system where you assess your own cybersecurity and report the results.

The Goal of the Cybersecurity Maturity Model Certification

CMMC exists to close the self-attestation gap that DFARS created. Contractors were reporting their compliance scores, but the DoD had no way to verify those claims. Investigations revealed significant gaps between what contractors reported and what they'd actually implemented.

CMMC introduces third-party verification through Certified Third-Party Assessor Organizations (C3PAOs). Independent assessors evaluate your cybersecurity practices and issue certifications that confirm you've implemented the required controls. Instead of trusting contractors to grade their own homework, the DoD now requires an independent check.

Why the DoD Requires Both Frameworks

The shift from DFARS to CMMC reflects a hard lesson: self-reporting doesn't adequately protect the defense supply chain. DFARS established what contractors needed to do, but it relied entirely on contractors to police themselves. That model proved insufficient as cyber threats intensified and audits revealed widespread compliance issues.

Protecting Controlled Unclassified Information

CUI encompasses a wide range of sensitive information that flows through defense contracts:

  • Technical specifications and engineering drawings
  • Export-controlled technical data
  • Personnel records and security clearance information
  • Procurement-sensitive details and pricing

When CUI gets compromised, adversaries gain insight into U.S. defense capabilities, technologies, and operations. The challenge is that CUI doesn't just sit with prime contractors. It flows throughout the supply chain to subcontractors and vendors, which means a single weak link anywhere can expose sensitive information.

Closing the Self-Attestation Gap

Self-reported compliance scores in SPRS ranged widely, but audits revealed that many contractors had significantly overstated their cybersecurity maturity. Some organizations reported perfect scores while lacking basic security controls like multi-factor authentication or encryption. That's a problem when national security depends on accurate information.

Third-party verification through CMMC creates accountability. When an independent assessor evaluates your security controls, the DoD gets confidence that you've actually implemented the protections you claim to have, not just checked boxes on a self-assessment form.

Key Differences Between DFARS 7012 and CMMC 2.0

The distinctions between DFARS and CMMC matter because they affect how you plan your compliance work.

DFARS 252.204-7012

  • Purpose - Contractual cybersecurity requirements
  • Assessment - Self-attestation through SPRS
  • Structure - Single standard based on NIST SP 800-171
  • Status - Currently in effect
  • Recertification - Update SPRS when posture changes

CMMC 2.0

  • Purpose - Certification framework that verifies compliance
  • Assessment - Third-party verification by C3PAOs (Levels 2-3)
  • Structure - Three-tiered levels aligned with information sensitivity
  • Status - Being phased into new contracts
  • Recertification - Every three years for certified levels

Scope of Data and Systems

DFARS 252.204-7012 specifically applies to systems that process, store, or transmit CUI. You can limit your compliance scope by defining a clear boundary around those systems, though that boundary has to include all related infrastructure and connections.

CMMC takes a broader organizational view. While the core focus remains on CUI protection, assessors evaluate your overall cybersecurity program—governance, policies, how security practices extend across your organization. CMMC assessments often examine more of your environment than a narrow DFARS self-assessment might.

Assessment and Certification Method

With DFARS, you complete a self-assessment, calculate your score based on which NIST SP 800-171 controls you've implemented, and submit that score to SPRS. The assessment is internal, and while you're expected to be honest, there's no independent verification.

CMMC replaces self-assessment with C3PAO evaluations for Level 2 and Level 3 certifications. Assessors review your documentation, test your controls, interview your staff, and issue a certification that's valid for three years. Level 1 still allows for self-assessment, but Levels 2 and 3 require independent verification.

Where DFARS 7012 and CMMC 2.0 Overlap

Here's the good news: DFARS and CMMC aren't separate, unrelated requirements. CMMC builds directly on the DFARS foundation, which means compliance work you've already done for DFARS translates directly to CMMC preparation.

Shared NIST SP 800-171 Controls

Both frameworks center on the 110 security controls defined in NIST SP 800-171. The controls are grouped into 14 security domains, including:

  • Access control: Limiting system access to authorized users
  • Incident response: Detecting and responding to security events
  • System and communications protection: Securing data in transit and at rest
  • Risk assessment: Identifying and managing security risks

If you've already implemented NIST SP 800-171 controls for DFARS compliance, you've completed the technical foundation for CMMC Level 2. The additional work for CMMC involves formalizing your documentation, implementing continuous monitoring, and preparing for third-party assessment.

Incident Reporting Expectations

Both DFARS and CMMC require you to report cyber incidents to the DoD within 72 hours. The reporting process flows through the DoD Cyber Crime Center, and you're required to preserve incident-related information for potential forensic analysis.

The overlap means you can develop a single incident response plan that satisfies both requirements. Your plan will include detection capabilities, response procedures, reporting workflows, and evidence preservation protocols that meet the DoD's security and compliance expectations.

System Security Plan Requirements

Both frameworks require a documented System Security Plan (SSP) that describes your information systems, security boundaries, and how you've implemented required controls. The SSP serves as the authoritative document that assessors use to evaluate your compliance, whether that's internal for DFARS or external for CMMC.

You can maintain one SSP that satisfies both DFARS and CMMC requirements. The key is making sure your SSP is comprehensive, current, and accurately reflects your actual security implementations rather than aspirational goals.

Mapping DFARS Controls to CMMC Practices and Levels

CMMC's tiered structure helps the DoD match security requirements to the sensitivity of information. Understanding how DFARS controls map to CMMC levels clarifies what additional work you might face.

Level 1 Mapping

CMMC Level 1 covers basic cyber hygiene practices drawn from Federal Acquisition Regulation (FAR) clause 52.204-21. This level applies to contractors who only handle Federal Contract Information (FCI)—information provided by or generated for the government that isn't intended for public release but doesn't rise to the level of CUI.

Level 1 includes 17 practices focused on foundational security like using antivirus software, limiting system access, and ensuring physical security. Organizations can self-assess for Level 1, making it the least burdensome certification level.

Level 2 Mapping

Level 2 is where DFARS and CMMC align most directly. This level requires implementation of all 110 NIST SP 800-171 controls, organized into CMMC's practice and capability structure. Most defense contractors will pursue Level 2 certification since CUI is common throughout the supply chain.

If you've fully implemented NIST SP 800-171 for DFARS compliance, you've already addressed the technical requirements for Level 2. The additional CMMC work involves documenting your practices, establishing management processes, and preparing for C3PAO assessment.

Level 3 Mapping

Level 3 adds advanced practices beyond NIST SP 800-171, drawing from NIST SP 800-172. This level is reserved for contractors working on high-value assets or programs that face advanced persistent threats. Requirements include enhanced threat hunting, advanced incident response capabilities, and more sophisticated security monitoring.

Only a small percentage of contractors will need Level 3 certification. The DoD will specifically identify which contracts require this level.

Steps to Prepare for Dual Compliance

The overlap between DFARS and CMMC means you can prepare efficiently without duplicating work. A strategic approach helps you satisfy both frameworks while minimizing compliance burden.

1. Conduct a Readiness Gap Analysis

Start by assessing your current DFARS compliance against CMMC Level 2 requirements. Map your existing controls to CMMC practices, identify gaps in implementation or documentation, and prioritize remediation based on risk and assessment timelines.

A thorough gap analysis reveals exactly where you stand and what work remains. The clarity helps you budget accurately and set realistic timelines.

2. Build or Update the System Security Plan

Your SSP is the foundation for both DFARS and CMMC compliance. Make sure it comprehensively documents your security boundary, asset inventory, control implementations, and how you've addressed each required practice.

Assessors will rely heavily on your SSP during evaluations. Investing time in creating a detailed, accurate SSP upfront streamlines the assessment process and reduces back-and-forth with auditors.

3. Remediate High-Risk Gaps

Prioritize controls that protect against the most significant threats or that appear in both DFARS and CMMC requirements. Focus on foundational capabilities like multi-factor authentication, encryption, access controls, and logging before moving to more advanced practices.

Addressing high-risk gaps first improves your actual security posture while demonstrating progress toward compliance.

4. Automate Continuous Evidence Collection

Manual compliance tracking through spreadsheets creates ongoing burden and increases the risk of missing control failures. Automated monitoring tools continuously test controls, collect evidence, and alert you to issues before they become assessment findings.

Continuous monitoring transforms compliance from periodic scrambles into ongoing readiness. When your assessment date arrives, you'll have current evidence readily available rather than scrambling to gather documentation.

Ready to streamline your DFARS and CMMC compliance? Book a demo to see how Drata automates evidence collection and continuous monitoring for defense contractors.

Common Pitfalls That Delay Certification

Even well-prepared organizations encounter obstacles during CMMC assessments. Knowing common pitfalls helps you avoid delays and additional costs.

Incomplete Asset Scoping

Failing to properly define your assessment boundary is one of the most frequent issues assessors identify. Your scope includes all systems that process, store, or transmit CUI, plus any systems that connect to or support those systems.

Scoping too narrowly leaves gaps that assessors will identify. Scoping too broadly increases your compliance burden unnecessarily. Work with experienced professionals to define a defensible boundary that protects CUI without encompassing your entire enterprise.

Manual Evidence Collection

Organizations that rely on spreadsheets and manual evidence gathering struggle to maintain current documentation. They often face assessment delays when they can't produce required evidence quickly. Manual processes also make it difficult to demonstrate continuous compliance between assessments.

Automated evidence collection eliminates bottlenecks. When your platform continuously monitors controls and collects evidence, you maintain audit readiness rather than scrambling during assessment windows.

Neglecting Subcontractor Flow-Down

Prime contractors are responsible for ensuring their subcontractors meet CMMC requirements when those subcontractors handle CUI. Failing to flow down requirements or verify subcontractor compliance creates supply chain vulnerabilities that can jeopardize your own certification.

Establish a vendor risk management program that tracks subcontractor certifications, monitors expiration dates, and confirms contract language properly flows down CMMC requirements.

Turn Overlap Into a Business Advantage With Drata

The overlap between DFARS and CMMC creates an opportunity: compliance work you do for one framework directly supports the other. Rather than viewing dual compliance as doubled burden, you can build a unified program that satisfies both requirements efficiently.

Drata's continuous compliance platform helps defense contractors automate evidence collection, monitor controls in real-time, and maintain assessment readiness across DFARS, CMMC, and other frameworks. By centralizing compliance activities and automating manual work, Drata transforms overlapping requirements from a cost center into a competitive advantage.

Book a demo to see how Drata helps defense contractors achieve and maintain DFARS and CMMC compliance with less manual effort and greater confidence.

FAQs About DFARS CMMC Compliance


Does ITAR require CMMC certification?

International Traffic in Arms Regulations (ITAR) has separate requirements focused on export control of defense articles and services. While ITAR and CMMC address different regulatory objectives, they often overlap in practice for defense contractors who handle both ITAR-controlled technical data and CUI. ITAR doesn't explicitly require CMMC certification, but contractors subject to both regimes will find that strong CMMC compliance supports ITAR obligations around access control and information protection.

Will DFARS 7012 be removed after CMMC 2.0 takes effect?

DFARS 252.204-7012 will remain in effect as the contractual requirement that establishes what contractors agree to do. CMMC changes how compliance is verified by shifting from self-attestation to third-party assessment, but it doesn't eliminate the underlying DFARS clause. Both frameworks will coexist, with CMMC serving as the verification mechanism for DFARS requirements.

How much can we expect to budget for a CMMC Level 2 assessment?

Assessment costs vary significantly based on organization size, system complexity, and the scope of your environment. While C3PAO fees typically range from $15,000 to $50,000 or more, the total cost of certification includes preparation work, gap remediation, and ongoing maintenance. Many organizations find that preparation and remediation costs exceed assessment fees, particularly if significant control gaps exist.


FEBRUARY 13, 2026