
DFARS Clauses Field Guide for CMMC Contractors 2026

Posted: May 21, 2026 to Compliance.

DFARS is the most misunderstood acronym in DoD contracting. Most contractors first encounter it as a paragraph reference buried inside a flowdown clause from their prime, often something like "Contractor shall comply with DFARS 252.204-7012", and immediately try to figure out what that means in plain English. By the time they finish, they have also discovered references to DFARS 252.204-7008, 7019, 7020, and 7021. Each of those clauses sits in a different spot in the contracting lifecycle. Each one points to a different obligation. Together, they form the legal scaffolding that makes CMMC enforceable across the Defense Industrial Base.

This 2026 field guide walks through every DFARS cybersecurity clause a Department of Defense contractor is likely to see in a contract today. We cover what each clause requires, how the clauses chain together, how they map to CMMC Level 1, Level 2, and Level 3, where Covered Defense Information (CDI) differs from Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), how the 72-hour cyber incident reporting workflow actually plays out at the Defense Industrial Base Network (DIBNet) portal, and how the Supplier Performance Risk System (SPRS) score under 7019 and 7020 ties into your CMMC Level 2 self-assessment posture. We end with the seven failure patterns we see most often inside Petronella Technology Group engagements and a plain-English mapping of what to do about them.

Craig Petronella, the founder of Petronella Technology Group, holds the CMMC Registered Practitioner (CMMC-RP) credential, the Cisco Certified Network Associate (CCNA), the Certified Wireless Network Expert (CWNE), the Digital Forensics Examiner (DFE #604180), and is MIT-Certified in Artificial Intelligence and Blockchain. Petronella Technology Group is a Cyber AB Registered Provider Organization, RPO #1449, with the entire delivery team holding the CMMC-RP credential. We have spent more than two decades sitting beside DoD contractors as the DFARS clause stack evolved from the 2013 interim rule through the 2017 NIST SP 800-171 deadline, the 2020 interim DFARS rule introducing 7019 through 7021, and the CMMC 2.0 program finalized in the 32 CFR Part 170 rulemaking that took effect December 16, 2024. The clauses below are the load-bearing pieces of that history.

What Is DFARS?

DFARS is the Defense Federal Acquisition Regulation Supplement. It is published at 48 CFR Chapter 2 and it supplements the broader Federal Acquisition Regulation (FAR) at 48 CFR Chapter 1. Where the FAR governs federal acquisitions across all civilian and defense agencies, DFARS adds Department of Defense specific requirements, including unique cybersecurity, supply chain, and intellectual property terms. The Department of Defense publishes DFARS as a coordinated set of clauses, provisions, and subparts inside the Defense Acquisition Regulations System.

For contractors, DFARS shows up two ways. The first is as a "provision" in a solicitation (an RFP or RFQ), where the provision is read by the bidder before award and may require a representation or certification as part of the proposal. The second is as a "clause" in the awarded contract, where the clause creates a binding obligation that flows down to subcontractors as the prime sees fit. The cybersecurity clauses you will care about are nearly all 252.204 series clauses. The series number 252 means "DFARS clauses and provisions", and 204 means the subject is "Administrative and Information Matters". The third number after the dash is the clause sequence.

The DFARS cybersecurity stack interacts with three other regimes you will see referenced inside DoD contracts. The first is the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), which control the export of defense articles and dual-use technologies. The second is NIST SP 800-171 Revision 2 (and, since Revision 3 was finalized in 2024, Revision 3 for new contracts), the security framework that DFARS 7012 incorporates by reference. The third is CMMC 2.0, the certification program that DFARS 7021 incorporates by reference. DFARS sits in the middle of all three. It is the legal connective tissue.

DFARS 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls

DFARS 252.204-7008 is a solicitation provision, not a clause. It appears in DoD solicitations expected to result in a contract that will include 7012. By submitting an offer in response to a solicitation containing 7008, a contractor represents that it will implement the security requirements in NIST SP 800-171 by the time of contract award, and that any deviations from the 800-171 baseline have been formally requested in writing and approved by the DoD Chief Information Officer.

The historical context matters. When DFARS 7012 was first finalized in 2016, the Department of Defense was concerned that contractors would discover NIST 800-171 obligations for the first time after award and would not have time to implement controls before performance started. The 7008 provision forces the conversation forward, into the pre-award stage, so that contractors can ask for variances or alternative measures before the contract is binding. In practice, 7008 is often skimmed by contractors because the language is dry and the offeror does not have to attach any artifact to the proposal. Treat it more carefully than that. The representation made under 7008 is a contractual statement about your security posture at the moment of award.

The 7008 provision is functionally a gate. It conditions eligibility for the award on a representation that the offeror either already implements 800-171 or has formally negotiated deviations. If you have a current Plan of Action and Milestones (POA&M) that materially deviates from 800-171, that POA&M does not automatically satisfy 7008. You may need to file a written deviation request with the DoD CIO before submitting the proposal, and you should document that decision inside your System Security Plan (SSP).

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

DFARS 252.204-7012 is the famous one. When DoD contractors say "DFARS compliance" without further qualification, they usually mean 7012. The clause carries two distinct obligations stacked on top of each other.

The first obligation is to provide "adequate security" on any contractor information system that processes, stores, or transmits Covered Defense Information (CDI). The clause defines adequate security as implementation of NIST SP 800-171 in its current published revision, with deviations only as approved through the 7008 process. The 800-171 baseline currently contains 110 security requirements organized into 14 control families ranging from Access Control and Audit and Accountability through Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

The second obligation is the cyber incident reporting requirement. When a contractor discovers a cyber incident that affects a covered contractor information system, the CDI on that system, or the contractor's ability to perform contract requirements that are designated as operationally critical support, the contractor must rapidly report the incident to the Department of Defense within 72 hours of discovery. Reports are filed through the Defense Industrial Base Network (DIBNet) portal at dibnet.dod.mil. The report itself follows a structured format that captures the affected system, the type of compromise, the CDI involved, the assessment of impact, and the contractor's response actions to date.

DFARS 7012 also imposes a forensic preservation obligation. When a cyber incident is reported, the contractor must preserve and protect images of all known affected information systems for at least 90 days from the submission of the incident report. The contractor must provide DoD with access to additional information and equipment to conduct a forensic analysis if requested. In practice this means that you cannot wipe and rebuild an affected workstation or server without retaining a forensic image first. We have seen contractors mishandle this step by reimaging endpoints during initial response and inadvertently destroying evidence that DoD later requested.

A third element of 7012 that surprises contractors is the cloud computing requirement. If the contractor uses an external cloud service provider to store, process, or transmit any CDI in performance of the contract, the cloud service provider must meet security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. For most commercial cloud workloads this means using a FedRAMP Moderate authorized service, such as Microsoft 365 GCC High, Microsoft Azure Government, AWS GovCloud, or Google Workspace with Assured Controls offerings that have achieved FedRAMP Moderate or higher. Standard commercial Microsoft 365 (the "commercial" or "GCC" mid-tier) does not meet the equivalency requirement for many CDI workloads, and this is one of the most common sources of confusion we see inside SSPs.

Finally, 7012 contains an explicit flowdown clause. The prime contractor must include the substance of 7012 in subcontracts (including subcontracts for the acquisition of commercial items, other than commercially available off-the-shelf items) where subcontract performance will involve covered defense information. The flowdown is not optional. A prime contractor that fails to flow the clause down to a CDI-handling subcontractor is in breach of its own DFARS obligation.

DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7019 is a solicitation provision that took effect with the November 30, 2020 interim rule. It tells offerors that, before contract award, they must have a current NIST SP 800-171 DoD Assessment on record in the Supplier Performance Risk System (SPRS). "Current" means the assessment is not more than three years old, unless the contract specifies a different recency requirement.

The 7019 provision does not by itself require the contractor to perform any new assessment activity beyond what 7012 already implied. What it requires is that the offeror's most recent NIST 800-171 Basic Assessment score, calculated using the DoD Assessment Methodology, be posted to SPRS as a precondition for award. The methodology assigns a starting score of 110 to a perfectly compliant environment and subtracts one, three, or five points per unimplemented requirement depending on the severity weighting assigned to that control. The lowest possible score is negative 203.

This is where the SPRS calculator on our site fits in. Most contractors first learn about SPRS scoring when they read 7019 in a solicitation, do the math on their current control gaps, and discover their score is negative. A negative SPRS score does not automatically disqualify the offer (the score is "informational" for contracting officers in most acquisitions), but it does create a visible record of cybersecurity posture that the contracting officer can weight in the source selection decision. A contractor responding to a competitive solicitation with a negative SPRS score and no POA&M is in a measurably weaker competitive position than one with a positive score and a written remediation plan.

The 7019 provision also distinguishes among three types of NIST 800-171 DoD Assessments. A Basic Assessment is a contractor self-assessment, scored against the DoD methodology, posted to SPRS by the contractor. A Medium Assessment is performed by DoD personnel and includes documentation review. A High Assessment is performed by DoD personnel and includes on-site verification. For most Level 2 environments, the Basic self-assessment posted to SPRS is what 7019 expects. For programs identified as priority acquisitions or for contractors flagged by DoD risk management, a Medium or High Assessment may be required and is performed by DCMA DIBCAC (the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center).

DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements

DFARS 252.204-7020 is the contract clause that pairs with the 7019 provision. Where 7019 sits in the pre-award stage (a representation made by the offeror), 7020 sits in the executed contract (an ongoing obligation during performance). The clause requires the contractor to maintain the SPRS posting, update it as the security posture changes, and provide DoD access to its facilities, systems, and personnel if a Medium or High Assessment is conducted during the contract.

The 7020 clause also imposes a subcontractor flowdown. Before awarding a subcontract or other contractual instrument that involves covered defense information, the prime contractor must ensure that the subcontractor has a current NIST SP 800-171 DoD Assessment posted to SPRS. The prime does not have to verify the subcontractor's score in any particular range, but the prime does have to confirm that an assessment exists and is current. This subcontractor flowdown requirement has driven a lot of supply chain visibility work that did not exist before 2020. Primes now routinely include SPRS confirmation as a pre-award step in their subcontractor onboarding workflow.

One operational nuance worth flagging is that the SPRS posting under 7020 is a contractor-level record, not a contract-level record. A contractor that holds multiple DoD contracts posts one current NIST 800-171 Assessment that covers all systems in scope for any of those contracts. The score is recalculated when the contractor's security posture materially changes. There is no per-contract SPRS score. This creates an incentive to define the assessment scope correctly the first time, because every DoD contract you hold is reading the same SPRS record.

DFARS 252.204-7021: Contractor Compliance with the CMMC Level Requirement

DFARS 252.204-7021 is the clause that legally connects CMMC to DoD contracts. The clause requires that contractors and subcontractors maintain the CMMC certification level specified in the solicitation throughout the life of the contract. The 7021 clause was reserved during the CMMC 2.0 rulemaking and is being phased into DoD contracts under the implementation timeline that started after the December 16, 2024 effective date of 32 CFR Part 170.

Three things are worth understanding about 7021. First, the clause incorporates the CMMC Level by reference. The actual scoping (Level 1, Level 2, or Level 3) is set in the solicitation itself, not in the clause text. The clause is the legal hook. The Level decision lives in the acquisition strategy of the buying activity. Second, the clause flows down to subcontractors that will receive Federal Contract Information (for Level 1) or Controlled Unclassified Information (for Level 2 or Level 3). The subcontractor must achieve the same Level (or, in some cases, a tailored lower Level appropriate to the information it actually handles). Third, the clause makes CMMC certification a continuing obligation, not a one-time event. A contractor that loses certification mid-contract is in breach.

The CMMC Level system itself is documented in our CMMC compliance guide and in the per-Level breakdowns under CMMC compliance. The short version is that Level 1 covers 15 basic safeguarding controls drawn from FAR 52.204-21, applicable when a contractor handles only Federal Contract Information. Level 2 covers all 110 NIST SP 800-171 controls and is required when a contractor handles Controlled Unclassified Information. Level 3 covers Level 2 plus a subset of NIST SP 800-172 enhanced security requirements and is required for contractors supporting programs facing advanced persistent threat actors. Level 1 is a self-assessment. Level 2 is split between self-assessment (for some non-prioritized acquisitions) and third-party assessment by a Certified Third Party Assessment Organization (C3PAO). Level 3 is a government-led assessment by DCMA DIBCAC.

How the DFARS Clauses Chain Together

The five clauses above are not independent. They form a chain that runs from solicitation to award to performance to renewal. Reading them together makes more sense than reading them individually.

| Stage | Clause | What it does |
| --- | --- | --- |
| Pre-award (solicitation) | 252.204-7008 | Offeror represents that it implements NIST 800-171 or has approved deviations |
| Pre-award (solicitation) | 252.204-7019 | Offeror confirms a current NIST 800-171 DoD Assessment is posted to SPRS |
| Performance (contract clause) | 252.204-7012 | Contractor implements 800-171, reports cyber incidents within 72 hours, preserves forensics, uses FedRAMP Moderate equivalent cloud |
| Performance (contract clause) | 252.204-7020 | Contractor maintains SPRS posting, allows DoD access for Medium and High Assessments, flows down to CDI subcontractors |
| Performance (contract clause) | 252.204-7021 | Contractor maintains CMMC certification at the Level specified in the solicitation throughout the contract |

Read top to bottom, the chain is intuitive. The solicitation sets the cybersecurity bar (7008, 7019). The contract enforces the bar during performance (7012, 7020, 7021). The contractor proves compliance through SPRS posting (7019, 7020), incident reporting (7012), and CMMC certification (7021). The certification under 7021 is the highest-confidence artifact in the chain because it is third-party assessed for Level 2 and government-assessed for Level 3.

One practical consequence of the chain is that SPRS scoring and CMMC certification are not redundant. SPRS is a self-asserted snapshot of NIST 800-171 implementation. CMMC is a periodically renewed third-party (or government) attestation. The two coexist. A contractor with a strong SPRS score and no CMMC certification cannot satisfy a 7021 contract clause. A contractor with a current CMMC certification but a stale SPRS posting can still be in breach of 7020.

CDI vs CUI vs FCI: The Terminology Reconciliation

The terminology around protected information inside DoD contracts is messier than it needs to be. Three terms come up most often and they overlap but are not identical.

Federal Contract Information (FCI) is defined in FAR 52.204-21 as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. FCI is the broadest category. Any non-public information that a federal contract gives you, or that you generate in performance of the contract, is FCI by default. CMMC Level 1 was scoped to FCI.

Controlled Unclassified Information (CUI) is defined in 32 CFR Part 2002 and managed by the National Archives and Records Administration (NARA) under Executive Order 13556. CUI is a government-wide designation for information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy but is not classified. The CUI Registry at archives.gov/cui defines categories such as Controlled Technical Information, Defense Critical Infrastructure Security Information, Export Controlled, and dozens of others. CMMC Level 2 was scoped to CUI.

Covered Defense Information (CDI) is the DFARS-specific term used in 7012. CDI is defined as unclassified controlled technical information or other information described in the CUI Registry that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, and that is provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

In practical terms, CDI is the DoD subset of CUI. A piece of information is CDI if it is CUI and it touches a DoD contract. The 7012 clause uses CDI rather than CUI for historical reasons (7012 predates the finalized CUI program), but the overlap is nearly complete. We recommend that contractors handling DoD work treat CDI and CUI as functionally identical for compliance scoping purposes, recognizing that there is a small population of information that is CDI but does not appear in the NARA CUI Registry (mostly legacy Controlled Technical Information designations).

The flowdown logic is easier when you keep the three terms straight. FCI flows down with FAR 52.204-21. CDI flows down with DFARS 252.204-7012. CUI is the regulatory parent category that captures both, depending on context. If you are a Level 2 contractor and you are asked whether your environment handles CUI, the answer is almost always yes if you also handle CDI under a DoD contract. The reverse is not necessarily true (some CUI is held outside DoD contracting), but for Defense Industrial Base purposes the two terms point to the same data set.

The 72-Hour Cyber Incident Reporting Walkthrough

The 72-hour reporting requirement under DFARS 7012 is one of the most misunderstood obligations in the clause. The clock starts at "discovery", which the clause defines as the moment the contractor identifies a cyber incident that affects a covered contractor information system, the CDI on that system, or the contractor's ability to perform contract requirements that are designated as operationally critical support. Discovery is a knowledge standard, not a confirmation standard. As soon as the contractor's security team has reason to believe an incident has occurred, the 72-hour window opens.

The report is filed through the Defense Industrial Base Network at dibnet.dod.mil. To file, the contractor must have a DoD-approved medium assurance certificate (an external certificate authority credential issued by an approved provider such as IdenTrust or DigiCert). Provisioning the medium assurance certificate takes several business days, which means contractors that wait until they have an active incident to start the provisioning process will miss the 72-hour window. The remediation is to provision the certificate during initial DFARS 7012 implementation, not during incident response. Every contractor that processes CDI should have at least two people with active DIBNet credentials and a documented incident reporting playbook before any incident occurs.

The DIBNet incident report itself captures structured fields including the contract number, the affected information system, the date and time of incident discovery, the date and time of incident occurrence (if known), the type of compromise (unauthorized access, malware, data exfiltration, denial of service, other), the CDI involved (with a description and an estimated volume), the impact assessment (operational impact and information impact), and the response actions taken to date. The report can be updated as the investigation progresses. The initial 72-hour report does not need to be complete, but it must be filed.

After the report is filed, DoD may request additional information. The contractor must preserve forensic images of affected systems for 90 days following the report submission, in case DoD wants to conduct its own forensic analysis. If DoD requests access to the system or images, the contractor must provide it. The Defense Cyber Crime Center (DC3) is the typical analytical entity that consumes incident reports.

One nuance is that the 72-hour clock applies to the initial report, not to the resolution of the incident. A contractor that files a complete report within 72 hours of discovery has satisfied the clause even if the investigation continues for months. Conversely, a contractor that resolves the incident inside 72 hours but does not file the DIBNet report is in breach. The reporting obligation and the response obligation are separate.
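The two clocks described above (72 hours from discovery for the initial DIBNet report, 90 days from report submission for forensic preservation) are easy to get wrong in the middle of an incident, so it helps to encode them in the playbook. The checker below is an added example written for this guide, not a tool from the original post or from DIBNet; the incident timestamps are constructed, and the only rule thresholds it uses are the ones stated in the text. It treats resolution and reporting as separate obligations, flags a rebuild done before an image was taken, and flags image disposal before the preservation window ends.

```python
"""Timeline checker for the DFARS 252.204-7012 reporting and preservation clocks.

Added example (not the post's or DIBNet's code). Thresholds come from the clause as
described in the text: 72 hours from discovery, 90 days from report submission.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REPORT_WINDOW = timedelta(hours=72)       # clock starts at discovery (knowledge standard)
PRESERVATION_WINDOW = timedelta(days=90)  # clock starts at DIBNet report submission


@dataclass
class Incident:
    discovered_at: datetime                        # first reason to believe an incident occurred
    reported_at: Optional[datetime] = None         # initial DIBNet submission, if any
    resolved_at: Optional[datetime] = None         # containment and eradication complete
    image_captured: bool = False                   # forensic image taken before any rebuild
    reimaged_at: Optional[datetime] = None         # when an affected system was wiped/rebuilt
    images_disposed_at: Optional[datetime] = None  # when preserved images were deleted


def report_deadline(inc: Incident) -> datetime:
    return inc.discovered_at + REPORT_WINDOW


def preservation_end(inc: Incident) -> Optional[datetime]:
    # No report yet means the preservation clock has not started.
    if inc.reported_at is None:
        return None
    return inc.reported_at + PRESERVATION_WINDOW


def violations(inc: Incident, now: datetime) -> List[str]:
    """Return clause violations visible as of `now` (empty list means none found)."""
    found: List[str] = []
    deadline = report_deadline(inc)

    # Reporting clock: resolving the incident does not substitute for the report.
    if inc.reported_at is None:
        if now > deadline:
            found.append("no initial DIBNet report within 72 hours of discovery")
    elif inc.reported_at > deadline:
        hours_late = (inc.reported_at - deadline) / timedelta(hours=1)
        found.append(f"initial DIBNet report filed {hours_late:.0f} hours late")

    # Preservation: "preserve before remediate".
    if inc.reimaged_at is not None and not inc.image_captured:
        found.append("affected system reimaged before a forensic image was captured")

    end = preservation_end(inc)
    if end is not None and inc.images_disposed_at is not None and inc.images_disposed_at < end:
        found.append("forensic images disposed before the 90-day preservation window ended")
    return found


# Constructed scenarios (timestamps are made up for the example).
T0 = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
D = timedelta(days=1)

SCENARIOS = {
    # Fixed fast, never reported: still a breach once 72 hours pass.
    "resolved_not_reported": (Incident(T0, resolved_at=T0 + 20 * H, image_captured=True), T0 + 80 * H),
    # Reported inside the window, investigation still open a month later: compliant.
    "reported_still_open": (Incident(T0, reported_at=T0 + 60 * H, image_captured=True), T0 + 30 * D),
    # Endpoint rebuilt during triage with no image taken.
    "reimaged_without_image": (Incident(T0, reported_at=T0 + 48 * H, reimaged_at=T0 + 10 * H), T0 + 5 * D),
    # Images deleted 30 days after the report, well short of 90.
    "images_disposed_early": (
        Incident(T0, reported_at=T0 + 24 * H, image_captured=True, images_disposed_at=T0 + 24 * H + 30 * D),
        T0 + 100 * D,
    ),
}


def run_scenarios() -> Dict[str, List[str]]:
    return {name: violations(inc, now) for name, (inc, now) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, found in run_scenarios().items():
        print(f"{name}: {found or 'no violations'}")
```

The `now` argument matters: a record with no report is not a violation until the 72-hour deadline has actually passed, which lets the same function drive a "time remaining" alert during an open incident and a retrospective check afterwards.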

Coverage of incident response services under our portfolio assumes that contractors will need help with all three phases: the pre-incident preparation (medium assurance certificate provisioning, playbook development, tabletop exercises), the 72-hour reporting itself (DIBNet form preparation, structured intake), and the post-report forensic preservation (90-day chain of custody, DoD coordination, DC3 follow-up). Each phase has different staffing and tooling requirements, and trying to compress all three into one workflow during an active incident is how contractors miss the reporting window.

SPRS Scoring Under 252.204-7019 and 7020

The DoD Assessment Methodology assigns scoring weights to each of the 110 NIST SP 800-171 requirements. The starting score is 110. Each unimplemented requirement subtracts 1, 3, or 5 points depending on the severity weighting. The methodology categorizes requirements by their relative impact on the security of the overall system. Five-point requirements are the highest-impact controls (think multifactor authentication for privileged accounts, FIPS-validated cryptography for CUI in transit and at rest, comprehensive audit logging). Three-point requirements are moderate-impact controls. One-point requirements are still important but less central to overall security posture.

The lowest possible score is negative 203. The math is straightforward: if every requirement is unimplemented, the deductions sum to 313 points, subtracted from the starting 110, yielding negative 203. In practice, contractors that complete an honest self-assessment for the first time often land between negative 50 and positive 50, which surprises them because most DoD contractors believe they are in better shape than they are.

The DoD Assessment Methodology also includes a "Plan of Action" allowance. A contractor with an unimplemented requirement that is on a documented POA&M with a target completion date can still post a score above zero by counting the planned remediation. The POA&M is itself a deliverable. It must identify the unimplemented requirement, the specific deficiency, the remediation steps, and the target completion date. Some requirements are not POA&M-eligible under the methodology (the highest-impact controls must be implemented, not planned). The CMMC 2.0 program limits POA&M closeout windows to 180 days following the assessment date and prohibits POA&Ms for certain critical controls entirely.
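The arithmetic above (start at 110, subtract 1, 3, or 5 points per unimplemented requirement) is simple enough to encode, and doing so makes the POA&M rules easy to check at the same time. The script below is an added example written for this guide; it is not the site's SPRS calculator and not DoD's methodology document. The per-requirement weights in the sample are illustrative values chosen for the example (the authoritative weight for each requirement is in the DoD Assessment Methodology's scoring annex), and it assumes every unimplemented requirement is deducted whether or not it is on a POA&M, with the POA&M validated separately against the not-eligible rule and the 180-day closeout window from the text.

```python
"""SPRS-style scoring plus POA&M aging check for NIST SP 800-171 requirements.

Added example (not the site's calculator). Sample weights are illustrative; take
real per-requirement weights from the DoD Assessment Methodology scoring annex.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

START_SCORE = 110         # score of a fully implemented environment
POAM_CLOSEOUT_DAYS = 180  # CMMC 2.0 closeout cap following the assessment date
VALID_WEIGHTS = {1, 3, 5}


@dataclass
class Requirement:
    req_id: str                         # NIST SP 800-171 requirement number, e.g. "3.5.3"
    weight: int                         # points deducted if unimplemented: 1, 3 or 5
    implemented: bool
    poam_eligible: bool = True          # False for controls that must be implemented, not planned
    poam_target: Optional[date] = None  # target completion date on the POA&M, if any


def deduction(req: Requirement) -> int:
    if req.weight not in VALID_WEIGHTS:
        raise ValueError(f"{req.req_id}: weight must be 1, 3 or 5")
    return 0 if req.implemented else req.weight


def sprs_score(reqs: List[Requirement]) -> int:
    # Assumption: a planned (POA&M) item is still unimplemented and still deducted;
    # the POA&M is tracked separately rather than restoring points.
    return START_SCORE - sum(deduction(r) for r in reqs)


def poam_findings(reqs: List[Requirement], assessment_date: date, today: date) -> List[Tuple[str, str]]:
    """Flag unimplemented requirements whose POA&M handling would not survive an assessment."""
    findings: List[Tuple[str, str]] = []
    for r in reqs:
        if r.implemented:
            continue
        if not r.poam_eligible:
            findings.append((r.req_id, "not POA&M-eligible: must be implemented before posting"))
        elif r.poam_target is None:
            findings.append((r.req_id, "unimplemented with no POA&M entry"))
        elif (r.poam_target - assessment_date).days > POAM_CLOSEOUT_DAYS:
            findings.append((r.req_id, f"POA&M target exceeds the {POAM_CLOSEOUT_DAYS}-day closeout window"))
        elif r.poam_target < today:
            findings.append((r.req_id, f"POA&M item overdue by {(today - r.poam_target).days} days"))
    return findings


# Constructed sample: six requirements with illustrative weights; every requirement
# not listed is assumed implemented so the score only reflects these gaps.
ASSESSED = date(2026, 1, 15)
SAMPLE = [
    Requirement("3.1.1", 5, True),
    Requirement("3.5.3", 5, False, poam_eligible=False, poam_target=ASSESSED + timedelta(days=120)),
    Requirement("3.3.1", 5, False, poam_target=ASSESSED + timedelta(days=90)),
    Requirement("3.3.2", 3, False),
    Requirement("3.1.22", 1, False, poam_target=ASSESSED + timedelta(days=300)),
    Requirement("3.8.4", 1, True),
]


def sample_report(today: date = ASSESSED + timedelta(days=100)):
    return sprs_score(SAMPLE), poam_findings(SAMPLE, ASSESSED, today)


if __name__ == "__main__":
    score, findings = sample_report()
    print(f"SPRS score: {score}")
    for req_id, message in findings:
        print(f"  {req_id}: {message}")
```

Running it on the sample gives a score of 96 and four POA&M findings: one control that cannot be planned at all, one gap with no POA&M entry, one target date past the closeout window, and one item that is already overdue. The point of keeping the POA&M check separate from the score is that a posted number says nothing about whether the supporting POA&M would hold up, and both are read from the same SPRS record.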

For Level 2 self-assessment contractors, the SPRS posting is also the certification record. The contractor uploads a current score, an assessment date, a CAGE code list covering the in-scope assets, and a date by which the next assessment will be performed. For Level 2 C3PAO-assessed contractors and Level 3 DIBCAC-assessed contractors, the assessment artifact comes from the assessor and is posted to SPRS as a separate certification record. The 7019 provision and 7020 clause both reference the SPRS record as the authoritative source.

The SPRS calculator on our site walks contractors through a structured 110-requirement scoring exercise, surfaces the highest-impact gaps first, and generates a working draft of the SPRS posting and the supporting POA&M. The calculator is intentionally non-trivial because the methodology itself is non-trivial. A contractor that posts a score without doing the underlying assessment work is taking on enforcement risk under the False Claims Act if the score is later challenged.

DFARS to CMMC Level 1, Level 2, and Level 3 Mapping

The DFARS clauses do not map one-to-one to CMMC Levels, but the chain is consistent. Here is the explicit mapping.

| CMMC Level | Information Scope | DFARS Clauses In Play | Assessment |
| --- | --- | --- | --- |
| Level 1 | Federal Contract Information (FCI) only | FAR 52.204-21 is the primary control set. DFARS 7021 may flow down if the contract scope includes Level 1. | Annual self-assessment, no third party |
| Level 2 | Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) | DFARS 7008, 7012, 7019, 7020, and 7021. NIST SP 800-171 R2 (transitioning to R3) is the control baseline. | Self-assessment for non-prioritized acquisitions, C3PAO assessment for prioritized acquisitions (every 3 years) |
| Level 3 | CUI and CDI on programs facing advanced persistent threat actors | DFARS 7008, 7012, 7019, 7020, and 7021. NIST SP 800-171 R2 plus a subset of NIST SP 800-172 enhanced requirements. | Government-led DCMA DIBCAC assessment (every 3 years) |

Two operational notes are worth flagging. First, the DFARS clauses themselves do not change between Level 2 and Level 3. The same five clauses apply. What changes is the underlying control baseline (800-171 alone for Level 2, 800-171 plus 800-172 enhancements for Level 3) and the assessment regime (self or C3PAO for Level 2, DIBCAC for Level 3). The 7021 clause is the only clause that explicitly references the Level. Second, Level 1 contractors who handle FCI only and never touch CUI or CDI are not subject to 7012. The 7012 clause is CDI-triggered. A pure Level 1 environment does not need DIBNet credentials, FedRAMP Moderate cloud, or 800-171 implementation. The 7021 clause may still apply if the contract specifies Level 1, but the operational obligations are much lighter.

For most DoD contractors handling CDI, the practical answer is Level 2. Level 2 is the workhorse certification of the CMMC program, and the DFARS clause stack (7008, 7012, 7019, 7020, 7021) was designed to enforce it. Level 3 is reserved for a small subset of high-priority programs, typically those involving advanced weapons systems, missile defense, nuclear command and control, or other programs identified by DoD as facing APT-level adversaries. If you are not sure which Level applies, read the solicitation carefully and ask the contracting officer.

Common DFARS Compliance Failures

Across more than two decades of DoD contractor engagements at Petronella Technology Group, we see the same categories of DFARS failure repeat across environments of all sizes. The list below is not exhaustive, but it captures the patterns that show up most often during gap analysis and pre-assessment readiness reviews.

Failure 1: Treating commercial Microsoft 365 as FedRAMP Moderate equivalent. The Microsoft 365 commercial offering, including the standard Business Premium and Enterprise E3 or E5 SKUs in the commercial cloud, does not meet the FedRAMP Moderate equivalency requirement in DFARS 7012 for most CDI workloads. The required path for CDI on Microsoft is either GCC High or, in some cases, Azure Government with appropriate CUI controls. Contractors that migrate to commercial Microsoft 365 without checking the FedRAMP equivalency of the underlying service have created a 7012 compliance gap. The remediation is a Microsoft 365 tenant migration, which is expensive and disruptive. Far better to catch this in the SSP scoping phase than during a C3PAO assessment.

Failure 2: Missing DIBNet medium assurance certificates. Contractors that have never filed a DIBNet incident report often discover during a tabletop exercise that no one on the team has an active medium assurance certificate. Provisioning the certificate takes one to two weeks under best-case conditions. During an active incident, that delay would push past the 72-hour reporting window. The remediation is to provision certificates for at least two members of the incident response team during initial DFARS 7012 implementation, not later. Annual recertification should be on the calendar.

Failure 3: Stale SPRS postings. The SPRS posting under 7020 must reflect the current security posture. Contractors that posted a score in 2022 and never updated it as controls were added, decommissioned, or modified are out of compliance even if the current posture is stronger than the stale score. The remediation is to re-assess at least annually and to push updated scores to SPRS as material changes occur. The DoD Assessment Methodology supports incremental updates.

Failure 4: Forensic image destruction during initial response. Incident response teams trained on commercial breach playbooks often reimage affected endpoints quickly to restore productivity. DFARS 7012(e) requires the contractor to preserve and protect images of all known affected information systems, plus all relevant monitoring and packet capture data, for at least 90 days from submission of the cyber incident report so that DoD can request the media or decline interest. Reimaging without first capturing the image is a clause violation, and it also destroys the evidence that the 7012(f) forensic access obligation assumes you still hold. The remediation is to add a forensic imaging step to the incident response playbook and to train operations staff that "preserve before remediate" applies in any incident involving a system that processes CDI.

Failure 5: Subcontractor flowdown gaps. Each clause carries its own flowdown rule: 7012 flows to subcontracts that involve CDI or operationally critical support, 7020 flows to any subcontract where the subcontractor must implement NIST SP 800-171, and 7021 flows to all subcontracts. Primes that fail to flow these clauses down to CDI-handling subcontractors are in breach of their own clauses; the flowdown obligation is explicit and is enforced in DCMA reviews, and 7020(g) separately requires the prime to confirm that the subcontractor has a current summary level score in SPRS before award. The remediation is to embed the DFARS clause flowdown in the subcontractor onboarding checklist and to verify the subcontractor's SPRS posting before any CDI is shared. The Defense Counterintelligence and Security Agency's supply chain risk assessments increasingly look for this.

Failure 6: POA&M items that never close. Under the DoD Assessment Methodology an unimplemented requirement still costs its full point deduction; the POA&M only records the date by which the contractor plans to close it. Contractors sometimes treat the POA&M as a permanent shelter for difficult controls. Under CMMC 2.0 (32 CFR 170.21), a Level 2 conditional certification requires a score of at least 88 out of 110, the POA&M must close within 180 days of the assessment, and requirements weighted above 1 point (except 3.13.11 where non-FIPS encryption is in place) and the five specifically excluded requirements 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5 cannot be on the POA&M at all. A POA&M with line items that have rolled forward for two or three years will not survive a C3PAO assessment. The remediation is to track POA&M aging and close items aggressively, not to keep adding new ones.

Failure 7: Scoping the environment too narrowly. Contractors sometimes carve out a small "CUI enclave" inside a larger network and assume only the enclave is in scope. The NIST SP 800-171 boundary analysis, and the CMMC Level 2 scoping guide that formalizes it, put in scope any system that processes, stores, or transmits CDI plus any system that provides security functions to those systems (the CMMC guide calls these Security Protection Assets: logging, monitoring, identity, configuration management). Identity providers, SIEM platforms, backup systems, and remote access infrastructure are commonly underscoped. The remediation is to perform a rigorous scoping analysis at the SSP build phase and to revisit it whenever the architecture changes.

Petronella Technology Group DFARS and CMMC Services

Petronella Technology Group is a Cyber AB Registered Provider Organization, RPO #1449, headquartered at 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. Our entire CMMC delivery team holds the CMMC Registered Practitioner credential. Craig Petronella, the founder, holds the CMMC-RP, CCNA, CWNE, DFE #604180, and MIT-Certified credentials in Artificial Intelligence and Blockchain. We have been delivering DoD contractor cybersecurity work since 2002 and have been Better Business Bureau A+ rated since 2003.

For DFARS and CMMC engagements we offer three main service paths. The first is gap analysis and SSP build, where we map your current environment against NIST SP 800-171 R2 (or R3 for newer contracts), produce a System Security Plan, build the supporting Plan of Action and Milestones, and post your initial SPRS score under DFARS 7019 and 7020. This work typically runs 8 to 14 weeks depending on environment complexity and is delivered as a fixed-fee engagement.

The second is policy and procedure automation through ComplianceArmor, our SaaS platform for compliance documentation. ComplianceArmor generates SSPs, POA&Ms, incident response plans, configuration management plans, and the other policy artifacts required under 800-171 and CMMC. The platform pulls from a curated library of DoD-aligned templates and customizes them for your environment. ComplianceArmor pricing starts at $497/mo for the entry tier and scales with the size of your in-scope environment.

The third is private AI infrastructure for CUI workloads. Most commercial AI services (ChatGPT, Microsoft Copilot, Google Gemini, Anthropic Claude through public endpoints) are not authorized for CUI under DFARS 7012 because they do not meet FedRAMP Moderate equivalency for the underlying inference infrastructure. Petronella Technology Group operates a private AI cluster on our own hardware that keeps CUI on-premises and out of public LLM endpoints. This matters increasingly as contractors want to use AI for tasks like RFP response drafting, technical analysis, and engineering documentation that touch CUI. The private AI offering integrates with our managed XDR services and our incident response practice.

We are not the largest CMMC RPO in the country, and we are honest about that. What we are is a 24-year cybersecurity firm with full-team CMMC-RP certification, proprietary compliance tooling, and private AI capable of handling CUI without sending it to a public model. For DoD contractors that value practitioner continuity, fixed-fee scoping, and drivable Southeast and Mid-Atlantic coverage, we are designed for you. For more details, call (919) 348-4912 or reach our team through the contact form.

Frequently Asked Questions

What is the difference between DFARS 7012 and DFARS 7021?

DFARS 252.204-7012 requires implementation of NIST SP 800-171 and 72-hour cyber incident reporting through DIBNet. DFARS 252.204-7021 requires maintenance of the CMMC certification Level specified in the solicitation. Both clauses can apply to the same contract. 7012 is the operational and reporting clause. 7021 is the certification clause. A Level 2 contractor must comply with both.

Do I need to comply with DFARS 7012 if I only handle Federal Contract Information?

No. The DFARS 7012 safeguarding and reporting obligations are triggered by Covered Defense Information, a DoD subset of Controlled Unclassified Information. Contractors handling only Federal Contract Information (FCI) under FAR 52.204-21 do not pick up those obligations, even though the clause text itself appears in most DoD contracts. They may still be subject to DFARS 7021 if the contract specifies CMMC Level 1, but the Level 1 obligations (the 15 FAR 52.204-21 safeguarding requirements and an annual self-assessment) are much lighter than Level 2.

How is the SPRS score calculated under the DoD Assessment Methodology?

The starting score is 110. Each unimplemented NIST SP 800-171 requirement subtracts 1, 3, or 5 points according to the weight assigned to it in the DoD Assessment Methodology; two requirements, 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated encryption), carry a reduced 3-point deduction when partially implemented. The lowest possible score is negative 203. A POA&M does not restore points: the posting records the date the POA&M will close, and the deduction stands until the requirement is implemented and re-scored. Under CMMC 2.0 a Level 2 conditional certification requires a score of at least 88 (0.8 times 110), a POA&M closed within 180 days, and no POA&M items on requirements weighted above 1 point (except 3.13.11 when non-FIPS encryption is in place) or on 3.1.20, 3.1.22, 3.10.3, 3.10.4, and 3.10.5. The SPRS calculator walks through the math.
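The scoring rules above, together with the POA&M eligibility rules behind Failure 6 earlier on this page, are easier to check mechanically than by hand. The Python below is an added example written for this guide (it is not DoD, SPRS, or Petronella tooling): it scores a constructed posture under the DoD Assessment Methodology and then applies the 32 CFR 170.21 conditional-certification tests. The weight table covers only a handful of requirements and should be treated as illustrative; the posture is made up; load the full Annex A weight table for a real run.

```python
"""SPRS score and CMMC Level 2 POA&M eligibility check (added example)."""
from datetime import date, timedelta
from typing import Dict, List

# Requirement weights per the DoD Assessment Methodology Annex A. Only a
# sample is listed here for illustration (assumed values; verify against the
# annex and load all 110 requirements for a real assessment).
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.1.20": 1, "3.1.22": 1,
    "3.5.3": 5, "3.10.3": 1, "3.10.4": 1, "3.10.5": 1, "3.13.11": 5,
    "3.14.1": 5, "3.14.2": 5,
}
# The methodology reduces the deduction to 3 points for two partially met
# requirements: 3.5.3 (MFA for remote/privileged but not general users) and
# 3.13.11 (encryption in place but not FIPS-validated).
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
# 32 CFR 170.21: never POA&M-eligible regardless of their 1-point weight.
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}
MAX_SCORE = 110
MIN_CONDITIONAL_SCORE = 88      # 0.8 * 110
POAM_CLOSEOUT_DAYS = 180

# requirement id -> "implemented" | "partial" | "not_implemented";
# any requirement absent from the dict is treated as implemented.
Status = Dict[str, str]


def sprs_score(status: Status, weights: Dict[str, int] = WEIGHTS) -> int:
    """Summary level score: 110 minus the weighted deduction per open item."""
    score = MAX_SCORE
    for req, state in status.items():
        if state == "implemented":
            continue
        if state == "partial" and req in PARTIAL_DEDUCTION:
            score -= PARTIAL_DEDUCTION[req]
        else:
            # "partial" on any other requirement earns no credit at all.
            score -= weights[req]
    return score


def poam_blockers(status: Status, weights: Dict[str, int] = WEIGHTS) -> List[str]:
    """Reasons a Level 2 conditional certification would be refused (empty = eligible)."""
    blockers: List[str] = []
    score = sprs_score(status, weights)
    if score < MIN_CONDITIONAL_SCORE:
        blockers.append(f"score {score} is below the {MIN_CONDITIONAL_SCORE} floor")
    for req, state in status.items():
        if state == "implemented":
            continue
        if req in NEVER_POAM:
            blockers.append(f"{req} may never be placed on a POA&M")
        elif weights[req] > 1 and not (req == "3.13.11" and state == "partial"):
            blockers.append(f"{req} is weighted {weights[req]} and is not POA&M-eligible")
    return blockers


def poam_deadline(assessment_iso: str) -> str:
    """Last day to close the POA&M: 180 days after the assessment date."""
    deadline = date.fromisoformat(assessment_iso) + timedelta(days=POAM_CLOSEOUT_DAYS)
    return deadline.isoformat()


def closeout_overdue(assessment_iso: str, today_iso: str, open_items: List[str]) -> List[str]:
    """Failure 6 check: items still open after the 180-day window has passed."""
    if date.fromisoformat(today_iso) <= date.fromisoformat(poam_deadline(assessment_iso)):
        return []
    return sorted(open_items)


# Constructed sample posture; not real assessment data.
SAMPLE_STATUS: Status = {
    "3.1.5": "not_implemented",   # -3, weighted above 1 so not POA&M-eligible
    "3.1.20": "not_implemented",  # -1, but on the never-POA&M list
    "3.5.3": "partial",           # -3 (reduced), still not POA&M-eligible
    "3.13.11": "partial",         # -3 (reduced), the one permitted exception
}

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_STATUS))
    for reason in poam_blockers(SAMPLE_STATUS):
        print(" -", reason)
    print("POA&M must close by", poam_deadline("2026-05-21"))
```

Run as-is it scores the sample at 100, which clears the 88 floor, yet reports three blockers, so the contractor would need to implement 3.1.5, 3.1.20, and general-user MFA before a conditional certificate is possible; only the non-FIPS encryption item could ride on the POA&M.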

Does commercial Microsoft 365 meet DFARS 7012 cloud requirements?

For most CDI workloads, no. DFARS 7012 requires that any cloud service used to store, process, or transmit CDI meet FedRAMP Moderate or higher baseline equivalency. Commercial Microsoft 365 (the standard Business Premium or Enterprise E3 or E5 SKUs in the commercial cloud) does not meet that bar for CDI. The required path is typically Microsoft 365 GCC High or Azure Government with CUI-appropriate controls.

How long do I have to report a cyber incident under DFARS 7012?

72 hours from the moment of discovery, where discovery is defined as the contractor identifying a cyber incident that affects a covered contractor information system, the CDI on that system, or operationally critical support. Reports are filed through dibnet.dod.mil using a DoD-approved medium assurance certificate. The 72-hour clock applies to the initial report. The investigation may continue beyond 72 hours, and the report can be updated as new information emerges.

Is DFARS 7021 the same as CMMC 2.0?

No. CMMC 2.0 is the certification program itself, established under 32 CFR Part 170 and run by the DoD CIO's CMMC Program Management Office, with the Cyber AB accrediting the C3PAOs that perform Level 2 certification assessments and DCMA's DIBCAC performing Level 3 assessments. DFARS 252.204-7021 is the contract clause that makes CMMC certification a binding obligation under DoD contracts. Think of 7021 as the legal hook that pulls CMMC into the acquisition lifecycle. The certification standard lives in CMMC 2.0. The contractual enforcement lives in 7021.

Can I be a prime contractor without the same CMMC Level as my subcontractors?

In some cases, yes. The CMMC scoping rules allow tailoring at the subcontract level. A prime certified at Level 2 may have subcontractors at Level 1 if those subcontractors only handle FCI and never receive CUI or CDI from the prime. The flowdown obligation under DFARS 7021 is keyed to the information actually shared with the subcontractor, not to the prime's overall Level. The prime is responsible for confirming the subcontractor's certification before sharing CDI.

How does DFARS interact with FAR 52.204-21?

FAR 52.204-21 is the government-wide basic safeguarding clause for Federal Contract Information. It applies to all federal contracts (DoD and civilian agencies). DFARS layers DoD-specific cybersecurity requirements on top of the FAR baseline. A DoD contractor handling FCI complies with FAR 52.204-21. A DoD contractor handling CDI complies with FAR 52.204-21 plus DFARS 7012, 7019, 7020, and 7021. The two regimes coexist, with DFARS adding the DoD-specific layer.

Next Step: Map Your DFARS Posture to a CMMC Level

If you are reading this guide because a DoD prime asked for your DFARS or CMMC posture, the fastest first step is the SPRS calculator. The calculator surfaces your current NIST SP 800-171 score under the DoD Assessment Methodology, identifies the highest-impact gaps, and generates the starting draft of an SSP and POA&M. From there, you have an evidence-backed conversation to have with your prime, with a contracting officer, or with a C3PAO assessor.

If you want a fixed-fee engagement to take you from initial scoping through CMMC Level 2 certification, Petronella Technology Group can quote that work directly. Call (919) 348-4912 or reach our team through the contact form. We will set up a free 30-minute scoping call, review your current contracts, and tell you honestly whether Level 2 self-assessment or Level 2 C3PAO is the right target for your portfolio.

For deeper reading, see our CMMC compliance guide, the per-Level breakdowns at CMMC compliance, our NIST 800-171 implementation playbook, and the policy automation overview at ComplianceArmor. DFARS compliance is a multi-year program, not a one-week project. The contractors that handle it best treat it as part of their operating rhythm, not as an annual scramble.


About the Author

Craig Petronella, CEO and Founder of Petronella Technology Group
CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent 20+ years professionally at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential issued by the Cyber AB and leads Petronella as a CMMC-AB Registered Provider Organization (RPO #1449). Craig is an NC Licensed Digital Forensics Examiner (License #604180-DFE) and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. He also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served hundreds of regulated SMB clients across NC and the southeast since 2002, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
