Defense contractors keep asking the same question: "Do I follow DFARS 7012 or CMMC?" The answer is both — and understanding the difference is the fastest way to stop second-guessing your compliance program.
DFARS 252.204-7012 is the baseline. It's been mandatory in most DoD contracts since December 2017. It says you must safeguard Covered Defense Information and report cyber incidents to the DoD within 72 hours. It's the rule that drove every defense contractor to read NIST SP 800-171 for the first time.
CMMC is what enforces it. Before CMMC, contractors self-attested compliance with 800-171. Most were lying. CMMC adds third-party assessment, a formal maturity model, and contract-level verification. It's not a replacement for DFARS 7012 — it's the enforcement mechanism.
The Quick Comparison
| | DFARS 252.204-7012 | CMMC (DFARS -7021) |
|---|---|---|
| Requirement | Implement NIST 800-171, safeguard CUI, report incidents in 72 hours. | Achieve Level 1, 2, or 3 certification aligned to contract risk. |
| Authority | Defense Federal Acquisition Regulation Supplement. | 32 CFR Part 170 (final rule, Oct 2024) and 48 CFR contract clause. |
| Verification | Self-attestation plus SPRS score submission. | Self-assessment (L1) or C3PAO third-party assessment (L2/L3). |
| Applicability | Any contract handling Covered Defense Information / CUI. | Phased rollout starting Nov 2025; contract-by-contract. |
| Enforcement | False Claims Act exposure, contract termination. | No award without required certification. |
Where the Two Overlap
The 110 controls in NIST 800-171 are the heart of CMMC Level 2. If you already implemented them under DFARS 7012, you've done most of the work CMMC will ask you to prove. The gap most contractors discover: your self-attested implementation wasn't as complete as your SPRS score claimed.
If you filed an SPRS score of 110 (perfect compliance) but your actual environment has seven controls on a POA&M, you have a problem. The DOJ's Civil Cyber-Fraud Initiative has already collected multi-million-dollar settlements from contractors who misrepresented DFARS compliance.
Where the Two Differ
DFARS 7012 is a contractual obligation you attest to. CMMC is a verified condition of award. Three practical differences:
- Proof burden. DFARS asks you to implement. CMMC asks you to prove — with artifacts, interviews, and on-site assessment.
- Scoping rigor. DFARS leaves boundary definition largely to you. CMMC expects a clean, defensible CUI enclave your assessor can walk through.
- Consequences. DFARS non-compliance is discovered during disputes or litigation. CMMC non-compliance blocks your award on day one.
Which Applies to You?
If you have an active DoD contract with the 7012 clause, you already have cybersecurity obligations in place today. That's not going away.
CMMC phases in based on contract award date. The Office of the Under Secretary of Defense began enforcing CMMC clause inclusion in new solicitations on November 10, 2025. Expect the CMMC clause to appear in substantially all CUI-relevant contracts by late 2027.
Short answer: if you hold or pursue DoD work touching CUI, both rules apply. Treat DFARS 7012 as the ongoing obligation and CMMC as the verification gate you'll walk through before your next contract is awarded.
Practical Action Items
- Pull your most recent SPRS score and compare it to your actual 800-171 implementation. If they don't match, fix the gap before your C3PAO engagement.
- Review your current contracts for the 7012, 7019, 7020, and 7021 clauses. Flow-downs to subs apply the same way.
- Start scoping your CUI enclave now. Boundary definition is the single biggest source of CMMC delays.
- Plan for a C3PAO assessment timeline of 9-12 months from the day you start remediating.
- If you handle only FCI and no CUI, you may need only a Level 1 self-assessment — but confirm that against your contract requirements, not assumptions.
Need help figuring out which rule applies to which contract in your portfolio? Our CMMC Compliance Services include a DFARS/CMMC gap workshop that maps every applicable clause to its required controls. Read our related post on preparing for your 2026 CMMC assessment, or contact our team for a scoping conversation.