Key Takeaways
- DFARS is the legal requirement; CMMC verifies you followed it.
- Both are built on NIST 800-171, but enforcement is different.
- You can pass a CMMC audit and still fail DFARS compliance.
- CMMC 2.0 introduced flexibility but raised the bar.
The Relationship Between CMMC and DFARS
The relationship between DFARS and CMMC is often misunderstood. One is a legal mandate; the other is an enforcement model layered on top of it. But both are rooted in the same problem: too much sensitive information flowing through too many insecure systems. This blog unpacks how DFARS and CMMC work together and why federal contractors need to understand both to stay compliant.

What is DFARS?
DFARS stands for the Defense Federal Acquisition Regulation Supplement. It’s not a cybersecurity framework; it’s a set of rules the U.S. Department of Defense (DoD) attaches to its contracts. These rules are legally binding for any organization doing business with the DoD.
Think of it as an extension to the Federal Acquisition Regulation (FAR). If FAR is the general rulebook for federal contracting, DFARS is the DoD’s custom chapter.
Why Was DFARS Created?
Modern warfare isn’t just on the battlefield. Sensitive defense information is constantly flowing through commercial systems and cloud storage platforms. DFARS was created to make sure that any contractor handling that information protects it properly.
How Do Companies Know if DFARS Applies to Them?
If you’re a contractor or subcontractor bidding on or performing a DoD contract, the contract will include specific DFARS clauses. You don’t have to guess.
Look for these in your contract:
- DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting)
- DFARS 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements)
- DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements)
If those are in your contract, you’re required to meet the cybersecurity requirements they outline.
What Does DFARS Require You To Do?
If your company handles Controlled Unclassified Information (CUI) as part of a defense contract, you must implement all 110 security controls from NIST SP 800-171. These controls cover everything from access controls and multifactor authentication to incident response and personnel training.
But it doesn’t stop there:
- You must score yourself against the DoD’s defined scoring methodology and submit that score to the Supplier Performance Risk System (SPRS).
- You must be prepared for a DoD-conducted assessment, especially if your contract includes the right language.
- And if you experience a cyber incident, you must report it within 72 hours and preserve all affected systems for investigation.
Falsifying your SPRS score or failing to safeguard CUI can lead to loss of contract, false claims liability, or worse.
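Added example, not from the article: a small calculator for the SPRS score described above, following the NIST SP 800-171 DoD Assessment Methodology (start at 110, subtract each unimplemented control's 1-, 3- or 5-point weight, with partial credit only for 3.5.3 and 3.13.11). The weights shown are the DoD's published values for the listed controls; the SSP extract is a constructed sample, and `WEIGHTS` would need all 110 controls for a real submission.

```python
MAX_SCORE = 110  # score when all 110 NIST SP 800-171 controls are implemented

# Points deducted when the control is not implemented (subset of the full table).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.2.1": 3, "3.3.1": 5,
    "3.5.3": 5, "3.6.1": 5, "3.6.2": 5, "3.8.3": 5, "3.13.11": 5,
}
# The only two controls that earn partial credit under the methodology:
# 3.5.3 (MFA in place for general users but not remote/privileged access) and
# 3.13.11 (encryption in place but not FIPS-validated) deduct 3 instead of 5.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def deduction(control_id: str, status: str) -> int:
    """Points lost for one control. A control still open on the POA&M is
    scored as not implemented: planned work earns no credit."""
    if status not in VALID_STATUSES:
        raise ValueError(f"unknown status {status!r} for {control_id}")
    if control_id not in WEIGHTS:
        raise ValueError(f"no weight known for control {control_id}")
    if status == "implemented":
        return 0
    if status == "partial" and control_id in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[control_id]
    return WEIGHTS[control_id]  # "partial" on any other control is a full loss


def sprs_score(ssp: dict) -> int:
    """Score = 110 minus deductions; controls absent from `ssp` are treated as
    implemented, so every control with a gap must be listed."""
    return MAX_SCORE - sum(deduction(cid, s) for cid, s in ssp.items())


# Constructed SSP extract: only the controls with gaps need to appear.
SAMPLE_SSP = {
    "3.1.1": "implemented",
    "3.1.3": "not_implemented",   # -1: CUI flow controls missing
    "3.2.1": "not_implemented",   # -3: no security awareness training
    "3.5.3": "partial",           # -3: MFA for general users only
    "3.6.1": "not_implemented",   # -5: on the POA&M, still scored as a gap
    "3.13.11": "partial",         # -3: TLS in use but not FIPS-validated
}

if __name__ == "__main__":
    print(f"SPRS score: {sprs_score(SAMPLE_SSP)}")  # 95
```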
Where does CMMC come in?
The Cybersecurity Maturity Model Certification (CMMC) was created to address a problem: the DoD didn’t fully trust self-attestation.
CMMC adds a certification process on top of DFARS. You still have to implement NIST 800-171, but now, in many cases, you need a third-party auditor to verify that you’ve actually done the work.
The DoD designed CMMC to do three things:
- Enforce the existing DFARS rules more reliably
- Raise the bar for higher-risk contractors
- Create a tiered model so small businesses aren’t held to the same standard as defense primes
That tiered model is key to understanding how CMMC works.
The Three Levels of CMMC 2.0
CMMC 2.0 introduced three certification levels:
| Level | Applies To | Requirements |
|---|---|---|
| Level 1 | Contractors handling Federal Contract Information (FCI) | 17 basic security practices, self-assessed annually |
| Level 2 | Contractors handling Controlled Unclassified Information (CUI) | 110 NIST 800-171 controls, third-party audit required in most cases |
| Level 3 | Mission-critical contractors | Advanced controls + government-led assessment |
CMMC Level 2 is where most of the defense industrial base (DIB) will land.

Do DFARS and CMMC require the same thing?
Yes and no.
At their core, both frameworks are built around NIST SP 800-171. That means the technical DFARS cybersecurity requirements (the 110 controls) are mostly the same. But the way you prove you’ve implemented them is different.
| Requirement | DFARS | CMMC |
|---|---|---|
| Use NIST SP 800-171 | ✅ Yes | ✅ Yes |
| Submit a score | ✅ Yes, to SPRS | ✅ Yes, if seeking Level 2 certification |
| Get audited | ❌ Only if the DoD requests it | ✅ Yes, for most Level 2 and all Level 3 |
| Certification | ❌ No official cert | ✅ Yes, certified by an accredited assessor (C3PAO) |
CMMC doesn’t change what’s required. It changes how it’s enforced.
Why CMMC Became Necessary
DFARS was introduced in 2016. But within a few years, the DoD realized that self-assessments weren’t enough. Companies were scoring themselves inaccurately, or not implementing controls at all. Sensitive data kept leaking.
CMMC was the DoD’s answer. Instead of relying on promises, it introduced real audits and certificates. But early versions of CMMC were too burdensome, especially for small businesses. That’s why CMMC 2.0 was released in late 2021 and finalized in 2024.
What Is NIST SP 800-171?
NIST Special Publication 800-171 is a document issued by the National Institute of Standards and Technology. It outlines 110 specific cybersecurity controls across 14 control families, ranging from access control to incident response.
These controls are designed to help non-federal organizations secure CUI. DFARS 7012 requires contractors to implement all 110 of these controls.
Key documents you’ll need to meet this requirement:
- System Security Plan (SSP) – Describes how each control is implemented
- Plan of Actions and Milestones (POA&M) – Outlines how you’ll address any gaps
Under DFARS, companies self-attest to their compliance and submit a score to the Supplier Performance Risk System (SPRS).
CMMC Is the Enforcement Layer
In 2020, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC) as an enforcement mechanism layered on top of DFARS. The original version of CMMC introduced five maturity levels and required independent certification.
CMMC wasn’t about creating new requirements; it was about verifying the old ones. Specifically, CMMC 1.0 Level 3 aligned with NIST 800-171, plus 20 “delta” controls.
But the rollout of CMMC 1.0 ran into resistance:
- It required third-party assessments for all levels
- It imposed new costs, especially on small contractors
- It lacked clarity around scope and expectations
The Shift to CMMC 2.0
By late 2021, the DoD announced CMMC 2.0, a simplified version of the model with fewer levels, a clarified scope, and a reduced burden:
- Level 1: 17 basic safeguarding requirements (from FAR 52.204-21), self-assessed annually
- Level 2: All 110 controls from NIST 800-171, self-assessed or third-party audited based on contract risk
- Level 3: Based on NIST 800-172, for highly sensitive work; government-led assessments only
CMMC 2.0 was designed to phase in gradually through 2025–2026, with DFARS clause 252.204-7021 introducing CMMC requirements into contracts.
Key difference: Under CMMC 2.0, not all Level 2 contracts require third-party certification. If the DoD determines your contract is low-risk, a self-assessment may still be accepted. But the bar is rising.
How CMMC and DFARS Work Together
Let’s break it down:
- DFARS 7012: Requires you to implement NIST 800-171
- DFARS 7019: Requires submission of your SPRS score
- DFARS 7020: Requires contractors to provide access to evidence and audits
- DFARS 7021: Triggers the need for CMMC certification when specified in contracts
In short:
- DFARS defines the rules
- NIST 800-171 contains the technical controls
- CMMC verifies implementation
Being CMMC-certified is not equivalent to full DFARS compliance. DFARS includes additional requirements such as:
- Mandatory 72-hour incident reporting
- Flow-down of requirements to all subcontractors
What You Need to Do
If your contract includes DFARS 7012, you must:
- Implement all 110 NIST 800-171 controls
- Maintain an up-to-date SSP and POA&M
- Report cyber incidents
- Submit your SPRS score if DFARS 7019 applies
If your contract also includes DFARS 7021, you must obtain CMMC certification at the corresponding level.
Note: Your prime contractor may require CMMC certification even if your own contract doesn’t explicitly mention it.

Can You Be CMMC-Certified and Still Violate DFARS?
Yes. And this is where the audit/certification model breaks down if misunderstood.
- CMMC assessors do not audit your DFARS 7012 obligations (e.g., incident reporting to DIBNet)
- You can technically pass a Level 2 audit and still violate federal contract requirements
- DFARS compliance is broader than just technical controls. It includes legal responsibilities
Pro insight: C3PAOs might choose to point out DFARS violations to help clients avoid False Claims Act exposure, but they aren’t required to.
Simplifying Compliance with Centraleyes
Whether you’re preparing for a CMMC audit or maintaining your DFARS obligations, having visibility into your controls and documentation is critical. Centraleyes makes it easier to:
- Map and manage all NIST 800-171 controls
- Generate SSPs, POA&Ms, and SPRS scores
- Prepare for CMMC assessments with audit-ready evidence
- Track real-time risk and compliance posture
Because in defense contracting, clear proof is everything.