DFARS
Several Defense Federal Acquisition Regulation Supplement (DFARS) clauses are directly related to CMMC (Cybersecurity Maturity Model Certification) and the protection of Controlled Unclassified Information (CUI).
These DFARS clauses mandate that contractors meet certain cybersecurity requirements and, in some cases, obtain CMMC certification. Here are the most relevant DFARS clauses:
1. DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
This clause requires defense contractors to provide "adequate security" for covered defense information (CDI), a category of CUI, by implementing the security requirements of NIST SP 800-171 on any contractor-owned information system that processes, stores, or transmits CDI.
It also mandates that contractors rapidly report cyber incidents affecting CDI to the DoD (within 72 hours of discovery), preserve relevant images and data for forensic review, and flow these obligations down to subcontractors that handle CDI.
While this clause does not explicitly require CMMC, compliance with NIST SP 800-171 forms the foundation for CMMC Level 2.
2. DFARS 252.204-7019 – Notice of NIST SP 800-171 DoD Assessment Requirements
This clause requires that a contractor have a current NIST SP 800-171 DoD Assessment (no more than three years old) on record before it can be considered for award. At the Basic level this is a self-assessment against the 110 requirements of NIST SP 800-171, scored using the DoD Assessment Methodology and posted to the Supplier Performance Risk System (SPRS).
The SPRS score gives the DoD a view of the contractor's cybersecurity posture at award time; because CMMC Level 2 assesses the same 110 requirements, a contractor's SPRS score is also a practical indicator of its readiness for CMMC.
3. DFARS 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements
This clause applies the assessment requirements themselves: the contractor must provide the Government access to its facilities, systems, and personnel so that the DoD can conduct a Medium or High assessment of NIST SP 800-171 compliance when the contract calls for one (Basic assessments are self-assessments). It also requires the contractor to flow the clause down and to confirm that subcontractors have a current assessment in SPRS before awarding them a subcontract involving CDI.
Because CMMC Level 2 is built on NIST SP 800-171 Rev 2, the assessment regime established by this clause is a direct step toward the Level 2 requirements.
4. DFARS 252.204-7021 – CMMC Requirements
This clause is specific to CMMC and requires that defense contractors hold the CMMC level specified in the solicitation, and keep it current, as a condition of award and throughout contract performance.
The required level depends on the type of information handled: Level 1 for FCI, Level 2 for CUI, and Level 3 for a subset of contracts involving the most sensitive CUI. How the level is verified also varies: Level 1 (and some Level 2 contracts) relies on an annual self-assessment, most Level 2 contracts handling CUI require a certification assessment by a CMMC Third-Party Assessment Organization (C3PAO), and Level 3 is assessed by the DoD itself. In every case the result, together with an affirmation of continuous compliance by a senior company official, is recorded in SPRS and must be current before award.
This clause also requires that the CMMC requirement flow down to subcontractors that will handle FCI or CUI under the contract, at the level appropriate to the information they receive.
These DFARS clauses establish the foundation for cybersecurity compliance, with DFARS 252.204-7021 being the core clause specific to CMMC certification requirements.