Few things are as opaque or Byzantine as cybersecurity—especially for DoD (Department of Defense) contractors and subcontractors that handle CUI (Controlled Unclassified Information) and need to worry about compliance with DoD regulations.
What is DFARS 7012? DFARS 7012 (DFARS 252.204-7012) is a mandatory clause included in all DoD contracts (other than those solely for COTS items) that requires contractors and subcontractors to protect CUI and CDI (Covered Defense Information). In effect since December 31, 2017, it mandates the implementation of NIST SP 800-171. DFARS 7012 also requires reporting cyber incidents within 72 hours, providing system access for forensic analysis, and including these requirements in all downstream subcontracts (flow-down). It applies to unclassified contractor systems and distinguishes between systems operated on behalf of the government (Type 1, which must meet NIST SP 800-53 controls) and internal contractor systems (Type 2, which must meet NIST SP 800-171).
Cloud systems storing or transmitting CUI under DFARS must meet the FedRAMP Moderate baseline or an equivalent standard. In a 2023 memo, the DoD clarified that equivalency is no longer loosely interpreted—contractors are now responsible for ensuring their Cloud Service Providers (CSPs) meet full FedRAMP Moderate baseline authorization or an officially recognized equivalent, significantly impacting compliance costs and complexity.
CMMC 2.0 Level 2 is a newer framework introduced to formalize and validate the same NIST SP 800-171 requirements referenced in DFARS 7012. Rather than replacing DFARS, CMMC builds on it by adding an enforcement mechanism: assessments. At Level 2, contractors handling CUI typically need a third-party certification every three years from a certified C3PAO (CMMC Third-Party Assessment Organization). In some less critical cases, an annual self-assessment with affirmation may be allowed. CMMC 2.0 is currently in the rulemaking phase and is expected to be enforced in late 2025 or 2026, becoming a precondition for contract awards involving sensitive information.
The main difference between DFARS 7012 and CMMC 2.0 Level 2 lies in attestation versus verification. DFARS relies on contractors’ self-attestation of compliance—essentially a trust-based model—while CMMC introduces a “trust, but verify” approach by requiring formal assessments to prove implementation of controls. Both frameworks share scope (DoD contractors with CUI), control standards (NIST SP 800-171), and flow-down obligations to subcontractors. DFARS remains legally binding and active, while CMMC acts as the audit-ready overlay.
For DoD contractors, compliance with DFARS 7012 is a current contractual obligation, and CMMC Level 2 certification will soon become a requirement to bid on or win contracts involving CUI. Organizations must be prepared to meet both frameworks: DFARS ensures they are doing the work, and CMMC ensures they can prove it.
What is DFARS 252.204-7012 and how does it relate to CMMC 2.0 Level 2?