The Regulatory Stack: How CMMC, DFARS, NIST, and FAR Fit Together
Discover essential security compliance regulations for defense contractors to enhance cybersecurity.
Executive Summary
Key takeaways:
- FAR, DFARS, NIST 800-171, and CMMC are distinct layers of a regulatory stack — each one has a different source, a different enforcement mechanism, and a different trigger
- FAR 52.204-21 applies to any contractor handling Federal Contract Information (FCI) — 15 basic practices, self-enforced
- DFARS 252.204-7012 applies to DoD contractors handling Covered Defense Information (CDI/CUI) — requires NIST 800-171 implementation and 72-hour incident reporting
- NIST SP 800-171 Rev 2 is the technical standard that DFARS 7012 points to — it's a NIST publication that becomes contractually binding through the DFARS clause
- CMMC adds a certification layer on top of DFARS 7012 — same 110 requirements, but now requiring third-party verification instead of self-attestation
- Subcontractors are not exempt: the flowdown requirement means every subcontractor who handles CUI at any tier inherits the same obligations as the prime
If you ask five defense contractors how these regulations relate to each other, you'll get five different answers — most of them partially wrong. The confusion is understandable. These are four distinct legal and technical instruments that were developed by different organizations over different timeframes, and they layer on top of each other in ways that aren't obvious from reading any one of them in isolation.
This article establishes the stack clearly: what each layer is, where it comes from, what it requires, and how they connect.
The Foundation: Federal Contract Information and CUI
Before the regulations, the definitions. Two categories of government information drive different compliance obligations:
Federal Contract Information (FCI) — information provided by or generated for the government under a contract to develop or deliver a product or service. This is the broader category. If you have a federal contract and you're generating or receiving any non-public government information under that contract, it's probably FCI.
Controlled Unclassified Information (CUI) — a specific category of FCI (and other federal information) that the government has designated as requiring protection under law, regulation, or government-wide policy. Not all FCI is CUI, but all CUI is sensitive FCI. CUI is the trigger for the more demanding requirements.
The CUI program was established by Executive Order 13556 in November 2010, replacing a patchwork of agency-specific "sensitive but unclassified" designations. The National Archives and Records Administration (NARA) administers the program through 32 CFR Part 2002 and maintains the CUI Registry at archives.gov/cui — the authoritative list of what qualifies as CUI and which category it falls under.
Controlled Technical Information (CTI) is the most common CUI category in the defense industrial base — technical documents, engineering drawings, specifications, and research data generated under DoD contracts. Export-controlled technical data is another common category. Your contract or Statement of Work should identify whether the work involves CUI, though contractors sometimes have to make that determination themselves based on the information they're handling.
Why this distinction matters: FCI triggers one set of obligations. CUI triggers a substantially larger set. If you handle only FCI (no CUI), FAR 52.204-21 may be your only cybersecurity obligation. If you handle CUI, DFARS 252.204-7012 and, when phased in, DFARS 252.204-7021 (CMMC) apply on top.
Layer 1: FAR 52.204-21 — The Baseline for Everyone
The Federal Acquisition Regulation (FAR) is the primary regulation governing all federal procurement. It applies to every federal contractor, across all agencies. FAR 52.204-21 — "Basic Safeguarding of Covered Contractor Information Systems" — became effective in 2016.
FAR 52.204-21 applies when a contractor's information system processes, stores, or transmits FCI. It requires implementation of 15 basic safeguarding requirements derived from NIST SP 800-171. These 15 practices are not a subset chosen arbitrarily — they're the practices NIST identified as the most fundamental baseline for any contractor system.
The 15 requirements cover: access control basics (limit access to authorized users, control connections), identification and authentication (identify users and devices), media sanitization, physical access controls, secure configurations, incident reporting to the government, malware protection, software updates, and information system boundary controls.
FAR 52.204-21 is self-policed. There's no certification requirement, no third-party assessment, and no submission to a federal database. You certify compliance through your standard representations and certifications in SAM.gov. A false certification is a false claim — which creates exposure under the False Claims Act, with potential liability of treble damages plus a per-claim penalty. The Department of Justice has pursued contractors under the False Claims Act for cyber compliance misrepresentations.
Who it applies to: Any contractor with a federal contract involving FCI. This includes civilian agency contractors, not just DoD. If you have a GSA schedule contract, an HHS contract, or any other federal award involving non-public government information, FAR 52.204-21 applies.
Layer 2: DFARS 252.204-7012 — The DoD Addition
The Defense Federal Acquisition Regulation Supplement (DFARS) supplements FAR with requirements specific to DoD contracting. For cybersecurity, the key clause is DFARS 252.204-7012 — "Safeguarding Covered Defense Information and Cyber Incident Reporting."
DFARS 7012 applies when DoD systems or information are involved. "Covered Defense Information" (CDI) is DoD's term for the CUI they're most concerned about — unclassified information that requires protection under law, regulation, or policy and is collected, developed, received, transmitted, used, or stored under a DoD contract.
DFARS 7012 has two core requirements:
1. Implement NIST SP 800-171 on all systems that process, store, or transmit CDI. This is the full 110-requirement standard, not just the 15 FAR 52.204-21 practices. The clause includes a grace period mechanism — if you can't fully implement a control, you document it in a Plan of Action and Milestones (POA&M) with completion dates.
2. Report cyber incidents within 72 hours. If a cyber incident "may have occurred" on your systems handling CDI, you must report to DoD through the DIBNet portal within 72 hours of discovery. You must also preserve and protect images of compromised systems and provide access to DoD for forensic analysis if requested. The 72-hour clock starts when you discover the potential incident — not when you confirm it.
DFARS 7012 also includes a cloud computing requirement: any cloud services used to process, store, or transmit CDI must meet the security requirements in the DoD Cloud Computing Security Requirements Guide (SRG) at FedRAMP Moderate or higher. This means if your MSP or cloud provider is handling CDI for you, they need a FedRAMP authorization at the appropriate impact level. A cloud provider telling you they're "FedRAMP-compliant" is not sufficient — they need an active authorization, and it needs to cover the specific services you're using.
The flowdown requirement: DFARS 7012 requires prime contractors to flow the clause down to subcontractors whenever a subcontractor will handle CDI. This is the part most subcontractors don't realize until it's too late: if you're a second-tier or third-tier subcontractor handling technical data or design documents from a defense program, the prime's DFARS 7012 obligation flows to you through the subcontract. The clause and all its requirements — NIST 800-171, 72-hour reporting, cloud restrictions — apply at every tier where CDI is present.
Layer 3: DFARS 7019 and 7020 — The SPRS Score Requirement
Two clauses published in 2020 added a self-assessment and reporting requirement on top of DFARS 7012:
DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements. This clause notifies contractors that they're required to post a current NIST 800-171 self-assessment score to the SPRS (Supplier Performance Risk System) before contract award.
DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements. This is the operative clause that requires contractors to conduct a NIST 800-171 self-assessment using the DoD Assessment Methodology, calculate a score using the standard DoD scoring model, and post that score to SPRS. The score must be current — DoD defines current as within the last three years for basic self-assessments. If the score is expired, you're not eligible for contract award on covered contracts.
The SPRS scoring model starts at 110 points (full compliance). Each unimplemented requirement subtracts a value based on its severity — values range from 1 to 5 points per requirement. A score of 110 means all requirements are met. A negative score is possible — and common for organizations early in their compliance journey.
The score you post to SPRS is a federal representation. It creates the same False Claims Act exposure as a SAM.gov certification. DoJ has brought False Claims Act cases against defense contractors specifically based on inflated SPRS scores.
Layer 4: NIST SP 800-171 — The Technical Standard
NIST SP 800-171 is not a regulation. It's a publication from the National Institute of Standards and Technology — a non-regulatory federal agency. NIST can't enforce anything. It doesn't have a compliance program, doesn't issue certifications, and doesn't conduct assessments.
What NIST 800-171 does is provide the technical specification that DFARS 7012 points to. When DFARS 7012 says "implement NIST SP 800-171," it incorporates the standard by reference and gives it contractual force. NIST sets the requirements; DFARS makes them legally binding.
This distinction matters for one practical reason: NIST can update the standard without changing the regulation. NIST published Rev 3 in May 2024. But the DFARS clause and the CMMC rule both reference Rev 2 specifically. Until DoD publishes a rule updating that reference, Rev 3 has no contractual effect. (See NIST 800-171 Rev 3: What Changed and Why It Doesn't Matter Yet for the full analysis.)
NIST also publishes 800-171A — the assessment procedures document. 800-171A defines the specific evidence an assessor collects to determine whether each of the 110 requirements is implemented. For each requirement, it lists the assessment objectives and the methods (examine, interview, test) used to evaluate them. This is the document your C3PAO uses as their assessment guide. If you want to understand exactly how your controls will be evaluated, 800-171A is the document to read.
Layer 5: CMMC — The Verification Mechanism
CMMC (Cybersecurity Maturity Model Certification) is the DoD program that adds mandatory third-party verification to the existing DFARS/NIST framework. The final rule was published as 32 CFR Part 170 on October 15, 2024.
CMMC does not replace or supersede DFARS 7012. When CMMC is fully phased into contracts, contractors will have both clauses: DFARS 7012 (the requirement to implement NIST 800-171 and report incidents) and DFARS 7021 (the CMMC certification requirement). DFARS 7021 is the final clause in the stack — the one that mandates an active CMMC certificate as a condition of contract award and performance.
CMMC Levels:
- Level 1 — 15 practices from FAR 52.204-21. Annual self-assessment and affirmation. Applies to contractors handling only FCI (not CUI). No third-party assessment required.
- Level 2 — All 110 requirements from NIST 800-171 Rev 2. Annual affirmation. For most contracts involving CUI, a third-party assessment by a C3PAO (CMMC Third-Party Assessment Organization) is required every three years. A small subset of Level 2 programs may be allowed to self-assess if DoD determines the CUI isn't prioritized — but this is the exception, not the rule.
- Level 3 — Requirements from NIST 800-171 plus enhanced requirements from NIST SP 800-172. Government-led assessments. For contractors supporting the most sensitive DoD programs.
The CMMC certification is obtained through a C3PAO assessment. C3PAOs are authorized by the CMMC Accreditation Body (Cyber AB) and must themselves be assessed before they can certify contractors. The assessment results in a certification that is valid for three years, subject to annual affirmations.
Critical point: CMMC Level 2 certification satisfies the CMMC requirement (DFARS 7021) but does not replace your DFARS 7012 obligations. The 72-hour incident reporting requirement exists independently of CMMC certification status. A certified contractor who experiences a cyber incident still has a 72-hour reporting obligation to DoD through DIBNet, regardless of their CMMC certificate.
The Stack Visualized
From most general to most specific:
CUI Program (EO 13556 / 32 CFR Part 2002)
↓ defines what's being protected
FAR 52.204-21
↓ basic safeguarding, all federal contractors with FCI
DFARS 252.204-7012
↓ full NIST 800-171 + 72hr reporting, DoD CUI contractors
DFARS 252.204-7019 / 7020
↓ SPRS self-assessment score, DoD CUI contractors
NIST SP 800-171 Rev 2
↓ the 110 technical requirements (incorporated by reference)
CMMC / DFARS 252.204-7021
↓ third-party verification of NIST 800-171 compliance
Each layer adds requirements on top of the previous one. Satisfying CMMC Level 2 means satisfying everything below it in the stack too.
The FCI-Only vs. CUI Question
This is the most consequential determination most small and mid-size defense contractors need to make: are you handling CUI, or only FCI?
FCI-only means FAR 52.204-21 (15 practices) and potentially CMMC Level 1. The cost and complexity of compliance are substantially lower.
CUI means DFARS 7012 (110 practices), SPRS scoring (DFARS 7019/7020), and CMMC Level 2 (when phased in through DFARS 7021). The cost and complexity jump by an order of magnitude.
The way to make this determination: review your contracts and subcontracts. Look for the DFARS 252.204-7012 clause. If it's in your contract, you have a CUI obligation. Also examine your Statement of Work and any Contract Data Requirements List (CDRL) for references to Controlled Technical Information, export-controlled technical data, or other CUI categories.
If your prime's contract has DFARS 7012 and they've flowed the clause down to you in your subcontract, you're a CUI contractor regardless of whether you think of yourself that way. Many second- and third-tier subcontractors discover this late.
When in doubt, ask the contracting officer or your prime: "Is Controlled Unclassified Information present in the work I'm performing under this contract?" Get the answer in writing.
Cross-Framework Context
The regulatory stack described above is DoD-specific. For contractors who work across multiple government agencies or maintain commercial compliance programs:
- ISO 27001 is not required by FAR, DFARS, or CMMC. But ISO 27001 certification demonstrates implemented security controls through a third-party audit process. Organizations with ISO 27001:2022 certification have a much shorter path to CMMC Level 2 because many of the technical controls overlap. ISO certification doesn't substitute for CMMC, but the implementation work counts.
- FedRAMP is required for cloud service providers (CSPs) whose services are used to process, store, or transmit CUI under DoD contracts. The DFARS 7012 cloud requirement specifically requires DoD Cloud SRG compliance, which for most commercial cloud services means FedRAMP Moderate authorization or equivalent. If your MSP or cloud provider isn't FedRAMP authorized, you have a DFARS compliance gap.
- NIST CSF 2.0 is a voluntary framework, not a regulatory requirement. But it maps well to NIST 800-171 and can be a useful organizing structure for your security program. The CSF's "Govern" function maps to CMMC's Security Assessment and Planning domains; "Protect" maps largely to AC, IA, and SC; "Detect" maps to SI and AU.
What Your Assessor Expects
Your C3PAO assessor evaluates you against NIST 800-171 Rev 2 — not FAR 52.204-21, not DFARS clauses, and not Rev 3. But understanding the regulatory stack gives you two advantages:
First, you can explain your compliance program accurately when asked. Assessors ask questions like "Why are you implementing these controls?" and "What's your legal basis for the security program?" A contractor who can trace from their DFARS 7012 clause to NIST 800-171 to their SSP demonstrates organizational maturity.
Second, you won't overlook requirements that exist outside the NIST 800-171 technical controls. The 72-hour incident reporting requirement isn't one of the 110 NIST requirements — it's a DFARS 7012 contractual obligation. Your incident response plan needs to address it whether or not your C3PAO specifically assesses it. Same with SPRS score maintenance (DFARS 7020) — that's a contractual requirement that runs alongside your CMMC certification status, not a part of the assessment itself.
Know your stack. Know which clauses are in your contracts. Know what each one requires and who enforces it.
Need help mapping your specific contracts to the right compliance tier and requirements? Schedule a regulatory stack review with our team — we'll identify which clauses apply, what each one requires, and where your current program has gaps.
Related reading: NIST 800-171: All 14 Control Families Explained — the technical requirements that DFARS 7012 makes contractually binding.