
Do You Need CMMC? Reading the DFARS Clauses in Your Contract

Daniel Ruiz, May 19, 2026, 6 min read

Not every defense contractor needs the same thing. Your obligations are written into your contract through a small set of DFARS clauses. Learning to read them tells you exactly what is required and when.

The clauses that matter

  • DFARS 252.204-7012 — requires you to safeguard CUI per NIST 800-171 and to report cyber incidents to the DoD.
  • DFARS 252.204-7019 — requires you to have a current NIST 800-171 self-assessment score posted in SPRS.
  • DFARS 252.204-7020 — gives the government the right to verify your score and flows the requirement to subcontractors.
  • DFARS 252.204-7021 — the CMMC clause itself; specifies the certification level you must hold.

How to read your obligations

If -7012 appears, the contract involves CUI and you must implement NIST 800-171 and report incidents. If -7019 and -7020 appear, you owe a posted SPRS score now, regardless of where CMMC timing stands. When -7021 appears in a solicitation, it names the CMMC level you must hold, certified, before award.

Flow-down to subcontractors

These requirements flow down. If you are a prime, you are responsible for ensuring subs that touch CUI meet the same bar. If you are a sub, expect your prime to ask for your SPRS score and, eventually, your certification.

Bottom line: read every clause in your current contracts and active solicitations before you spend a dollar. The clauses, not a vendor, define your scope.

The Verdict Forum publishes educational guidance, not legal or compliance advice. Confirm requirements against the authoritative sources and your assessor before acting.