CMMC Level 2 • DFARS 252.204-7012 • NIST 800-171

Mapping CMMC Level 2 to DFARS 252.204-7012 — Alignment & Evidence (With Free POA&M)

See exactly how CMMC Level 2 aligns to DFARS 252.204-7012 and NIST SP 800-171, and what evidence a C3PAO and contracting officer will expect. Use our checklist, 90‑day plan, and free POA&M to get audit‑ready—and win DoD work.

Audit‑Ready Evidence Pack
SSP/POA&M Templates
72‑Hour IR Playbook
FIPS Crypto Inventory

CMMC ↔ DFARS ↔ NIST at a glance

110 Controls • 72‑Hour IR • FedRAMP Cloud • FIPS Crypto

Who this article is for

If you’re a CEO, CTO, CISO, or IT/security lead at a DoD contractor handling Controlled Unclassified Information (CUI), you’ve likely seen three acronyms everywhere: DFARS 252.204-7012, CMMC Level 2, and NIST SP 800-171. This guide shows how they fit together—and exactly what evidence you need to be audit-ready and contract-eligible.

TL;DR: DFARS 252.204‑7012 requires you to implement NIST SP 800‑171 for CUI and adds its own obligations: 72‑hour cyber incident reporting, malware submission, 90‑day preservation of affected system images, and FedRAMP Moderate (or equivalent) cloud services. CMMC Level 2 is the assessment that verifies the 800‑171 controls, including FIPS‑validated cryptography (3.13.11), are actually in place. Build the right evidence package and you satisfy both.

The 30‑Second CMMC Level 2 Requirements Picture

  • DFARS 252.204-7012: A contract clause that mandates NIST SP 800‑171 for covered contractor information systems, 72‑hour cyber incident reporting to DoD, malware submission, 90‑day media preservation, FedRAMP Moderate (or equivalent) cloud services, and flow‑down to subcontractors that handle CUI.
  • NIST SP 800‑171: The 110 security requirements across 14 families (Rev. 2, the version CMMC Level 2 assesses against) to protect CUI in nonfederal systems.
  • CMMC Level 2: An assessment program (a C3PAO certification assessment for most CUI contracts; a self‑assessment where the solicitation permits it) that verifies you actually implement and maintain those 110 requirements, with objective evidence.

Bottom line: Pass CMMC Level 2 and you hold the evidence that meets DFARS safeguarding expectations. Then add the DFARS‑specific overlays (72‑hour reporting, malware submission, media preservation, cloud terms, flow‑down) and make sure the FIPS‑validated cryptography requirement (800‑171 3.13.11) is evidenced, since it is the control most often claimed but not actually met.

Quick map: CMMC L2 ↔ NIST 800‑171 ↔ DFARS 252.204‑7012

Area: Safeguarding CUI
  • CMMC Level 2: Assessment (C3PAO certification or, where the contract allows, self‑assessment) that the 110 requirements are implemented and maintained
  • NIST 800‑171: 110 requirements in 14 families (Rev. 2)
  • DFARS 252.204‑7012 focus: Contractual requirement to implement 800‑171 on every system that processes, stores, or transmits CUI

Area: Assessment
  • CMMC Level 2: C3PAO certification assessment for most CUI contracts; Level 2 self‑assessment only where the solicitation permits it
  • NIST 800‑171: Assessed against the SP 800‑171A objectives; implementation statements plus objective evidence
  • DFARS 252.204‑7012 focus: Self‑assessment score posted in SPRS under DFARS 252.204‑7019/7020; the contracting officer relies on it

Area: Reporting
  • CMMC Level 2: Evidence of IR capability, plans, and logs
  • NIST 800‑171: Incident Response family (3.6.1 through 3.6.3)
  • DFARS 252.204‑7012 focus: 72‑hour cyber incident reporting to DoD; malware submission; 90‑day preservation of affected system images

Area: Cloud
  • CMMC Level 2: Vendor due diligence, agreements, logs
  • NIST 800‑171: Controls still apply to SaaS/IaaS/PaaS that touch CUI
  • DFARS 252.204‑7012 focus: FedRAMP Moderate baseline (or equivalent) for any cloud service storing, processing, or transmitting CUI

Area: Encryption
  • CMMC Level 2: Keys, algorithms, key‑management evidence; CMVP certificates for the modules in use
  • NIST 800‑171: 3.13.11 requires FIPS‑validated cryptography wherever cryptography protects CUI confidentiality
  • DFARS 252.204‑7012 focus: Inherits 3.13.11 through the 800‑171 requirement; FIPS‑validated crypto for CUI at rest and in transit

Area: Flow‑down
  • CMMC Level 2: Subcontractor oversight & attestation
  • NIST 800‑171: Applies to every environment touching CUI, including subcontractors' systems
  • DFARS 252.204‑7012 focus: Prime must flow the clause down to subcontractors that handle CUI

Area: Documentation
  • CMMC Level 2: SSP, POA&M, policies, procedures, diagrams
  • NIST 800‑171: Describe how each requirement is met
  • DFARS 252.204‑7012 focus: Accurate descriptions for oversight & accountability

NIST 800‑171 Evidence: What Auditors Expect (Audit‑Ready)

Core documentation

  • System Security Plan (SSP) — Current, detailed narrative of each 800‑171 control; include data‑flow diagrams.
  • Plan of Action and Milestones (POA&M) — Each open gap with an owner, budget, priority, and due date.
  • Policies & Procedures — Access control, asset, change, IR, vuln, configuration, media, risk, vendor/flow‑down.
  • Control Artifacts — Configs, screenshots, tickets, logs, contracts, training, scans, pen‑test findings.
  • Risk Register & Training Records — Awareness, role‑based, IR tabletop exercises.

Operational evidence

  • MFA enforcement (IdP, VPN, privileged access) and least‑privilege role maps.
  • Asset inventory (hardware, software, SaaS) and CUI data inventory mapped to vendors.
  • Secure configurations, patch cadence, vulnerability management tickets.
  • Logging & monitoring: SIEM/EDR, retention, alert triage evidence.
  • Backup/restore tests, encryption configs, key management procedures.
  • Change management tickets and approvals.
  • Third‑party management: DFARS flow‑down, FedRAMP evidence, breach‑notification terms.

DFARS‑specific overlays

  • 72‑hour incident reporting plan — notification tree, indicator capture, malware submission.
  • FIPS‑validated crypto inventory — Each module with its version and CMVP certificate number, and proof it runs in FIPS mode; replace "FIPS‑compliant" or "FIPS‑like" claims with validated modules. (This is 800‑171 requirement 3.13.11, so it is assessed under CMMC Level 2 as well.)
  • Cloud due‑diligence file — FedRAMP authorization/equivalency, CUI boundary, log access.
  • Subcontractor compliance file — CUI subs list, executed clauses, assessment/attestations, oversight cadence.

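The crypto‑inventory overlay above is where "FIPS‑like" claims usually fall apart: a CMVP certificate for a module that is not actually operated in FIPS mode is not evidence. The following is an added example, not code from the original page, showing the host‑level checks a practitioner can run before filling in an inventory row on a Linux host. The Linux kernel flag path, the function names, the verdict labels and the placeholder certificate number are this example's own assumptions.

```python
"""FIPS posture probe: added example, not code from the original page.

Gathers the host-level evidence an assessor asks for alongside a crypto
inventory: the Linux kernel FIPS flag, the OpenSSL build the Python runtime
links against, and whether that build actually refuses a non-approved
algorithm. Paths, function names and verdict labels are this example's own
assumptions; the CMVP certificate number in the usage is a placeholder.
"""
import hashlib
import ssl
from pathlib import Path

# Assumed location of the kernel flag; present on RHEL-family kernels,
# absent on many others (absence is reported as None, not as a failure).
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def kernel_fips_enabled(flag_path=FIPS_FLAG):
    """True/False from the kernel flag, None when the flag file is absent."""
    path = Path(flag_path)
    if not path.exists():
        return None
    return path.read_text().strip() == "1"


def md5_refused():
    """True when the linked OpenSSL refuses MD5 for security use.

    A validated module operated in FIPS mode raises ValueError here; a build
    that merely claims to be "FIPS-like" still returns a digest.
    """
    try:
        hashlib.md5(b"probe", usedforsecurity=True)
    except ValueError:
        return True
    return False


def fips_posture(flag_path=FIPS_FLAG):
    """Combine the probes into one record for the crypto inventory."""
    kernel = kernel_fips_enabled(flag_path)
    refused = md5_refused()
    if kernel is False:
        verdict = "not-fips-mode"        # flag present and switched off
    elif kernel and refused:
        verdict = "fips-mode"            # kernel and userspace agree
    elif kernel and not refused:
        verdict = "inconsistent"         # e.g. container whose OpenSSL ignores the host flag
    elif refused:
        verdict = "userspace-fips-only"  # no kernel flag, but OpenSSL is in FIPS mode
    else:
        verdict = "no-fips-evidence"
    return {
        "kernel_fips_flag": kernel,
        "openssl": ssl.OPENSSL_VERSION,
        "md5_refused": refused,
        "verdict": verdict,
    }


def inventory_status(posture, cmvp_cert=None):
    """Decide what the inventory row may claim.

    'validated' needs both a CMVP certificate for the module version in use
    and FIPS-mode operation; a certificate alone, or FIPS mode alone, is a
    gap to record in the POA&M rather than a pass.
    """
    in_fips_mode = posture["verdict"] == "fips-mode"
    if cmvp_cert and in_fips_mode:
        return "validated"
    if cmvp_cert and not in_fips_mode:
        return "gap: validated module not operated in FIPS mode"
    if in_fips_mode and not cmvp_cert:
        return "gap: FIPS mode on, but no CMVP certificate recorded for this module version"
    return "gap: no validated module"


if __name__ == "__main__":
    posture = fips_posture()
    print(posture)
    # "0000" is a placeholder, not a real CMVP certificate number.
    print(inventory_status(posture, cmvp_cert="0000"))
```

Run it on each host or container image that handles CUI and attach the output to the inventory row. A "fips-mode" verdict is still only half the evidence: the CMVP certificate has to match the exact module and version the runtime reports, which is why `inventory_status` refuses to mark a row "validated" on the posture alone.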
C3PAO Assessment Readiness & SPRS Score: Your 90‑Day Action Plan

Days 0–15: Establish scope & gap picture

  • Confirm CUI scope and boundaries; document data flows and vendors.
  • Pull your SPRS score; run/refresh a NIST 800‑171 gap assessment.
  • Stand up an executive‑visible POA&M with budgets and deadlines.

Days 16–45: Close critical gaps

  • Enforce MFA everywhere, harden admin paths, remove standing privilege.
  • Stand up centralized logging (SIEM/EDR), set retention, tune alerts.
  • Remediate high‑risk vulnerabilities, encrypt CUI with FIPS‑validated modules, segment networks.

Days 46–75: Prove it works

  • Run IR tabletops and backup/restore tests; save outputs.
  • Update vendor contracts for DFARS flow‑down and cloud/FedRAMP terms.
  • Finalize SSP updates and attach real artifacts.

Days 76–90: Pre‑assessment & scheduling

  • Conduct a CMMC Level 2 pre‑assessment; score internally.
  • Fix residual findings; lock the SSP/POA&M.
  • If required, schedule your C3PAO assessment; if self‑attesting, capture objective evidence.

DFARS 252.204‑7012 Compliance Overlays & Where Companies Lose Points

  • Weak or outdated SSP/POA&M → Treat as living docs; update after changes/incidents.
  • MFA exceptions → Remove; place legacy apps behind secure gateways.
  • Shadow IT & SaaS sprawl → Maintain a SaaS registry; restrict CUI to approved systems.
  • No proof of monitoring → Keep evidence of alert triage and incident closeout.
  • Cloud misunderstandings → Collect FedRAMP letters and logging terms; map shared responsibility.
  • Subcontractor blind spots → Flow‑down clauses, subcontractor assessments, periodic checks.

CMMC Level 2 Evidence Checklist (Copy/Paste)

✅ SSP (current, scoped), POA&M (funded), data‑flow diagrams
✅ SPRS score with calculation details
✅ MFA proof, RBAC matrix, joiner/mover/leaver (JML) logs
✅ Asset/SaaS inventory tied to CUI
✅ Baselines, patch cadence, vuln scan reports
✅ SIEM/EDR retention, alert runbooks, case evidence
✅ IR policy, playbooks, tabletop minutes, 72‑hour steps
✅ Backup schedules, encryption, restore test proof
✅ FIPS‑validated modules list; key management SOPs
✅ Vendor contracts w/ DFARS flow‑down, FedRAMP evidence
✅ Training: awareness, role‑based admin, phishing

FAQ

Is CMMC Level 2 the same as NIST 800‑171?

No. 800‑171 is the what (requirements). CMMC Level 2 is the proof that you consistently do the what.

Do we still need to comply with DFARS 252.204‑7012 if we pass CMMC Level 2?

Yes. CMMC proves 800‑171 implementation (FIPS‑validated cryptography included); DFARS also requires 72‑hour reporting, malware submission, 90‑day media preservation, FedRAMP Moderate (or equivalent) cloud obligations, and subcontractor flow‑down.

What if we only handle FCI (not CUI)?

You may be in CMMC Level 1 scope. Start with our 5‑minute Level 1 Readiness Quiz—you’ll receive an emailed POA&M to plan Level 2.

How long does Level 2 take?

Most SMBs reach audit‑ready in 90–180 days with focused effort and executive sponsorship.

Get a free CMMC/NIST 800‑171 pre‑assessment

We’ll review your scope, SPRS score, and build a 90‑day plan to reach audit‑ready.

Already building your POA&M? Take our 5‑minute CMMC Level 1 Readiness Quiz. We’ll email you a POA&M you can use alongside this guide.