3 min read

CMMC Certification and DFARS: What Defense Contractors Need to Know About the New Cybersecurity Requirements

Andrew Eckstrom : Updated on June 4, 2026

IT Security
CMMC Certification and DFARS: What Defense Contractors Need to Know About the New Cybersecurity Requirements
If your business works with the Department of Defense, or even hopes to, understanding and complying with evolving cybersecurity regulations is non-negotiable. The shift from self-attested DFARS compliance to verified CMMC Certification represents a seismic change in how the DoD holds defense contractors accountable for protecting Controlled Unclassified Information (CUI). But what is CMMC certification? How is it different from DFARS? And what does your company need to do to remain eligible for federal contracts? In this post, Succurri breaks down everything you need to know about these frameworks, the consequences of noncompliance, and how to prepare your business for what’s next. New call-to-action

What Is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity requirements that defense contractors have been expected to follow for years. Specifically, DFARS clause 252.204-7012 mandates that contractors implement the security controls defined in NIST SP 800-171 to protect CUI. Under DFARS:
  • Contractors must report cyber incidents to the DoD within 72 hours.
  • Implementation of 110 NIST 800-171 controls is expected.
  • Contractors are required to self-attest their compliance (no third-party validation).
This model worked on paper, but in practice, it created gaps. Many companies claimed compliance without fully implementing the required controls, leaving sensitive data at risk. Learn more about Succurri’s Cybersecurity Services learning cmmc compliance certification

What Is CMMC?

The Cybersecurity Maturity Model Certification (CMMC) was introduced by the DoD to bring structure, verification, and accountability to defense contractor cybersecurity. Unlike DFARS, CMMC compliance certification requires third-party audits and formal certification, particularly for contractors handling CUI.

CMMC 2.0 Overview

The current version, CMMC 2.0, simplifies the original five-tier model into three CMMC Certification levels:
  • Level 1 – Foundational: For contractors handling Federal Contract Information (FCI). Requires 17 basic safeguarding controls (aligned with FAR 52.204-21). Annual self-assessment allowed.
  • Level 2 – Advanced: For companies handling CUI. Requires all 110 NIST SP 800-171 controls. Third-party assessment required every 3 years (for critical contracts); self-assessment allowed for some non-critical contracts.
  • Level 3 – Expert: For companies supporting high-priority national security programs. Builds on NIST 800-171 with NIST 800-172 controls. Government-led assessment required.
“CMMC brings much-needed accountability to defense contractor cybersecurity. It’s no longer enough to say you follow best practices—you have to prove it. That shift is long overdue, especially as AI tools make attacks faster and harder to detect.” — Grant Eckstrom, vCISO at Succurri Learn more in our Weaponized AI and Business Security Webinar

DFARS vs. CMMC: Key Differences

Feature DFARS CMMC 2.0
Compliance Model Self-attestation 3rd-party or government audits
Framework NIST SP 800-171 NIST SP 800-171 & 800-172
Certification Requirement No Yes
Enforcement Weak Strong—mandatory for contracts
Risk to Non-Compliant Firms Low (in theory) High – loss of eligibility
The most important takeaway? Under CMMC 2.0, certification is a condition for contract award. No certification = no deal. Review your controls with our Free IT Audit

Why This Matters Now

CMMC certification requirements are already being rolled into new contract language, and primes are starting to ask subcontractors about their compliance status. For small to mid-sized businesses (SMBs) in the Defense Industrial Base (DIB), this means:
  • You must prove your ability to protect CUI, or risk losing business.
  • Many cyber insurance policies are now factoring CMMC compliance into underwriting.
  • CMMC readiness will soon be a key differentiator in the government contracting space.
A man searching for what is cmmc certification on a laptop

What DoD Contractors Must Do to Comply

Compliance isn’t just about tools; it’s about a proactive cybersecurity strategy. Here’s a breakdown of how businesses can prepare:

1. Assess Your Current Posture

Perform a gap analysis comparing your current environment to the 110 NIST SP 800-171 controls. Use our Business Network Security Checklist to begin your assessment.

2. Remediate Gaps

Fix any deficiencies, such as a lack of MFA, weak encryption, improper access control, or missing incident response plans.

3. Implement Documentation & Policies

Auditors want to see more than tech; they want documented evidence. This includes:
  • System Security Plan (SSP)
  • Plan of Action & Milestones (POA&M)
  • Access control policies
  • Employee CMMC certification training logs

4. Schedule a Third-Party Audit

If you require Level 2 certification, you’ll need an accredited CMMC Third-Party Assessment Organization (C3PAO) to perform your audit. Succurri can guide you through CMMC readiness and connect you with certified assessors.

Succurri’s Role in Your CMMC Certification Process Journey

Succurri has decades of combined experience helping defense contractors meet strict cybersecurity, compliance, and infrastructure standards. We help you:
  • Translate CMMC/NIST controls into business processes
  • Perform readiness assessments
  • Remediate technical gaps
  • Create audit-ready documentation
  • Train your employees with Cybersecurity Awareness Programs
Most importantly, we simplify the complexity so you can stay focused on growth, not red tape.

FAQs: DFARS & CMMC

Is DFARS still relevant with CMMC in place?

Yes. CMMC builds on DFARS requirements; it doesn’t replace them. Contractors still need to comply with DFARS 7012 clauses and NIST 800-171.

What happens if I fail a CMMC audit?

You won’t be eligible to bid on, win, or execute covered contracts. But a failed audit doesn’t mean the end. Succurri can help you build a POA&M and get back on track.

What if I only handle FCI, not CUI?

If you only work with Federal Contract Information, you may only need to meet Level 1 requirements—basic safeguarding. But primes may still require you to level up. A man holding a cmmc certification requirements check mark

Prepare Now or Risk Losing Contracts

CMMC isn’t a hypothetical. It’s here and it’s reshaping the defense contracting landscape. If your cybersecurity program hasn’t matured beyond self-attestation, your business could be in jeopardy. At Succurri, we’re helping clients transition from risk to readiness. Whether you’re bidding for new contracts or protecting what you’ve already earned, our team can help you implement a CMMC-aligned security strategy that earns trust and wins business. Request a Free CMMC Readiness Audit Explore Cybersecurity Services Meet the Succurri Team
What Is CompTIA Security+ Certification? Why It Matters for Protecting Your Business

2 min read

What Is CompTIA Security+ Certification? Why It Matters for Protecting Your Business

Grant Eckstrom : Sep 15, 2025 7:18:21 PM

The CompTIA Security+ certification is the globally recognized entry-level credential that validates the essential skills required to safeguard...

IT Security
Read More
Why CISSP Is the Gold Standard in Cybersecurity Leadership

3 min read

Why CISSP Is the Gold Standard in Cybersecurity Leadership

Grant Eckstrom : Sep 15, 2025 7:40:55 PM

The Certified Information Systems Security Professional (CISSP) credential, administered by (ISC)², has long been recognized as the gold standard...

IT Security
Read More
Net Neutrality: Why It Is Crucial for Small Businesses?

1 min read

Net Neutrality: Why It Is Crucial for Small Businesses?

Andrew Eckstrom : Sep 25, 2023 7:21:01 PM

The FCC has repealed Net Neutrality rules and regulations. What is Net Neutrality? Net Neutrality is the internet’s basic principle: It...

Read More