If you have been a defense contractor since 2017, you have been living under DFARS 252.204-7012. You know the clause. You have (hopefully) implemented NIST SP 800-171. You have submitted your SPRS score. Now CMMC Level 2 is arriving and the question every contractor asks is: "How much of what I have already done still counts?" The answer is nuanced. The controls are the same. Everything around them has changed.
The Foundation: What Stayed the Same
Let us start with the good news. If you have genuinely implemented NIST SP 800-171 Rev 2, the technical control requirements for CMMC Level 2 are identical. The same 110 security requirements across 14 control families. The same CUI protection objectives. The same technical baseline. Your firewalls, your MFA, your encryption, your access controls, your audit logging: all of that work carries forward.
What Carries Forward
- All 110 NIST SP 800-171 Rev 2 security requirements
- Your System Security Plan (with updates needed)
- Technical control implementations
- CUI identification and marking procedures
- Incident response capabilities (72-hour reporting to DIBNet)
- Your SPRS score submission history
The Big Change: Third-Party Assessment
Under DFARS 7012, compliance was self-attested. You implemented the controls (or said you did), calculated your SPRS score, submitted it, and moved on. The government occasionally audited, but there was no systematic verification. CMMC Level 2 changes this fundamentally: for contracts involving the more sensitive CUI, DoD requires a Level 2 Certification assessment by an accredited C3PAO. A Level 2 Self-Assessment remains available only where the solicitation specifies it.
This is the single biggest shift. Under 7012, a contractor could submit an SPRS score of 110 while having significant gaps. The DoD IG found that many contractors had overstated their compliance posture. CMMC eliminates that ambiguity. A trained assessor walks through your environment, examines your evidence, interviews your staff, and determines whether each of the 110 practices is MET, NOT MET, or NOT APPLICABLE.
DFARS 7012 vs. CMMC Level 2: Side-by-Side
| Dimension | DFARS 7012 | CMMC Level 2 |
|---|---|---|
| Controls | 110 (NIST 800-171) | 110 (NIST 800-171) |
| Verification | Self-attestation + SPRS | C3PAO third-party assessment |
| Frequency | Self-assessment score posted in SPRS under DFARS 7019, current within three years | Triennial C3PAO assessment + annual affirmation |
| POA&M Allowed | Yes, indefinitely | Yes, 1-point items only, 180-day closeout window |
| Scoring | SPRS (-203 to 110) | MET / NOT MET per practice; 88 of 110 minimum for Conditional status |
| Consequence of Gaps | Lower SPRS score | Conditional or failed certification |
| Incident Reporting | 72 hours to DIBNet | 72 hours to DIBNet (unchanged) |
| Flow-Down | Required to subs handling CUI | Required to subs at appropriate level |
POA&M Handling: The 180-Day Clock
Under DFARS 7012, Plans of Action and Milestones were essentially open-ended. You could have a POA&M item for years, deducting points from your SPRS score but never actually closing it. CMMC changes this dramatically. If a C3PAO assessment results in NOT MET findings, you receive a Conditional certification with a 180-day window to remediate and close those POA&M items.
Not all findings qualify for POA&M treatment. Under 32 CFR 170.21, Conditional Level 2 status requires an assessment score of at least 88 of 110, and only requirements worth 1 point in the scoring methodology may be placed on the POA&M. The one exception is SC.L2-3.13.11 (FIPS-validated cryptography), which may be POA&M'd at its 3-point deduction, meaning CUI encryption is in place but not FIPS-validated; if no encryption exists at all (the full 5-point deduction), it cannot. Five 1-point requirements are also barred from the POA&M outright: AC.L2-3.1.20, AC.L2-3.1.22, PE.L2-3.10.3, PE.L2-3.10.4 and PE.L2-3.10.5. Because multi-factor authentication (IA.L2-3.5.3) and most other foundational controls carry 3- or 5-point deductions, a NOT MET finding against them cannot be deferred and the assessment fails regardless of your remediation plan.
POA&M Limitations Under CMMC
- Maximum 180-day closeout window from the Conditional certification date
- Conditional status requires an assessment score of at least 88 out of 110
- Only 1-point requirements may be placed on a POA&M (SC.L2-3.13.11 at a 3-point deduction is the lone exception); AC.L2-3.1.20, AC.L2-3.1.22 and PE.L2-3.10.3 through 3.10.5 can never be POA&M'd
- POA&M items must have credible, time-bound remediation milestones
- A POA&M closeout assessment by the C3PAO is required to convert Conditional to Final
- Failure to close POA&M items within 180 days causes the Conditional status to expire
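As an added illustration (not code from this page or from AeoliTech), the following Python encodes the Level 2 POA&M eligibility rule from 32 CFR 170.21(a)(2): the 88-point floor, the 1-point-only restriction with the SC.L2-3.13.11 exception, and the five requirements that can never be deferred. The sample findings at the bottom and their point values are constructed for the demonstration; confirm each requirement's point value against the current DoD scoring table before relying on it.

```python
from __future__ import annotations
from dataclasses import dataclass

# Level 2 scoring constants from 32 CFR 170.21(a)(2) and the DoD
# NIST SP 800-171 Assessment Methodology.
MAX_SCORE = 110
MIN_SCORE_FOR_CONDITIONAL = 88          # 0.8 * 110
MAX_POAM_POINTS = 1                     # only 1-point requirements may be POA&M'd
FIPS_REQUIREMENT = "SC.L2-3.13.11"      # exception: allowed at a 3-point deduction
NEVER_ON_POAM = frozenset({
    "AC.L2-3.1.20", "AC.L2-3.1.22",
    "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5",
})


@dataclass(frozen=True)
class Finding:
    """One NOT MET requirement and the points the scoring methodology deducts for it."""
    requirement: str   # CMMC practice identifier, e.g. "IA.L2-3.5.3"
    points: int        # 1, 3 or 5 per the scoring table


def score(findings: list[Finding]) -> int:
    """Assessment score: 110 minus the deductions for every NOT MET requirement."""
    return MAX_SCORE - sum(f.points for f in findings)


def poam_blockers(findings: list[Finding]) -> list[str]:
    """Return every reason the NOT MET findings cannot all be placed on a POA&M.

    An empty list means Conditional status is available.
    """
    reasons = []
    s = score(findings)
    if s < MIN_SCORE_FOR_CONDITIONAL:
        reasons.append(f"score {s} is below the {MIN_SCORE_FOR_CONDITIONAL} minimum")
    for f in findings:
        if f.requirement in NEVER_ON_POAM:
            reasons.append(f"{f.requirement} may never be placed on a POA&M")
        elif f.requirement == FIPS_REQUIREMENT:
            # Non-FIPS encryption (3 points) may be deferred; no encryption (5) may not.
            if f.points > 3:
                reasons.append(f"{f.requirement} at {f.points} points cannot be POA&M'd")
        elif f.points > MAX_POAM_POINTS:
            reasons.append(f"{f.requirement} is worth {f.points} points; only 1-point items may be deferred")
    return reasons


def outcome(findings: list[Finding]) -> str:
    """'Final' (all MET), 'Conditional' (POA&M permitted, 180-day clock) or 'Not Achieved'."""
    if not findings:
        return "Final"
    return "Conditional" if not poam_blockers(findings) else "Not Achieved"


if __name__ == "__main__":
    # Constructed sample assessment results (not real contractor data).
    samples = {
        "clean": [],
        "minor": [Finding("AU.L2-3.3.4", 1), Finding("SC.L2-3.13.11", 3)],
        "mfa_gap": [Finding("IA.L2-3.5.3", 5)],
        "physical": [Finding("PE.L2-3.10.3", 1)],
    }
    for name, f in samples.items():
        print(f"{name}: score={score(f)} outcome={outcome(f)} blockers={poam_blockers(f)}")
```

The `minor` case is the shape of a realistic Conditional result: two deferrable gaps, score 106. The `mfa_gap` case shows why a single 5-point control fails the assessment even with a score of 105, and `physical` shows that a 1-point item on the never-POA&M list is just as fatal.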
Assessment Methodology: What C3PAOs Actually Do
The CMMC assessment methodology is defined in the CMMC Assessment Guide for Level 2, which applies the three assessment methods from NIST SP 800-171A (Examine, Interview and Test) to the assessment objectives of each practice. A practice is MET only when every one of its objectives is satisfied. This is far more rigorous than anything DFARS 7012 required.
C3PAO Assessment Methods
Examine
Reviewing documents, configurations, logs, and artifacts. The assessor examines your SSP, policies, network diagrams, configuration screenshots, and audit records.
Interview
Speaking with personnel responsible for implementing and maintaining controls. Assessors verify that staff understand their roles and can explain how controls work.
Test
Hands-on verification that controls function as described. The assessor may watch an administrator attempt a login to confirm the second factor is enforced, check that a cryptographic module is actually running in FIPS mode, or walk through an incident response tabletop to see whether the documented procedure holds up.
Practical Implications for 7012 Veterans
If you have been diligently implementing NIST 800-171 under DFARS 7012, you are in better shape than most. But "better shape" does not mean "ready." Here is what you need to focus on:
1. Evidence Quality, Not Just Control Existence
Under 7012, you needed controls in place. Under CMMC, you need provable evidence that controls are in place, configured correctly, and operating effectively. Screenshots, configuration exports, audit log samples, policy documents with revision history, training records with dates and attendees. If you cannot show it, it does not count.
2. SSP Accuracy and Completeness
Many contractors wrote their SSP once and never updated it. Under CMMC, the SSP is the primary document the C3PAO uses to understand your environment. If your SSP says you have 50 endpoints and you actually have 200, that is a finding. If your network diagram does not match your actual topology, that is a finding. Update your SSP to reflect reality before the assessor arrives.
3. Scope Definition and Boundary
DFARS 7012 applied to any system that processed, stored, or transmitted CUI. CMMC formalizes the concept of the assessment scope and system boundary. You need a clear, defensible boundary that defines exactly which systems, networks, and personnel are in scope. A well-defined CUI enclave can dramatically reduce your assessment surface.
4. Close Your POA&M Items Now
If you have been carrying POA&M items for years under 7012, close them before your CMMC assessment. The 180-day POA&M window under CMMC is for items discovered during the assessment, not for pre-existing gaps you have been ignoring. Walking into a C3PAO assessment with known open items is a recipe for a Conditional or failed result.
The Subcontractor Flow-Down Question
Under DFARS 7012, the flow-down requirement was straightforward: if you passed CUI to a subcontractor, they needed to implement NIST 800-171 and report incidents. Under CMMC, the flow-down becomes more structured. Subcontractors must achieve the CMMC level specified in the contract for the type of information they handle. A sub handling CUI on a contract requiring Level 2 must have Level 2 certification.
This creates a practical challenge for primes. You need visibility into your supply chain's certification status. You need to verify that subs are certified at the right level before flowing CUI to them. And you need contingency plans for subs that cannot achieve certification in time.
The Transition Strategy
For contractors who have been operating under DFARS 7012, the transition to CMMC is not a rebuild. It is an upgrade. Your existing controls are the foundation. What you need to add is assessment readiness: evidence quality, documentation accuracy, scope clarity, and the organizational discipline to maintain compliance continuously rather than point-in-time.
The contractors who will struggle are those who treated 7012 as a checkbox exercise. If your SPRS score does not reflect reality, CMMC will expose that gap. The contractors who will thrive are those who used 7012 as a genuine security improvement program and now just need to formalize their evidence and prepare for third-party scrutiny.
Transitioning from DFARS 7012 to CMMC?
AeoliTech helps contractors bridge the gap between self-attestation and C3PAO-ready certification. Let us assess where you stand.
Schedule a CMMC Readiness Call
Leonard Esere
Founder & CEO, AeoliTech
Leonard has guided defense contractors through NIST 800-171 implementation since the original DFARS 7012 clause took effect. His experience at MITRE and LANL gives him unique insight into both the contractor and assessor perspectives.