March 5, 2025
What's the difference between ...
A new client recently sent me this question via email:
Can you explain the difference between these clauses? Which one was supposedly in contracts for years that no one did anything about? I get confused with the FAR and DFAR clauses.
- FAR 52.204-21
- DFARS 252.204-7012
- DFARS 252.204-7020
What a great question! Answer:
FAR 52.204-21, the "Basic Safeguarding Rule," has been in effect since May 2016 for all USG (not just DoD) contracts. It requires implementation of 15 controls to protect Federal Contract Information (any info related to a contract that isn't for public release or payments). This is the regulation for CMMC Level One.
The DFARS 252.204-7012 clause has been in effect since October 2016 but applies only to DoD contracts. It requires implementation of the 110 controls of NIST SP 800-171 to protect Controlled Unclassified Information (CUI). This is the basis of CMMC Level Two.
DFARS 252.204-7020 was introduced as part of the CMMC Interim Rule in September 2020. It enables DIBCAC to perform assessments of contractor information systems that handle CUI to verify their compliance with DFARS 252.204-7012. (It is a companion to DFARS 252.204-7019, which requires annual self-assessment recorded in SPRS.)
The first two clauses have been in contracts since 2016, but many contractors paid little or no attention to the requirements. Lack of attention to the 7012 requirements is the genesis of CMMC -- independent verification that the security requirements have been implemented as required by existing contracts.
And I'll explain all this and more in greater detail in my workshop next week. Join me!

CMMC 101: An Introduction to CMMC
Are you feeling pressure to prepare for CMMC -- but don't know how to begin? This virtual workshop will get you started!
Tuesday, March 11 @ 10am - 12pm (CT)

CMMC 102: Understanding the Security Controls
This deep-dive into the requirements of CMMC L1 will focus on the assessment objectives and evidence, preparing you to assess L2.
Tuesday, March 25 @ 10am - 12pm (CT)

Glenda R. Snodgrass, CCP/CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107