
DFARS Cybersecurity and CMMC 2.0 Certification in Defense Contractor M&A

Acquiring a defense contractor without a structured cybersecurity diligence protocol is a direct path to False Claims Act exposure, contract ineligibility, and inherited compliance liability. DFARS cybersecurity requirements and the CMMC 2.0 framework have matured to the point where cyber compliance is no longer a post-close integration item. It is a pre-LOI valuation variable.

By Alex Lubyansky, April 18, 2026

The DFARS 252.204-7012 Framework and What It Actually Requires

DFARS 252.204-7012, titled "Safeguarding Covered Defense Information and Cyber Incident Reporting," is the foundational cybersecurity clause in defense contracting. Any contractor whose work involves a covered contractor information system, defined broadly as any system that processes, stores, or transmits covered defense information, must comply with this clause. The clause requires contractors to provide adequate security on all covered systems, which DoD defines as implementation of the security requirements in NIST SP 800-171. The clause also imposes a 72-hour cyber incident reporting obligation to the DoD DIBNet portal, a requirement to preserve images of compromised systems, and a requirement to report any malicious software discovered during incident response.

In an M&A context, the significance of DFARS 7012 is threefold. First, it is a contractual obligation, not a regulatory filing. A contractor that certifies compliance while operating below the NIST 800-171 standard has potentially made a false certification to the government, which is the foundation for False Claims Act liability. Second, the clause has been in effect since December 2017, meaning most defense contractors have had years to implement the required controls and file for any necessary waivers. A target that still has material gaps in 2024 or later is not simply behind on an emerging requirement: it has tolerated a known compliance obligation for an extended period. Third, the clause flows down to subcontractors, meaning an acquirer who picks up a prime contract also picks up the obligation to ensure that every subcontractor receiving covered defense information is itself complying with NIST 800-171.

The scope definition matters enormously in practice. Not every contractor information system is a "covered contractor information system." The determination depends on whether covered defense information flows through the system. A contractor that has carefully scoped its CUI boundary and implemented appropriate controls within that boundary is in a materially different position from one that has never conducted a scoping exercise and assumes all systems are in scope (or, worse, assumes none are). Buyers need to review the System Security Plan to understand how the target defined its boundary, whether that definition is defensible, and whether the controls documented in the plan are actually implemented.

NIST SP 800-171 Rev 2: The 14 Control Families and 110 Practices

NIST SP 800-171 Rev 2 contains 110 security practices organized across 14 control families. The families are: Access Control (22 practices), Awareness and Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7). This distribution matters for diligence because the families with the largest practice counts, Access Control and System and Communications Protection, are also the families where implementation is most technically complex and where gaps are most commonly found.

NIST assigns a point value to each practice in its scoring methodology, with more complex practices weighted higher. The maximum SPRS score is 110, representing full implementation of all 110 practices with no deficiencies. Each unimplemented practice reduces the score by its assigned weight, and scores can go negative for contractors with extensive gaps. NIST has not made all practice weights publicly available in a single clean table, but the methodology is documented and contractors can calculate their own scores using the NIST 800-171 scoring template.

For M&A purposes, practice-level analysis is more useful than a single composite score. A target with an SPRS score of 80 could have that score because of minor gaps across many families or because of complete failure in one or two critical families. The former is a remediation management problem. The latter may be a contract eligibility problem if the failures are in areas where CMMC designates certain practices as non-deferrable. Buyers should request the underlying NIST 800-171 self-assessment workbook, not just the SPRS score, to understand exactly which practices are not implemented and what remediation each requires.

NIST SP 800-171 Rev 3 was published in May 2024 and introduced organizational changes to the control structure, including reorganization of some practices. CMMC 2.0, as currently implemented, is based on Rev 2. The transition to Rev 3 within CMMC will require a future rulemaking, so buyers should understand which revision the target's assessments reference and whether any pending CMMC assessments will be conducted against Rev 2 or the eventual Rev 3-aligned standard.

Controlled Unclassified Information: Categorization and Boundary Definition

Controlled Unclassified Information (CUI) is the category of unclassified government information that requires safeguarding under law, regulation, or government-wide policy. The National Archives manages the CUI Registry, which lists the authorized CUI categories and subcategories. Defense contractors most commonly handle CUI in the following categories: Technical Data (TD), which includes engineering drawings, specifications, and design documentation; Controlled Technical Information (CTI) under the DFARS definition; Export Controlled information; Privacy (PR); Proprietary Business Information (PROPIN); and Law Enforcement (LE) in some contexts.

The distinction between CUI Basic and CUI Specified carries legal significance. CUI Basic is governed by the baseline standards in the CUI regulation at 32 CFR Part 2002. CUI Specified is CUI where the authorizing law, regulation, or policy contains specific handling requirements that supersede or supplement the baseline. For example, export-controlled technical data covered by ITAR or EAR carries CUI Specified status, meaning that in addition to NIST 800-171 requirements, the contractor must also comply with ITAR or EAR handling requirements. Failure to identify that certain information is CUI Specified, and therefore subject to additional controls, is a gap that standard NIST 800-171 assessments may not surface unless the assessor is specifically examining the CUI Registry categorization.

In diligence, CUI identification failures take several forms. The most common is a System Security Plan that identifies a CUI boundary that is too narrow, omitting systems that actually store or transmit CUI. This creates a situation where unprotected systems contain regulated information. The second common failure is inadequate marking: CUI must be marked in accordance with CUI marking standards when transmitted outside the covered contractor information system, and many contractors have never implemented consistent marking policies or trained personnel on marking requirements. A third failure is CUI that flows to subcontractors without verification that those subcontractors have implemented NIST 800-171, violating the DFARS 7012 flow-down obligation.

CMMC 2.0 Level Framework: Self-Assessment, C3PAO Assessment, and DIBCAC-Led Assessment

The Cybersecurity Maturity Model Certification 2.0 framework, codified in the DFARS interim rule effective December 16, 2024, establishes three certification levels. Understanding which level applies to a given contractor is the starting point for any CMMC-related diligence.

Level 1 applies to contractors handling only Federal Contract Information (FCI), which is information provided by or generated for the government under a contract but not intended for public release. Level 1 requires annual self-assessment and senior official affirmation against 17 practices drawn from FAR 52.204-21. The self-assessment is submitted to SPRS. Level 1 does not require third-party validation, but the self-assessment must be accurate because a false submission can support False Claims Act claims.

Level 2 applies to contractors handling CUI in connection with DoD contracts. Level 2 requires compliance with all 110 practices in NIST SP 800-171 Rev 2. For most contracts, Level 2 requires a triennial third-party assessment conducted by a Cyber AB-accredited C3PAO, with annual affirmations between assessments. For a subset of contracts designated as lower-risk by DoD, Level 2 self-assessment may be permitted. The determination of which contracts require C3PAO assessment versus self-assessment is made by DoD at the program level and reflected in contract solicitations.

Level 3 applies to contractors on DoD's highest-priority programs involving advanced CUI. Level 3 requires compliance with all 110 NIST SP 800-171 practices plus a subset of practices from NIST SP 800-172. Level 3 assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) rather than commercial C3PAOs. The government initiates Level 3 assessments; contractors cannot independently request them.

CMMC requirements are being phased into contract solicitations between FY2024 and FY2028. Not all contracts will immediately require CMMC certification. However, as the phase-in progresses, the proportion of defense contracts requiring CMMC will increase substantially, and contractors without a current certification will face growing eligibility constraints. Buyers evaluating a target's revenue sustainability must account for whether existing contracts are in pre-CMMC solicitation windows and whether the target will be able to maintain eligibility as those contracts are recompeted under CMMC-required solicitations.

C3PAO Certification Pathway: Accreditation, Scheduling, and Assessment Execution

A C3PAO is a Certified Third-Party Assessment Organization accredited by the Cyber AB (formerly the CMMC Accreditation Body). To conduct CMMC Level 2 assessments, a C3PAO must be accredited by the Cyber AB and listed in the Cyber AB Marketplace. The Cyber AB also certifies individual Certified CMMC Assessors (CCAs) who conduct assessments on behalf of C3PAOs. The quality and thoroughness of an assessment depends in significant part on the experience and rigor of the individual CCAs assigned.

The C3PAO assessment process begins with a scoping engagement where the C3PAO and the contractor agree on the boundary of the assessment: which systems, locations, and personnel are in scope. Scope definition is among the most consequential decisions in the assessment because a narrow scope may exclude systems that actually handle CUI, producing a certification that is technically accurate for the scoped environment but misleading about the contractor's overall compliance posture. Sophisticated buyers will examine the scoping documentation from prior assessments to assess whether the scope was drawn appropriately.

After scoping, the C3PAO conducts a readiness assessment (sometimes called a pre-assessment) where gaps are identified and the contractor has an opportunity to remediate before the formal assessment. The formal assessment includes document review, interviews with personnel, and technical testing. The C3PAO produces a Final Assessment Report that documents findings for each of the 110 practices and identifies any open POA&M items. The report is submitted to the CMMC Enterprise Mission Assurance Support Service (eMASS) portal, and the certification status is reflected in SPRS.

From initial contact with a C3PAO to receipt of final certification, the realistic timeline under current market conditions is six to twelve months. This timeline is extended for contractors with large or geographically distributed environments, significant remediation requirements, or contracts with specific security plan requirements that must be resolved before assessment. Buyers whose acquisition thesis depends on the target winning new CUI-handling contracts post-close should model this timeline explicitly and determine whether interim contract eligibility is achievable through self-assessment pathways while C3PAO assessment is in process.

SPRS Scoring, Self-Attestation, and the Points-Based Deduction Methodology

The Supplier Performance Risk System is DoD's authoritative database for contractor performance information, including cybersecurity self-assessment scores. Under DFARS 252.204-7019, a contractor must have a current NIST SP 800-171 DoD Assessment on record in SPRS before DoD will award a contract requiring NIST 800-171 compliance. The "current" requirement means the assessment cannot be more than three years old for most assessment types.

For Level 1 and Level 2 self-assessed contractors, the SPRS score is calculated using the DoD Assessment Methodology, which assigns a points value to each of the 110 NIST SP 800-171 practices. Practices are weighted from 1 to 5 points based on their assessed criticality. A contractor that has implemented all 110 practices with no deficiencies submits a score of 110. Each unimplemented practice reduces the score by its assigned weight. The resulting score can be negative, with some contractors scoring significantly below zero when multiple high-weight practices are unimplemented.
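To make the deduction methodology above, and the earlier point that practice-level analysis beats a single composite score, concrete, here is an added worked example that is not from the article or from DoD. The 14 families and their practice counts are the ones the article lists; the practice ids and the 5/3/1 weight pattern are constructed placeholders, not the DoD Assessment Methodology's actual per-practice weights.

```python
"""SPRS points-based deduction worked at practice level.

Added example, not from the article or from DoD. The 14 families and their
practice counts are the ones the article lists (they sum to 110); practice
ids and the 5/3/1 weight pattern are CONSTRUCTED for illustration and are
not the DoD Assessment Methodology's real per-practice weights.
"""
from collections import defaultdict

MAX_SCORE = 110

FAMILY_COUNTS = {
    "Access Control": 22,
    "Awareness and Training": 3,
    "Audit and Accountability": 9,
    "Configuration Management": 9,
    "Identification and Authentication": 11,
    "Incident Response": 3,
    "Maintenance": 6,
    "Media Protection": 9,
    "Personnel Security": 2,
    "Physical Protection": 6,
    "Risk Assessment": 3,
    "Security Assessment": 4,
    "System and Communications Protection": 16,
    "System and Information Integrity": 7,
}

CONSTRUCTED_WEIGHTS = (5, 3, 1)  # placeholder cycle, not real DoD weights


def build_workbook():
    """One row per practice: {id, family, weight, implemented}; all implemented."""
    rows = []
    for family, count in FAMILY_COUNTS.items():
        for n in range(1, count + 1):
            rows.append({
                "id": f"{family}#{n}",  # constructed id, not a NIST 3.x.y number
                "family": family,
                "weight": CONSTRUCTED_WEIGHTS[(n - 1) % 3],
                "implemented": True,
            })
    return rows


def mark_unimplemented(workbook, family, numbers):
    """Return a copy with the given practice numbers in `family` marked as gaps."""
    wanted = {f"{family}#{n}" for n in numbers}
    return [dict(r, implemented=False) if r["id"] in wanted else dict(r) for r in workbook]


def sprs_score(workbook):
    """Deduction method: start at 110, subtract each unimplemented weight. May go below 0."""
    return MAX_SCORE - sum(r["weight"] for r in workbook if not r["implemented"])


def family_gaps(workbook):
    """Points lost per family: the practice-level view the article says to ask for."""
    gaps = defaultdict(int)
    for r in workbook:
        if not r["implemented"]:
            gaps[r["family"]] += r["weight"]
    return dict(gaps)


def gap_concentration(workbook):
    """Share of lost points sitting in the single worst family (1.0 = all in one family)."""
    gaps = family_gaps(workbook)
    lost = sum(gaps.values())
    return max(gaps.values()) / lost if lost else 0.0


# Two constructed targets that both self-attest a composite score of 80.
SPREAD = build_workbook()
for fam in list(FAMILY_COUNTS)[:10]:  # one weight-3 gap in each of ten families
    SPREAD = mark_unimplemented(SPREAD, fam, [2])

CONCENTRATED = mark_unimplemented(  # six weight-5 gaps, all in one family
    build_workbook(), "System and Communications Protection", [1, 4, 7, 10, 13, 16])

# A third target with two whole families unimplemented: the score goes negative.
FAILED = mark_unimplemented(build_workbook(), "Access Control", range(1, 23))
FAILED = mark_unimplemented(FAILED, "System and Communications Protection", range(1, 17))

if __name__ == "__main__":
    for name, wb in (("spread", SPREAD), ("concentrated", CONCENTRATED), ("failed", FAILED)):
        print(f"{name:13} score={sprs_score(wb):4d} "
              f"concentration={gap_concentration(wb):.2f} gaps={family_gaps(wb)}")
```

Both constructed 80-point targets look identical in SPRS; only the family breakdown shows that one has ten small gaps and the other has its entire deficit in System and Communications Protection, while the third target lands at -8.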

The self-attestation process requires a senior company official, typically a C-level executive, to submit the SPRS score and affirm its accuracy. This affirmation creates personal exposure for the signing official if the score is materially inaccurate. DoD and the Department of Justice have pursued False Claims Act cases where SPRS score submissions were found to be inaccurate, and settlements in those cases have involved both corporate and individual liability. Buyers conducting diligence should specifically examine who signed the SPRS submission, on what basis the score was calculated, and whether there is documentation supporting the score calculation.

An SPRS score submitted by a C3PAO-assessed contractor reflects the results of the formal third-party assessment rather than a self-calculated score. For these contractors, the score carries greater credibility because it has been independently validated. However, assessment scores have expiration dates, and buyers need to verify that the target's certification has not lapsed and that no material changes to the environment have occurred since the last assessment that would affect score accuracy.

DFARS 252.204-7019, 7020, and 7021: The Regulatory Architecture and How the Clauses Interact

Three DFARS clauses form the regulatory structure for cybersecurity requirements in defense contracting, and understanding how they interact is essential for any legal analysis of a defense contractor acquisition.

DFARS 252.204-7019, "Notice of NIST SP 800-171 DoD Assessment Requirements," is a notice clause that appears in solicitations and awards for contracts requiring NIST 800-171 compliance. The clause requires that a contractor have a current NIST SP 800-171 assessment score in SPRS before award and that the score remain current throughout contract performance. If a contractor's SPRS score lapses or if the contractor experiences changes that affect score accuracy, the obligation to update the SPRS entry is ongoing.

DFARS 252.204-7020, "NIST SP 800-171 DoD Assessment Requirements," is the substantive clause that actually imposes the assessment obligation. This clause requires contractors to maintain the current NIST SP 800-171 assessment in SPRS and grants DoD the right to conduct its own assessment of the contractor's implementation at any time. A DoD-conducted assessment (sometimes called a "medium" or "high" assessment under the DoD Assessment Methodology) overrides the contractor's self-assessment score in SPRS if the DoD assessment produces a different result.

DFARS 252.204-7021, "Cybersecurity Maturity Model Certification Requirements," is the CMMC-specific clause. This clause requires contractors to have a current CMMC certification at the level specified in the contract before the contract can be awarded. It also requires that all subcontractors receiving CUI have the appropriate CMMC level certification before they can receive CUI under a subcontract. The interplay between 7020 and 7021 is that 7020 addresses NIST 800-171 self-assessment for contracts not yet requiring formal CMMC, while 7021 addresses contracts where CMMC certification is specifically required. Both clauses may appear in the same contract as the CMMC phase-in progresses.

In an M&A context, buyers should compile a complete clause matrix for each of the target's active contracts, identifying which DFARS cybersecurity clauses appear and what the specific compliance obligations are for each contract. This matrix forms the foundation for understanding the target's current compliance obligations, where gaps exist, and what post-close remediation timeline is required for each contract.

The 72-Hour Incident Reporting Obligation: Mechanics and M&A Implications

DFARS 252.204-7012 requires a contractor that discovers a cyber incident affecting a covered contractor information system to report the incident to DoD within 72 hours of discovery via the DIBNet portal at dibnet.dod.mil. The 72-hour clock runs from the moment of discovery, not from the moment the contractor determines with certainty that covered defense information was compromised. Under the DFARS definition, a cyber incident includes any unauthorized access to, exfiltration of, manipulation of, or deletion of covered defense information, as well as unauthorized access to systems that process covered defense information even if no data exfiltration is confirmed.

The reporting obligation includes not just the initial notification but also preservation of images of compromised systems for at least 90 days after reporting, to allow for DoD forensic investigation. If DoD requests access to a compromised system for investigation, the contractor must accommodate that request. These obligations create a significant operational burden in the period immediately following incident discovery, and buyers should assess whether the target has incident response procedures that address the DIBNet reporting process and system preservation requirements.

In a transaction context, the 72-hour obligation intersects with M&A in several ways. First, if the target experiences an incident during the diligence period, it has a mandatory obligation to report to DoD that cannot be waived or delayed because of confidentiality concerns related to the deal. Second, the target should be required to notify the buyer of any incident, but the confidentiality provisions of the diligence agreement do not override the DoD reporting requirement. Third, buyers should conduct a lookback review of all SPRS submissions and DIBNet incident reports during a period of at least three years preceding the acquisition to identify any incidents that may have affected the target's compliance posture or that were reported late or not at all.

A late or missed incident report is not simply a technical violation. It is a failure of a contract-specific obligation that can affect the contractor's CMMC certification status and can, in an FCA context, support claims that the contractor made false certifications about its compliance program while simultaneously failing to fulfill a specific compliance requirement. Buyers who discover unreported incidents during diligence should engage qualified legal counsel before determining how to handle disclosure, remediation, and any applicable voluntary disclosure considerations.

Cybersecurity Diligence Scope in Defense Contractor Acquisitions

Defense contractor cybersecurity diligence requires a structured, multi-layer analysis that integrates legal review, technical assessment, and contract analysis. Buyers who approach this as a checkbox exercise, reviewing the SPRS score and moving on, will systematically miss the most consequential risks.

The diligence scope should include, at minimum: the System Security Plan and all associated appendices, including the boundary definition and data flow diagrams; the current NIST 800-171 self-assessment workbook showing practice-level status; all POA&M documents with remediation timelines and responsible parties; the SPRS score submission history, including any prior scores and the basis for any score changes; all DIBNet incident reports submitted in the prior three years; C3PAO assessment reports if available; subcontractor flow-down documentation for all subcontractors receiving CUI; cloud service provider agreements and documentation of FedRAMP Moderate equivalent compliance; CUI marking and handling policies; training completion records for personnel handling CUI; and all DFARS clause matrices for active contracts.

Technical assessment, meaning actual verification of control implementation rather than review of documentation, should be conducted by a qualified cybersecurity firm with CMMC assessment experience. Documentation and reality diverge frequently in contractor environments. A System Security Plan may document multi-factor authentication as implemented when in fact MFA has been deployed only for a subset of accounts. Network segmentation may be documented as separating CUI systems from corporate systems when in fact the segmentation is misconfigured or has known bypass paths. Technical validation of a representative sample of controls is a necessary complement to document review.

The output of cybersecurity diligence should be a risk-tiered finding list that distinguishes between: findings that create current False Claims Act exposure (inaccurate SPRS submissions, unreported incidents); findings that create contract eligibility risk (CMMC level non-compliance for contracts that require certification); findings that create remediation cost and timeline risk (gap items that require capital expenditure or significant operational change); and findings that represent documentation deficiencies without underlying control failures (a lower priority but still requiring post-close attention).

Cybersecurity Representations and Warranties: Drafting for Defense Contractor Transactions

Standard M&A purchase agreement representations are not adequate for defense contractor transactions. The cybersecurity representation package requires substantial expansion to address the specific regulatory environment, and the indemnification structure must account for the potential for treble damages under the False Claims Act.

The cybersecurity representations should address the following areas with specificity. First, SPRS accuracy: the seller should represent that each SPRS submission made by any CAGE code held by the target was accurate when submitted and remains accurate as of closing, and that no information known to the seller would require a downward revision to any submitted score. Second, System Security Plan completeness: the seller should represent that the System Security Plan accurately describes the systems and controls in place as of closing, that the CUI boundary definition is complete and accurate, and that all material controls documented in the plan are implemented as described. Third, incident reporting: the seller should represent that all incidents required to be reported under DFARS 252.204-7012 during a defined lookback period were reported on a timely basis, and that no incident is known to the seller that has not been reported. Fourth, POA&M status: the seller should represent that the POA&M is complete, that all open items are accurately described, and that no additional items are known to the seller that would require addition to the POA&M. Fifth, subcontractor flow-down: the seller should represent that all required DFARS cybersecurity clauses have been flowed down to subcontractors receiving CUI, and that no subcontractor is in known violation of those obligations in a manner that creates prime contractor liability.

On the indemnification side, cyber representations in defense contractor transactions should carry indemnification with enhanced or unlimited caps to account for False Claims Act exposure. The FCA permits the government to recover treble the government's actual damages plus mandatory civil penalties per false claim. In a situation where a contractor has submitted an inaccurate SPRS score across multiple contract years or has falsely certified CMMC compliance across multiple contract awards, the aggregate FCA exposure can be substantial relative to the deal size. Standard indemnification caps based on purchase price multiples may be inadequate. Sophisticated buyers negotiate for specific FCA carve-outs from the general indemnification cap, with separate higher caps or no cap for FCA-related claims.

Representations and warranties insurance (RWI) is increasingly available for defense contractor transactions, but cyber-specific coverage varies significantly by carrier. Buyers should work with insurance advisors who have specific experience placing RWI for defense contractor transactions to understand what cyber representations are insurable, at what sublimits, and with what exclusions. FCA-related claims are typically excluded from standard RWI but may be available through specialized government contract liability endorsements.

SPRS Score Treatment and Recalculation Post-Acquisition

The treatment of a target's SPRS score post-acquisition depends on the transaction structure. In a stock purchase or membership interest acquisition where the legal entity continues in existence with its existing CAGE codes, the SPRS score associated with each CAGE code remains in place. The buyer inherits whatever compliance posture the score reflects, including any inaccuracies or deficiencies in the underlying assessment. No automatic recalculation occurs as a result of the change in ownership.

Post-close, the new ownership must determine whether the existing SPRS submission remains accurate or whether changes in ownership, management, IT systems, or other factors require a revised self-assessment. If the buyer's integration plan includes migrating the target to the buyer's IT environment, the System Security Plan must be updated to reflect the new environment, and in most cases a new NIST 800-171 self-assessment will be required against the updated environment. If the target had a C3PAO-issued CMMC certification, the buyer must determine whether the integration changes constitute a material change to the assessed environment that would require re-assessment for the certification to remain valid.

In an asset purchase where the buyer acquires specific contracts and associated assets but not the legal entity, the CAGE code situation is more complex. The buyer will typically need to apply for its own CAGE code if it does not already hold one, or associate the acquired contracts with an existing CAGE code. The SPRS score from the seller's CAGE code does not transfer to the buyer's CAGE code. The buyer will need to establish its own SPRS record for the relevant CAGE code, which requires conducting a new self-assessment. Depending on the buyer's current cybersecurity posture and the specific contracts being acquired, this can create a gap period where the buyer holds acquired contracts but does not yet have a current SPRS score supporting award or performance.

For transactions where the target holds CMMC Level 2 certification, buyers should engage with the C3PAO that issued the certification to understand whether the certification survives the ownership change and under what conditions. The CMMC accreditation body has not issued comprehensive guidance on certification transfer in M&A transactions, and this is an area where legal and technical counsel must work together to assess the specific facts.

Cloud Service Provider Compliance and the FedRAMP Moderate Equivalent Requirement

DFARS 252.204-7012 requires that any cloud computing services used by a contractor to store, process, or transmit covered defense information meet security requirements equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline. This requirement applies regardless of whether the cloud service provider is a hyperscale provider such as AWS, Azure, or Google Cloud, or a niche provider serving a specific technical function.

The FedRAMP Moderate baseline is a specific set of security controls derived from NIST SP 800-53 and assessed through a FedRAMP authorization process. There are two pathways to compliance: the cloud service can have a current FedRAMP authorization at the Moderate impact level or higher, which is documented in the FedRAMP marketplace; or the cloud service can have received a DoD Provisional Authorization at IL2 or higher, which covers the DoD's specific authorization pathway. Contractors cannot self-assess CSP compliance against the FedRAMP baseline; they must use a CSP that has received one of these authorizations.

In practice, CSP compliance is among the most commonly overlooked elements of defense contractor cybersecurity diligence. Defense contractors frequently use commercially available cloud services for collaboration, file storage, project management, and other functions without verifying whether those services have FedRAMP authorizations. Common violations include: using commercial versions of collaboration platforms that lack FedRAMP authorization when government community cloud versions are available; using cloud storage services that have not achieved FedRAMP Moderate authorization for CUI storage; using third-party software-as-a-service applications that process CUI through APIs without verifying those applications' authorization status; and using managed service providers whose underlying infrastructure does not meet the FedRAMP equivalent requirement.

Diligence on CSP compliance requires a complete inventory of all cloud services used by the target, mapped against what data those services process, followed by verification of FedRAMP or DoD authorization status for each service that touches CUI. Unauthorized CSP use is not simply a compliance gap; it represents a period during which CUI may have been stored in non-compliant systems, which can affect incident characterization and may constitute an independent DFARS 7012 violation. Buyers discovering widespread CSP compliance failures during diligence face both a remediation problem (migrating to compliant services) and a historical liability question (what happened to CUI stored in non-compliant systems).

For enterprise holdings with multiple subsidiaries, centralized IT services and cloud infrastructure managed at the holding company level may be used by subsidiary entities that hold defense contracts. The holding company's cloud environment must meet the FedRAMP Moderate equivalent requirement for any services that touch CUI from the defense contractor subsidiaries. This is a frequent gap in private equity-backed defense contractor portfolios where a shared IT services function was built for commercial efficiency without accounting for the defense-specific cloud compliance requirements that govern the portfolio companies' operations.

Frequently Asked Questions

How is CMMC level determined for a defense contractor acquisition target?

CMMC level is determined by the sensitivity of the information the contractor handles and the requirements embedded in its existing and anticipated contracts. Level 1 applies to contractors handling only Federal Contract Information (FCI) and requires annual self-assessment against 17 practices drawn from FAR 52.204-21. Level 2 applies to contractors handling Controlled Unclassified Information (CUI) and requires third-party assessment by a Cyber AB-accredited C3PAO every three years, with annual affirmations between assessments. Level 3 applies to contractors on DoD's highest-priority programs and requires a DIBCAC-led assessment against NIST SP 800-172 practices on top of the full 110-practice NIST SP 800-171 Rev 2 baseline. In an M&A context, buyers should map each of the target's active and pipeline contracts to the applicable CMMC level before finalizing diligence scope, because acquiring a Level 2 or Level 3 requirement without understanding the target's current compliance posture creates immediate contract performance risk.

What happens to the target's SPRS score after an acquisition closes?

The Supplier Performance Risk System score belongs to the entity's CAGE code, not to any individual person. When a buyer acquires the legal entity that holds the CAGE code, the SPRS score associated with that CAGE code transfers as an attribute of the entity. If the acquisition involves only an asset purchase rather than a stock or membership interest purchase, the CAGE code may or may not follow depending on how the transition is structured with the Defense Logistics Agency. In either structure, buyers should request the target's current SPRS score and underlying self-assessment documentation during diligence. If the score is negative or low, buyers need to assess whether a corrective Plan of Action and Milestones (POA&M) can be executed post-close and how that timeline interacts with existing contract performance obligations. Under DFARS 252.204-7019, a contractor must have a current score on record before being awarded a contract, so score validity and recalculation timelines belong in acquisition planning.

How long does it take to schedule and complete a C3PAO assessment for CMMC Level 2?

As of the current CMMC 2.0 rollout, the scheduling backlog for Cyber AB-accredited C3PAOs is significant. Contractors pursuing Level 2 certification should expect a minimum of six to twelve months from initial contact with a C3PAO to receiving a final assessment report. This timeline includes scoping discussions, remediation of identified gaps, the formal assessment window (typically two to four weeks of active assessment work), and report finalization. The timeline extends further if the target has not yet completed a rigorous internal NIST SP 800-171 Rev 2 gap analysis, has a large or complex environment with multiple enclaves, or requires significant infrastructure remediation before the C3PAO will begin. In an acquisition context, buyers who discover that a target has not yet initiated a C3PAO engagement may face a situation where CMMC Level 2 certification cannot be achieved until well after close, which affects contract eligibility for future solicitations that require certification.

What are the most common gaps in CUI identification at defense contractor acquisition targets?

CUI identification failures are among the most common and consequential findings in defense contractor diligence. The most frequent gaps include: failure to identify CUI in engineering drawings and specifications received from the government or prime contractors; inadequate marking of CUI in email and shared drives, often because marking policy was never operationalized; CUI flowing to subcontractors without adequate flow-down of DFARS 252.204-7012 obligations; personnel who handle CUI without having received required CUI training; and IT systems that store or transmit CUI but were never scoped into the System Security Plan. A related issue is confusion between CUI Basic and CUI Specified categories, where Specified categories carry additional handling controls that the contractor may not have implemented. Buyers should request the target's CUI Registry documentation, marking policies, and the scope definition in the System Security Plan to determine whether the CUI boundary is accurately drawn before assessing NIST 800-171 control implementation.

Will DoD accept a NIST SP 800-171 POA&M at time of contract award under CMMC 2.0?

Under CMMC 2.0, the treatment of open POA&M items depends on the CMMC level and the specific items at issue. For Level 2 assessed contracts, CMMC 2.0 rules permit a contractor to receive certification with certain open POA&M items, subject to defined conditions: the open items cannot be among the practices that CMMC designates as immediately required with no deferral, the items must have a credible remediation timeline, and the contractor must achieve closure within defined windows (generally 180 days post-assessment for allowable POA&M items). For Level 2 self-assessed contracts, the SPRS score reflects open POA&M items through a points-based deduction, and a contractor may submit a score that is not 110 while maintaining contract eligibility under certain thresholds. Buyers should not assume that a POA&M-based path eliminates risk. Contracting officers retain discretion to reject bids where the SPRS score falls below program-specific thresholds, and false certification of compliance on a Form DD-2345 or SPRS submission with material POA&M items can give rise to False Claims Act exposure.
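The points-based deduction and the closure window discussed in this answer and in the SPRS answer above, as an added example that is not from the article: it computes a score from a constructed POA&M, orders open items by score impact so a buyer can see which closures move the score most, and flags planned closure dates that fall outside the 180-day window the answer describes. The per-requirement weights are assumptions for illustration (the real 5/3/1 values come from the published DoD Assessment Methodology), and applying the window to a self-assessed score is a simplification for the example.

```python
from datetime import date, timedelta

START_SCORE = 110          # score with all 110 NIST SP 800-171 requirements met
CLOSURE_WINDOW_DAYS = 180  # closure window the FAQ describes for allowable items

# The DoD Assessment Methodology weights each requirement at 5, 3 or 1 point.
# The values below are assumptions for this example; take real weights from
# the published table. Partial-credit rules are not modelled here.
WEIGHTS = {"3.1.1": 5, "3.5.3": 5, "3.13.11": 5, "3.3.1": 5, "3.1.5": 3, "3.8.7": 1}

def sprs_score(open_items):
    """Score for a POA&M whose listed requirement ids are still open.
    Ids missing from WEIGHTS are treated as 1-point requirements."""
    return START_SCORE - sum(WEIGHTS.get(r, 1) for r in open_items)

def closure_plan(poam, assessment_date):
    """poam maps requirement id -> planned closure date. Orders items by score
    impact and reports the projected score after each closure and whether the
    planned date falls outside the closure window."""
    deadline = assessment_date + timedelta(days=CLOSURE_WINDOW_DAYS)
    remaining = set(poam)
    plan = []
    for req in sorted(poam, key=lambda r: (-WEIGHTS.get(r, 1), r)):
        remaining.discard(req)
        plan.append({"requirement": req, "weight": WEIGHTS.get(req, 1),
                     "score_after": sprs_score(remaining),
                     "late": poam[req] > deadline})
    return plan

# Constructed POA&M for a hypothetical target assessed on 2026-01-15.
ASSESSED = date(2026, 1, 15)
SAMPLE_POAM = {"3.5.3": date(2026, 5, 1), "3.13.11": date(2026, 9, 30),
               "3.1.5": date(2026, 3, 1), "3.8.7": date(2026, 2, 1)}

if __name__ == "__main__":
    print("current SPRS score:", sprs_score(SAMPLE_POAM))
    for step in closure_plan(SAMPLE_POAM, ASSESSED):
        print(step)
```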

What are the incident reporting obligations in an active transaction where the target experiences a cyber incident?

DFARS 252.204-7012 requires a contractor to report a cyber incident affecting a covered contractor information system within 72 hours of discovery to DoD via the DIBNet portal. This obligation does not pause because the contractor is in the middle of an M&A transaction. If the target experiences a reportable incident during the diligence or post-LOI period, it must report to DoD on the regulatory timeline regardless of deal status. From the buyer's perspective, discovery of an unreported or late-reported incident during diligence is a significant finding because it creates regulatory risk that survives closing, affects the target's SPRS scoring and CMMC certification status, and may signal systemic security failures that need independent verification. Transaction counsel should ensure the purchase agreement includes representations about incidents during the pre-closing period and should structure a specific covenant requiring the target to report any incident to the buyer within a defined window, in addition to fulfilling the DoD reporting obligation.

How should buyers negotiate cybersecurity representations and warranties in defense contractor acquisitions?

Cybersecurity representations in defense contractor acquisitions should go well beyond a generic 'no material data breaches' rep. Buyers should negotiate for representations covering: accuracy of the SPRS score submitted to the government for each CAGE code; completeness and accuracy of the System Security Plan and associated boundary documentation; status of any open POA&M items, including the nature of each open item and the remediation timeline; absence of any unreported incidents under DFARS 252.204-7012 during a defined lookback period; whether all cloud service providers used to process CUI meet the FedRAMP Moderate equivalent baseline; and whether all subcontractors receiving CUI have DFARS 252.204-7012 flow-down clauses in place. On the indemnity side, buyers should seek uncapped or high-cap indemnification for pre-closing cyber violations given the potential for False Claims Act liability, which carries treble damages. Sellers will resist uncapped cyber indemnities, creating a negotiation point that often resolves through representations and warranties insurance riders with cyber-specific sublimits.

How do multi-entity defense contractor holdings coordinate CMMC certification across subsidiaries?

For a holding company or private equity portfolio with multiple defense contractor subsidiaries, CMMC certification is an entity-level obligation tied to each CAGE code. There is no group-level CMMC certification that flows down to subsidiaries. However, the DoD has acknowledged the operational complexity of large enterprise environments and introduced guidance around the concept of shared services, where a parent's IT infrastructure supporting multiple subsidiaries can be assessed once if properly documented through an enterprise-level System Security Plan with subsidiary enclave documentation. The Memorandum of Process Protection approach, sometimes referenced in enterprise CMMC planning, contemplates documenting how common services are delivered to each subsidiary and scoping a single C3PAO assessment accordingly. Even with a shared services approach, each subsidiary CAGE code must maintain its own SPRS score and CMMC certification status. Buyers acquiring a portfolio of defense contractors should treat CMMC planning as a cross-entity program management exercise, not a series of independent compliance projects, to avoid duplicative assessment costs and inconsistent compliance postures across the portfolio.

Legal Counsel for DFARS and CMMC Compliance in Defense Contractor Transactions

DFARS cybersecurity and CMMC compliance analysis requires counsel with direct experience in defense contracting law, M&A transaction structuring, and the technical regulatory frameworks that govern the defense industrial base. The interaction between SPRS scoring, C3PAO certification timelines, FCA exposure, and purchase agreement structure is not a general M&A problem. It requires specific expertise.

Acquisition Stars works with buyers and sellers in defense contractor M&A transactions where DFARS and CMMC compliance is a central legal issue. Alex Lubyansky structures the legal analysis around the specific contract portfolio, CAGE code situation, and compliance posture of each transaction.

Submit Your Defense Contractor Transaction for Review

If your transaction involves DFARS cybersecurity obligations, CMMC certification requirements, or SPRS compliance questions, submit the transaction details for an engagement assessment.
