Complete compliance programs to bring you peace of mind.

We bring unparalleled compliance expertise to our clients. CastleLock compliance services are designed to help you meet your compliance requirements and safeguard your sensitive information. With CastleLock there are no more compliance surprises.

DFARS 252.204-7012

The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation (FAR) that the Department of Defense uses to provide guidelines for procurement of everything the Department of Defense needs to operate. The DFARS is a set of regulations and clauses with requirements for managing the DoD supply chain. DFARS 252.204-7012 is often called out in reference to being DFARS compliant; while there is no DFARS compliance certification, there are contractual obligations for organizations accepting this clause in their contract. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, outlines the core requirements for organizations collecting, developing, receiving, transmitting, using, or storing Covered Defense Information (CDI) in service of a contract.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) was first released on January 31, 2020 and is expected to be fully implemented by 2025. Updated in November 2021, the CMMC is the new approach the Department of Defense is using to manage cyber risk in the DoD supply chain. It is a three-level cumulative maturity framework: all DoD supply chain members will be required to meet CMMC Level 1 at a minimum, and CMMC Level 2 if they are collecting, developing, receiving, transmitting, using, or storing Controlled Unclassified Information (CUI) in service of a contract. It incorporates controls from NIST 800-171, FAR 52, NIST 800-171B, and others.

NIST 800-171

A derivative of NIST SP 800-53, the first release of NIST SP 800-171 was published in December 2016 to address the minimum requirements for protecting Controlled Unclassified Information in nonfederal systems. With 110 controls across 14 control families, this control framework is the core requirement, but not the only requirement, for Safeguarding Covered Defense Information under DFARS clause 252.204-7012. If an organization plans to do business with the Department of Defense and that opportunity involves covered defense information, it is important to understand this control framework. CastleLock consultants have been helping organizations understand and achieve full implementation of all 110 controls since the NIST 800-171 draft publication in 2015.

Cybersecurity Maturity Model Certification (CMMC) Gap Assessment

As a DoD contractor, the thought of your business being disrupted by DFARS 252.204-7012, Safeguarding Controlled Unclassified Information, and the upcoming Cybersecurity Maturity Model Certification (CMMC) process may be overwhelming.

What steps should I take now?

1. Gap Analysis

The first step in identifying the risks and exposure of your company's information security program against DFARS 252.204-7012 is to conduct a gap analysis. A gap analysis will identify any deficiencies against the current DFARS cybersecurity requirements and the upcoming CMMC regulations.


While DFARS allows for self-attestation, CMMC maturity levels will be assessed by an independent certification body. The certification body has yet to be announced, but the capabilities that DoD suppliers will be required to implement for each maturity level have already been announced. Hiring a third party now to conduct a neutral evaluation of your controls, policies, and processes ensures your company's information security program is ready once the certification body has been formed.


The DoD expects to include CMMC certification levels in RFIs and RFPs starting in Q3 of 2020. Suppliers should prepare now by strengthening their existing obligations under DFARS 252.204-7012 in preparation for CMMC certification.

FISMA

The Federal Information Security Management Act (FISMA), passed in 2002, requires federal agencies to develop, document, and implement an information security program. Using NIST SP 800-53, organizations must document their assessed risk level (Low, Moderate, or High), their information system, and their remediation plans. Engage CastleLock to provide a FISMA-compliant Security Assessment Plan and System Security Plan with a Plan of Action and Milestones.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This standardized approach uses NIST SP 800-53 as the core control framework and grants authorizations to cloud service providers operating at the Moderate and High impact levels. CastleLock provides FedRAMP readiness assessment consultations and authorization package preparation services.

NIST 800-53

Originally published in 2005, the NIST SP 800-53 publication is nearing its fifth revision. This control framework provides recommended control sets for three impact levels (low, moderate, and high) across eighteen control families and 965 controls. These are the core requirements of the Federal Information Security Management Act (FISMA), which apply directly to federal organizations. NIST 800-53 is also the foundation for other programs, such as the FedRAMP program for cloud service providers.

Frequently Asked Questions

The Cybersecurity Maturity Model Certification (CMMC) was established to provide a security framework for safeguarding the Department of Defense's intellectual property, CUI, which includes various types of data. It addresses supply chain security deficiencies and puts forth foundational levels of security for all the different participants.
Level 1 requirements are known as basic hygiene: your systems are protected from external attackers, your company knows what devices you have and who your users are, and you keep your systems up to date.
Level 2 involves not only protection of Controlled Unclassified Information (CUI) but also defending against advanced persistent threats (APTs). Your company will be required to have documentation and resources for an information security program. DNS protection and monitoring is a strong component of Level 2.
Level 3 is intended for critical suppliers that require a higher level of maturity. Considered the "Expert" level, Level 3 assessment requirements are still under development but are expected to pull heavily from the NIST 800-172 standard and the NIST 800-172A Audit Guide.

Secure the perimeter of your business today.