CMMC Level 2 & DLA RD004/RD005
What Defense Contractors Must Know Now
The Department of Defense (DoD) and the Defense Logistics Agency (DLA) have entered a new enforcement phase. Updated CMMC Level 2 requirements and DLA clauses RD004 and RD005 now determine whether contractors are eligible to compete for and retain contracts involving Controlled Unclassified Information (CUI).
If your organization handles CUI, qualifying Level 2 status is required when CMMC clauses appear in solicitations. Cybersecurity eligibility is also increasingly verified prior to award, not addressed solely post-award.
What Changed
1. CMMC Is Now Embedded into Contract Eligibility
This means contractors must demonstrate qualifying CMMC status at time of award.1
For companies handling CUI, CMMC Level 2 is now the primary compliance mechanism aligned to NIST SP 800-171.2
Unlike legacy NIST “self-attestation” concepts, compliance must now be:
- Documented
- Assessed under defined criteria
- Recorded in SPRS
- Annually affirmed
2. Clause Renumbering Is Creating Confusion
Simultaneously, the government is restructuring and renumbering portions of the FAR under the Revolutionary FAR Overhaul (RFO).3 A detailed crosswalk of legacy clauses, their renumbered counterparts, and their practical compliance implications is provided in Appendix 1.
This means:
- “Old” and “new” clause numbers may both appear in solicitations
- For new solicitations where CMMC applies, standalone NIST self-assessment reporting has largely been incorporated into the CMMC framework.
- Primes and contracting officers are translating compliance requirements differently in questionnaires.
The technical controls may look familiar, but the enforcement mechanism has fundamentally changed.
CMMC Level 2 Requirements
CMMC Level 2 applies to contractors that store, process, or transmit CUI on non-federal systems.
It aligns to the 110 security requirements in NIST SP 800-171, with additional formal assessment structure defined in federal regulation.2
Under DFARS 252.204-7021, contractors must:
- Hold a qualifying Level 2 status (Self-Assessment or C3PAO Assessment)
- Record status in SPRS
- Perform annual affirmation of continuous compliance (not older than 1 year)1
SPRS now reflects compliance status, not just a raw NIST score. This status can determine award eligibility.
DLA RD004 and RD005 Requirements
The Defense Logistics Agency separates CMMC enforcement into two clauses:
- RD004 – non-export-controlled CUI
- RD005 – Export-controlled CUI
This distinction reflects increased national security sensitivity for export-controlled information.
DLA Phase-In Timeline
| Clause | Applies To | Optional Phase | Mandatory Phase |
| RD004 | Non-export-controlled CUI | 11/10/2025–11/10/2028: Level 2 self-assessment may be used | After 11/10/2028: Level 2 self-assessment required in SPRS |
| RD005 | Export-controlled CUI | 11/10/2025–11/10/2028: C3PAO certification may be used | After 11/10/2028: C3PAO certification required in SPRS |
These clauses apply to DLA-administered contracts and are reflected in DLA acquisition guidance.4, 5
Important: Requiring activities retain discretion. Higher-risk programs may mandate stricter validation earlier.
Practical Implications for Defense Contractors
If your organization handles CUI:
- Cybersecurity questionnaires now act as go/no-go gates
- CMMC status can be verified prior to proposal evaluation¹
- Self-assessments must meet SPRS criteria for Conditional or Final status¹
- Export-controlled CUI programs will generally trend toward C3PAO certification2, 4
- Annual affirmation is mandatory under current rule structure1
Being “secure in principle” is no longer sufficient. Compliance must be provable, consistent, and current.
Secure. Comply. Excel.
How Atlantic Digital Helps
Atlantic Digital aligns cybersecurity compliance to business strategy through a three-tier model built for defense contractors.
SECURE
Secure Start — Establish the Right Foundation: For organizations beginning or recalibrating their compliance posture.
We help you:
- Confirm whether CUI and/or export-controlled data is in scope
- Determine the correct CMMC target level
- Define the appropriate assessment pathway
- Avoid costly rework caused by mis-scoping
Outcome: A clear roadmap aligned to eligibility requirements.
COMPLY
ADvantage — Operationalize Compliance: For contractors who need defensible, repeatable execution.
We support:
- Evidence mapping to CMMC Level 2 controls
- RD004/RD005 applicability analysis
- Questionnaire response standardization
- Ongoing compliance monitoring
Outcome: A stable, audit-ready posture that holds up under scrutiny.
EXCEL
Premium — Executive Governance & Competitive Positioning: For organizations that treat compliance as strategic infrastructure.
We provide:
- Ongoing vCISO oversight
- Continuous compliance governance
- C3PAO certification readiness planning
- Executive reporting aligned to board and acquisition expectations
Outcome: Sustained eligibility and competitive differentiation.
Next Steps
If you handle CUI or pursue DoD/DLA contracts:
- Confirm whether CMMC Level 2 applies
- Determine whether RD004 or RD005 governs your contracts
- Validate your SPRS status
- Standardize cybersecurity questionnaire responses
- Build a roadmap toward sustained compliance
Schedule a CMMC Eligibility Review
Sources
- DFARS (in https://www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirements.
- Code of Federal Regulations (in https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170).
- FAR Overhaul – FAR Part Deviation Guidance (in https://www.acquisition.gov/far-overhaul/far-part-deviation-guide/far-overhaul-part-52)
- DLA Cybersecurity Resources for Suppliers (in https://www.dla.mil/Small-Business/Resource-Center/Cybersecurity-Resources/)
- DLA Master List of Technical and Quality Requirements (in https://www.dla.mil/Portals/104/Documents/J7Acquisition/DLA_Master_List_of_TQ_Requirements_December_01_2025_Rev_41.pdf)
Appendix 1
| Original clause or term | What It Maps To | What It Really Means |
| FAR 52.204-21 | FAR 52.240-93 (class deviation under FAR overhaul) | Same 15 basic safeguarding requirements; clause number renumbered under the FAR overhaul (Acquisition 3). |
| DFARS 252.204-7019 | No longer prescribed for new solicitations where CMMC applies; functionally superseded (may still appear on legacy contracts) | Previously required contractors to perform a NIST SP 800-171 self-assessment and upload a score to SPRS as a condition of award. This requirement has been eliminated as a standalone clause and absorbed into the CMMC framework, where self-assessments now support CMMC Level 1 or Level 2 status under DFARS 252.204-7021. (Acquisition 4; Acquisition 5). |
| DFARS 252.204-7020 | DFARS 252.240-7997 (class deviation) | Formerly governed DoD Medium and High NIST SP 800-171 assessments and associated SPRS reporting. Under the FAR/DFARS restructuring, this clause was renumbered or replaced via class deviation, and its remaining assessment concepts are now aligned with CMMC Level 2 assessment types. Contractor-performed “basic assessments” were removed from this clause and are now addressed under DFARS 252.204-7021. (Wiley; Acquisition 4; Acquisition 5). |
| DFARS 252.204-7021 | Unchanged | CMMC Level 2 requirement for systems handling CUI and linkage to CMMC assessments recorded in SPRS (Acquisition 4). |
| NIST SP 800-171 compliance | CMMC Level 2 | Same 110 security requirements, plus formalized CMMC Level 2 assessment and documentation. |
| SPRS assessment record | CMMC Level 2 assessment status | Your posted NIST/CMMC score and whether it meets DoD criteria for “current” or “conditional” status in SPRS. |