What Defense Contractors Must Know Now

The Department of Defense (DoD) and the Defense Logistics Agency (DLA) have entered a new enforcement phase. Updated CMMC Level 2 requirements and DLA clauses RD004 and RD005 now determine whether contractors are eligible to compete for and retain contracts involving Controlled Unclassified Information (CUI).

If your organization handles CUI, qualifying Level 2 status is required when CMMC clauses appear in solicitations. Cybersecurity eligibility is also increasingly verified prior to award, not addressed solely post-award.

What Changed

1. CMMC Is Now Embedded into Contract Eligibility

Embedding CMMC into contract eligibility means contractors must demonstrate qualifying CMMC status at time of award.¹

For companies handling CUI, CMMC Level 2 is now the primary compliance mechanism aligned to NIST SP 800-171.²

Unlike legacy NIST “self-attestation” concepts, compliance must now be:

  • Documented
  • Assessed under defined criteria
  • Recorded in SPRS
  • Annually affirmed

2. Clause Renumbering Is Creating Confusion

Simultaneously, the government is restructuring and renumbering portions of the FAR under the Revolutionary FAR Overhaul (RFO).³ A detailed crosswalk of legacy clauses, their renumbered counterparts, and their practical compliance implications is provided in Appendix 1.

This means:

  • “Old” and “new” clause numbers may both appear in solicitations
  • For new solicitations where CMMC applies, standalone NIST self-assessment reporting has largely been incorporated into the CMMC framework.
  • Primes and contracting officers are translating compliance requirements differently in questionnaires.

The technical controls may look familiar, but the enforcement mechanism has fundamentally changed.

CMMC Level 2 Requirements

CMMC Level 2 applies to contractors that store, process, or transmit CUI on non-federal systems.

It aligns to the 110 security requirements in NIST SP 800-171, with additional formal assessment structure defined in federal regulation.²

Under DFARS 252.204-7021, contractors must:

  • Hold a qualifying Level 2 status (Self-Assessment or C3PAO Assessment)
  • Record status in SPRS
  • Perform annual affirmation of continuous compliance (not older than 1 year)¹

SPRS now reflects compliance status, not just a raw NIST score. This status can determine award eligibility.

DLA RD004 and RD005 Requirements

The Defense Logistics Agency separates CMMC enforcement into two clauses:

  • RD004 – Non-export-controlled CUI
  • RD005 – Export-controlled CUI

This distinction reflects increased national security sensitivity for export-controlled information.

DLA Phase-In Timeline

| Clause | Applies To | Optional Phase | Mandatory Phase |
|---|---|---|---|
| RD004 | Non-export-controlled CUI | 11/10/2025–11/10/2028: Level 2 self-assessment may be used | After 11/10/2028: Level 2 self-assessment required in SPRS |
| RD005 | Export-controlled CUI | 11/10/2025–11/10/2028: C3PAO certification may be used | After 11/10/2028: C3PAO certification required in SPRS |

These clauses apply to DLA-administered contracts and are reflected in DLA acquisition guidance.⁴, ⁵

Important: Requiring activities retain discretion. Higher-risk programs may mandate stricter validation earlier.

Practical Implications for Defense Contractors

If your organization handles CUI:

  • Cybersecurity questionnaires now act as go/no-go gates
  • CMMC status can be verified prior to proposal evaluation¹
  • Self-assessments must meet SPRS criteria for Conditional or Final status¹
  • Export-controlled CUI programs will generally trend toward C3PAO certification², ⁴
  • Annual affirmation is mandatory under current rule structure¹

Being “secure in principle” is no longer sufficient. Compliance must be provable, consistent, and current.

Secure. Comply. Excel.

How Atlantic Digital Helps

Atlantic Digital aligns cybersecurity compliance to business strategy through a three-tier model built for defense contractors.

SECURE

Secure Start — Establish the Right Foundation: For organizations beginning or recalibrating their compliance posture.

We help you:

  • Confirm whether CUI and/or export-controlled data is in scope
  • Determine the correct CMMC target level
  • Define the appropriate assessment pathway
  • Avoid costly rework caused by mis-scoping

Outcome: A clear roadmap aligned to eligibility requirements.

COMPLY

ADvantage — Operationalize Compliance: For contractors who need defensible, repeatable execution.

We support:

  • Evidence mapping to CMMC Level 2 controls
  • RD004/RD005 applicability analysis
  • Questionnaire response standardization
  • Ongoing compliance monitoring

Outcome: A stable, audit-ready posture that holds up under scrutiny.

EXCEL

Premium — Executive Governance & Competitive Positioning: For organizations that treat compliance as strategic infrastructure.

We provide:

  • Ongoing vCISO oversight
  • Continuous compliance governance
  • C3PAO certification readiness planning
  • Executive reporting aligned to board and acquisition expectations

Outcome: Sustained eligibility and competitive differentiation.

Next Steps

If you handle CUI or pursue DoD/DLA contracts:

  1. Confirm whether CMMC Level 2 applies
  2. Determine whether RD004 or RD005 governs your contracts
  3. Validate your SPRS status
  4. Standardize cybersecurity questionnaire responses
  5. Build a roadmap toward sustained compliance

Schedule a CMMC Eligibility Review

Sources

  1. DFARS: https://www.acquisition.gov/dfars/252.204-7021-contractor-compliance-cybersecurity-maturity-model-certification-level-requirements
  2. Code of Federal Regulations: https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-D/part-170
  3. FAR Overhaul – FAR Part Deviation Guidance: https://www.acquisition.gov/far-overhaul/far-part-deviation-guide/far-overhaul-part-52
  4. DLA Cybersecurity Resources for Suppliers: https://www.dla.mil/Small-Business/Resource-Center/Cybersecurity-Resources/
  5. DLA Master List of Technical and Quality Requirements: https://www.dla.mil/Portals/104/Documents/J7Acquisition/DLA_Master_List_of_TQ_Requirements_December_01_2025_Rev_41.pdf

Appendix 1

| Original clause or term | What It Maps To | What It Really Means |
|---|---|---|
| FAR 52.204-21 | FAR 52.240-93 (class deviation under FAR overhaul) | Same 15 basic safeguarding requirements; clause number renumbered under the FAR overhaul (Acquisition 3). |
| DFARS 252.204-7019 | No longer prescribed for new solicitations where CMMC applies; functionally superseded (may still appear on legacy contracts) | Previously required contractors to perform a NIST SP 800-171 self-assessment and upload a score to SPRS as a condition of award. This requirement has been eliminated as a standalone clause and absorbed into the CMMC framework, where self-assessments now support CMMC Level 1 or Level 2 status under DFARS 252.204-7021. (Acquisition 4; Acquisition 5). |
| DFARS 252.204-7020 | DFARS 252.240-7997 (class deviation) | Formerly governed DoD Medium and High NIST SP 800-171 assessments and associated SPRS reporting. Under the FAR/DFARS restructuring, this clause was renumbered or replaced via class deviation, and its remaining assessment concepts are now aligned with CMMC Level 2 assessment types. Contractor-performed “basic assessments” were removed from this clause and are now addressed under DFARS 252.204-7021. (Wiley; Acquisition 4; Acquisition 5). |
| DFARS 252.204-7021 | Unchanged | CMMC Level 2 requirement for systems handling CUI and linkage to CMMC assessments recorded in SPRS (Acquisition 4). |
| NIST SP 800-171 compliance | CMMC Level 2 | Same 110 security requirements, plus formalized CMMC Level 2 assessment and documentation. |
| SPRS assessment record | CMMC Level 2 assessment status | Your posted NIST/CMMC score and whether it meets DoD criteria for “current” or “conditional” status in SPRS. |