Contractual Ingestion & LOB Strategy

CMMC compliance obligations do not begin at the time of an assessment — they begin at contract award. The moment a contract containing DFARS 252.204-7012 is executed, the organization is legally bound to protect Covered Defense Information (CDI) under the requirements of NIST SP 800-171. That obligation exists regardless of whether the organization has completed a CMMC assessment, updated its System Security Plan, or even identified which systems will touch the new CUI. The assessment merely verifies what the contract already requires.

This creates a business process problem that is predominantly organizational rather than technical. A contract is awarded to a program or business development team. The CUI handling obligation that comes with it is owned by IT and security. Without a formal contract intake process that connects these two functions, new awards silently expand the CUI scope, add systems to the assessment boundary, and create potential compliance gaps from day one. Organizations that treat CMMC as a one-time project rather than an ongoing contract management discipline accumulate risk with every new award.

DFARS 252.204-7012 — The Triggering Clause

DFARS 252.204-7012, formally titled Safeguarding Covered Defense Information and Cyber Incident Reporting, is the primary contractual mechanism through which DoD imposes CUI protection requirements on defense contractors. When this clause appears in a contract, the contractor is obligated to implement adequate security across all systems that process, store, or transmit Covered Defense Information — including email, file shares, collaboration platforms, and any cloud services.

The clause is broad. It does not require that the prime contractor handle classified information. CDI includes Controlled Technical Information (CTI), export-controlled data, and any information that meets the definition of CUI under the National Archives CUI Registry. It applies at the time of award, not at the time of assessment.

Key DFARS 7012 Obligations

Obligation | Requirement | Timeline
--- | --- | ---
Adequate security | Implement all controls in NIST SP 800-171 | At time of award
Cyber incident reporting | Report to DoD via dibnet.dod.mil | Within 72 hours of discovery
Media preservation | Preserve images of compromised systems and relevant data | 90 days from incident
Cloud service use | Use only cloud services meeting FedRAMP Moderate equivalency | At time of award
Subcontractor flow-down | Flow 7012 to all subcontractors that will handle CDI | At subcontract award

The 72-hour cyber incident reporting requirement is operationally significant. It requires that the organization have a documented incident response process capable of identifying an incident, scoping the affected CDI, and submitting a report to DoD — all within three days. This is not achievable without pre-existing detection capabilities, a clear process owner, and pre-registered access to dibnet.dod.mil.

The cloud service requirement has direct platform implications. Any cloud service used to process, store, or transmit CDI must meet FedRAMP Moderate equivalency. Microsoft 365 GCC High satisfies this requirement. Standard commercial Microsoft 365 (E3/E5 commercial tenant) does not meet this bar for DoD CUI without additional compensating controls and documented risk acceptance.


Identifying CMMC-Triggering Contracts

Not every DoD contract triggers a CMMC obligation. The obligation attaches when a contract involves CUI — specifically when the contract includes DFARS 252.204-7012 or, for newer solicitations, DFARS 252.204-7021 (the CMMC clause itself).

Starting in FY2025, DoD began including DFARS 252.204-7021 in solicitations for contracts requiring CMMC Level 2 certification. This clause goes further than 7012: it requires the contractor to have achieved a CMMC Level 2 certification (issued by a C3PAO) at the time of contract award, not merely self-attest to NIST SP 800-171 compliance via SPRS. Organizations that currently self-attest should identify contracts that include 7021 and treat them as driving a certification requirement rather than a self-assessment.

CUI Categories Common in the DIB

CUI Category | Abbreviation | Common Trigger
--- | --- | ---
Controlled Technical Information | CTI | Engineering drawings, specifications, test results
Export Controlled | EXPT | ITAR/EAR-controlled data, hardware/software designs
Contractor Bid or Proposal Information | CBPI | Bid packages, pricing, teaming agreements
For Official Use Only | FOUO | Program documentation, government correspondence
Privacy / Personally Identifiable Information | PII | Personnel records, background check data

Contract Review Checklist

Use this checklist when a new contract award or modification is received:

  • Does the contract include DFARS 252.204-7012?
  • Does the contract include DFARS 252.204-7021 (CMMC clause)?
  • Does the Statement of Work reference CUI, CDI, CTI, or ITAR/EAR-controlled information?
  • Does the contract include government-furnished information (GFI) or government-furnished equipment (GFE)?
  • Does the contract require access to government networks, systems, or portals?
  • Does the contract involve export-controlled technology, software, or hardware?
  • Will performance of the contract require sharing information with subcontractors?

A "yes" to any of these questions should trigger the full contract intake process described in the next section.


Contract Intake Process

The Business Process Gap

The organizational dynamic at most defense contractors works against compliance. Business development or program management receives a contract award. The award notice goes into a contracts management system. The IT and security team — who own the assessment boundary, the SSP, and the CMMC compliance posture — may never see the contract unless there is a formal intake process that connects the two functions.

This gap produces predictable failures: new systems stand up to support a contract before they are evaluated for CUI scope; CUI arrives via email before the data flow diagram is updated; subcontractors receive CDI before any flow-down review occurs. By the time the compliance team becomes aware, the boundary has already expanded and the exposure has occurred.

A formal contract intake workflow closes this gap. It does not need to be elaborate — it needs to be mandatory.

Intake Workflow

Step 1 Contract award or modification received
→ Contracts team reviews for DFARS 252.204-7012 and 252.204-7021

Step 2 If 7012 or 7021 is present
→ Security / IT team notified within 5 business days of award

Step 3 Security intake review
→ What CUI categories will be received?
→ From whom will CUI be received (contracting officer, subcontractors, GFI)?
→ Via what mechanism (SAFE, encrypted email, portal, physical media)?
→ What systems will process or store the CUI?

Step 4 Data flow update
→ Add the new CUI flow to the SSP data flow diagram
→ Label source, destination, data type, and transport mechanism

Step 5 Asset scope review
→ Are any new endpoints, servers, or cloud workloads entering scope?
→ If yes, add to the asset inventory and apply baseline configuration

Step 6 Subcontractor review
→ Will any CUI be shared with subcontractors?
→ If yes, initiate subcontractor flow-down process (see below)

Step 7 SSP update
→ Document the new contract, CUI categories received, and any boundary changes
→ Update the SSP revision history
→ Notify the ISSO / compliance lead

This workflow should be documented as a written procedure and referenced in the SSP under the Configuration Management and Planning control families. Assessors will ask how scope expansions are detected and managed — a documented intake process with evidence of execution (intake tickets, notification emails, SSP revision log) is the expected answer.


Subcontractor Flow-Down

DFARS 252.204-7012 places an affirmative obligation on prime contractors: if CUI or CDI will be shared with a subcontractor, the prime must flow the clause down to the subcontract as a binding obligation. The subcontractor must then meet the same NIST SP 800-171 requirements as the prime. The prime is responsible for this requirement — a subcontractor's non-compliance does not absolve the prime during a DoD assessment or incident investigation.

As CMMC certification requirements expand, some subcontracts may require that the sub hold a CMMC Level 2 certification rather than self-attest. Primes should review subcontract terms proactively, particularly where DFARS 252.204-7021 is present in the prime contract.

Subcontractor Management Checklist

  • Include DFARS 252.204-7012 language verbatim in all subcontracts where CDI will be shared
  • Require each sub to provide their current SPRS score or CMMC Level 2 certification letter before CUI is shared
  • Limit CUI shared with subs to the minimum necessary for performance (need-to-know)
  • Document the approved data sharing mechanism and prohibit sharing outside that mechanism
  • Review sub compliance posture at least annually, or upon contract renewal

Approved Sharing Mechanisms

Sharing CUI with subcontractors who are not on GCC High requires deliberate handling. A sub operating on a commercial Microsoft 365 tenant does not meet the FedRAMP Moderate equivalency bar for DoD CUI. The following mechanisms are approved for sharing CDI with external parties:

Mechanism | Use Case | Notes
--- | --- | ---
SAFE (DoD Safe Access File Exchange) | File transfer of CDI to external parties | Free, DoD-hosted, does not require sub to be on GCC High
Encrypted email with MIP sensitivity labels | Low-volume document exchange | Requires recipient capability to decrypt; confirm before use
Entra External Identities (B2B guest) | Structured collaboration on GCC High SharePoint | Guest user governed by your Conditional Access and DLP policies
Physical media (encrypted, tracked) | Large file transfers or offline environments | Chain of custody required; encryption mandatory

Do not share CUI via consumer OneDrive, consumer Dropbox, unencrypted email, or cross-tenant sharing to a standard commercial Microsoft 365 tenant. These channels do not meet the DFARS cloud service equivalency requirement and produce a material compliance gap.


Line of Business CUI Recognition Training

Technical controls protect CUI only if the people handling it recognize that it is CUI. An employee who does not know that a set of engineering drawings received from a contracting officer constitutes CTI will not apply a sensitivity label, will not know to restrict forwarding, and may share the file through an unapproved channel. The technical architecture cannot compensate for unrecognized CUI.

What CUI Looks Like

CUI is marked using the standard format defined by the National Archives CUI Registry:

  • CUI — baseline marking, no additional category specified
  • CUI//SP-CTI — Controlled Technical Information (specified CUI)
  • CUI//SP-EXPT — Export Controlled (specified CUI)
  • CUI//FOUO — For Official Use Only (basic CUI)

Markings appear in document headers and footers, in email subject lines (when the sender follows marking requirements), and in filename prefixes on some programs. Personnel should be trained to recognize these patterns.
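As an added illustration that is not part of the original article, the following Python detector finds and parses CUI banner markings in subject lines, header lines and filename prefixes like the ones listed above. It assumes the standard NARA banner layout (slash-separated categories after the first `//`, an optional second `//` segment for dissemination controls) and runs over constructed sample strings; the `_bare_is_banner` heuristic for telling a bare "CUI" banner from a prose mention is my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Banner layout, generalised from the page's four examples to the standard NARA
# form (assumption): CUI[//<cat>[/<cat>...]][//<dissemination>]; "SP-" = specified.
_BANNER = re.compile(
    r"(?<![A-Za-z])CUI"
    r"(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
    r"(?://(?P<dissem>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?"
    r"(?![A-Za-z])"
)

# Constructed sample subject lines and filenames, not real program data.
SAMPLES = [
    "CUI//SP-CTI - Drawing package rev C",
    "CUI//SP-CTI/SP-EXPT//NOFORN Test results",
    "CUI//FOUO Quarterly program review.docx",
    "[CUI] Program status update",
    "CUI_part123_drawing.pdf",
    "Reminder: CUI awareness training Thursday",  # prose mention, not a banner
    "RE: subcontractor teaming agreement",        # unmarked, but may still be CBPI
]

@dataclass
class CuiMarking:
    raw: str                      # banner text as found
    categories: List[str]         # e.g. ["CTI", "EXPT"]; empty for baseline "CUI"
    specified: bool               # True if any category carried the SP- prefix
    dissemination: Optional[str]  # text after the second "//", if present

def _bare_is_banner(text, start, end):
    # Bare "CUI" is a banner only at string start, in brackets or before a separator.
    before, after = text[start - 1:start], text[end:end + 1]
    return start == 0 or before in ("[", "(") or after in (":", "-", "|", "_", "]", ")")

def find_markings(text):
    """Return every CUI banner found in a subject line, header line or filename."""
    found = []
    for m in _BANNER.finditer(text):
        cats = m.group("cats")
        if cats is None and not _bare_is_banner(text, m.start(), m.end()):
            continue  # "CUI awareness training" is prose, not a marking
        parts = cats.split("/") if cats else []
        found.append(CuiMarking(m.group(0), [p[3:] if p.startswith("SP-") else p for p in parts],
                                any(p.startswith("SP-") for p in parts), m.group("dissem")))
    return found

def unmarked(items):
    """Items with no banner: not cleared, they still need the reasonable-expectation test."""
    return [i for i in items if not find_markings(i)]
```

Items returned by `unmarked` are candidates for the review described in the next section, not a clean bill; the teaming agreement in the samples is likely CBPI despite carrying no banner.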

Unmarked CUI

A document does not need a marking to be CUI. The obligation attaches based on the nature of the information and the contract context, not the presence of a label. The applicable test is:

Would a reasonable government official expect this information to be protected based on its content and the circumstances under which it was shared?

If the answer is yes, treat it as CUI regardless of whether a marking is present. Technical drawings received from a program office under a CDI-bearing contract are CTI whether or not they carry a banner. Bid and proposal information generated in support of a government contract is CBPI whether or not the document is labeled.

Employees should be trained to apply this "reasonable expectation" test when they receive information that could be government-related, and to contact the organization's CUI Program Manager (or designated security point of contact) when they receive information they are uncertain how to classify.

Training Requirements

Training is not optional

CMMC requires that all personnel who handle CUI receive CUI awareness training. Personnel who work with CUI in a specific role (program manager, system administrator, contracts officer) must also receive role-based training. Undocumented training is treated as no training by assessors. Maintain training completion records tied to individual employees, contract scope, and date of completion.

Training records should capture:

  • Employee name and role
  • Training course name and version
  • Date of completion
  • CUI categories covered
  • Whether training was role-based or general awareness

Records must be retained and producible for assessors. A spreadsheet or LMS export is acceptable. Verbal attestation is not.


Contract Flow-Downs — Compliance Control Mapping

The following CMMC Level 2 practices are directly addressed by a mature contract intake and CUI recognition program.

CMMC Practice | Domain | Requirement | Contract Intake Artifact
--- | --- | --- | ---
AT.L2-3.2.1 | Awareness and Training | Provide awareness training on organizational policies, threats, and CUI handling | Training completion records by employee and contract
AT.L2-3.2.2 | Awareness and Training | Ensure personnel with CUI access receive role-based training | Role-based training records for contracts, IT, and program staff
IR.L2-3.6.1 | Incident Response | Establish an operational incident-handling capability | Documented 72-hour reporting process; dibnet.dod.mil registration
IR.L2-3.6.2 | Incident Response | Track, document, and report incidents | Incident log; DFARS 7012 reporting procedure
CM.L2-3.4.2 | Configuration Management | Establish and maintain baseline configurations | New systems added to baseline upon contract scope expansion
CA.L2-3.12.4 | Security Assessment | Develop, document, and periodically update SSPs | SSP updated with each new CUI contract; revision history maintained
MP.L2-3.8.1 | Media Protection | Protect system media containing CUI | Approved sharing mechanisms documented; unapproved channels prohibited
SC.L2-3.13.11 | System and Communications | Employ FIPS-validated cryptography | Encryption requirement enforced for all external CUI transfer mechanisms
