Most DoD contractors know they have compliance obligations somewhere in their contract. What they don't always know is exactly which obligations apply to them, what triggers CMMC specifically, and what the contract says about where and how work can be performed. These aren't obscure legal questions -- they have direct answers if you know where to look.
Here's how to read your contract and find out what's actually required of you.
Step 1: Find Your DFARS Clauses
Your contract contains a section called the contract clauses -- typically near the back, sometimes labeled "Section I" or listed in the contract's terms. This is where the regulatory obligations live. The ones that matter most for cybersecurity are DFARS clauses -- Defense Federal Acquisition Regulation Supplement.
The two you're looking for:
If 252.204-7012 is in your contract: you are required to implement NIST SP 800-171 and have a current SPRS (Supplier Performance Risk System) score on file. This clause has been in DoD contracts since 2017. Many contractors have it and don't realize it.
If 252.204-7021 is in your contract: CMMC certification is explicitly required. The clause will specify which level -- Level 1, Level 2, or Level 3. This is the newer clause that began appearing in contracts in late 2025.
How to search: Open your contract as a PDF and use Ctrl+F to search for "7012" and "7021". If either number appears, read the full clause carefully -- it will tell you the required CMMC level and any applicable deadlines.
Step 2: Determine Whether You Handle CUI
CMMC Level 2 applies specifically to contractors who handle Controlled Unclassified Information (CUI). The presence of DFARS 252.204-7012 in your contract is a strong signal that CUI is involved, but it's worth confirming directly.
Look for any of the following in your contract or performance work statement:
Also look for language referencing "technical data," "export controlled information," "proprietary government information," or specific program names with sensitivity designations. If your work involves engineering drawings, specifications, test data, or design documents from a government program, CUI is almost certainly involved.
If you genuinely handle no CUI and no FCI -- meaning your contract is purely for commercial off-the-shelf products or non-sensitive services -- CMMC Level 2 may not apply. But this determination should be made carefully. When in doubt, assume it applies.
Step 3: Check for Performance Location Requirements
Some contracts restrict where work can be performed. This matters for cybersecurity because it affects where CUI can be processed, stored, and transmitted. Look for these clauses and terms:
On-Site Performance Requirements
Some contracts require that work be performed at a government facility or at a specific contractor location. This is usually stated explicitly in the Statement of Work or Performance Work Statement. If your contract requires on-site performance, your CMMC compliance environment needs to cover that physical location specifically.
Continental United States (CONUS) Restrictions
Look for language referencing CONUS -- Continental United States. Some contracts prohibit performance outside the continental US, which means work cannot be offshored, performed by foreign nationals, or processed on systems located outside the US. Cloud storage counts -- if your data is replicated to servers outside CONUS, that can be a violation.
Foreign Ownership, Control, or Influence (FOCI)
If your company has any foreign ownership, investment, or board-level influence from a foreign national, you may have FOCI issues that go beyond CMMC. Look for any reference to FOCI mitigation requirements or National Industrial Security Program (NISP) obligations in your contract. These require separate handling.
Puerto Rico note: Puerto Rico is a US territory, not a foreign country. Performance in Puerto Rico is CONUS-equivalent for most federal contracting purposes and does not trigger foreign performance restrictions.
Step 4: Check Flow-Down Requirements
If you are a subcontractor -- meaning you work under a prime contractor rather than directly with the government -- your CMMC obligations may flow down from the prime's contract. The prime is required to pass DFARS cybersecurity clauses down to subcontractors who handle CUI.
Look for these in your subcontract agreement:
If you are a subcontractor and your prime has not mentioned CMMC to you, that does not mean you are exempt. It may mean the prime is not yet managing their supply chain compliance -- which is their problem until it becomes yours at renewal or audit time.
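The four steps above can be run as a first pass over the text of a contract once it has been extracted from the PDF. The following is an added example (not part of the original article) that applies the Step 1 through Step 4 checks to a constructed sample; the clause numbers and keyword lists come from the article, and the sample contract text is invented for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Step 1: the two DFARS clauses the article tells you to search for.
CLAUSES = {
    "252.204-7012": "implement NIST SP 800-171 and keep a current SPRS score",
    "252.204-7021": "CMMC certification at the level stated in the clause",
}
# Step 2: wording that signals CUI/FCI is involved.
CUI_TERMS = ["controlled unclassified information", "cui", "fci", "technical data",
             "export controlled", "proprietary government information"]
# Step 3: performance-location and foreign-influence terms.
LOCATION_TERMS = ["on-site", "government facility", "conus", "foci", "nisp"]

@dataclass
class ContractFindings:
    clauses: Dict[str, str] = field(default_factory=dict)
    cmmc_level: Optional[int] = None          # only set when 7021 is present
    cui_indicators: List[str] = field(default_factory=list)
    location_terms: List[str] = field(default_factory=list)
    subcontract: bool = False                 # Step 4: flow-down applies

def _has_term(term: str, lower_text: str) -> bool:
    return re.search(rf"\b{re.escape(term)}\b", lower_text) is not None

def review_contract(text: str) -> ContractFindings:
    """Run the Step 1-4 checks over extracted contract text (case-insensitive)."""
    f = ContractFindings()
    lower = text.lower()
    for number, meaning in CLAUSES.items():
        # Match the full clause number as it is printed in Section I; the bare
        # "7012"/"7021" Ctrl+F from Step 1 is looser and worth doing by hand too.
        if re.search(re.escape(number), lower):
            f.clauses[number] = meaning
    if "252.204-7021" in f.clauses:
        m = re.search(r"cmmc\s+level\s+([123])", lower)
        if m:
            f.cmmc_level = int(m.group(1))
    f.cui_indicators = [t for t in CUI_TERMS if _has_term(t, lower)]
    f.location_terms = [t for t in LOCATION_TERMS if _has_term(t, lower)]
    f.subcontract = _has_term("subcontract", lower) or _has_term("prime contractor", lower)
    return f

# Constructed sample contract text (not a real contract).
SAMPLE_CONTRACT = """SECTION I - CONTRACT CLAUSES
252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
252.204-7021 Cybersecurity Maturity Model Certification Requirements
The Contractor shall hold a CMMC Level 2 certificate for the duration of performance.
Work shall be performed on-site at a Government facility within CONUS.
Deliverables include technical data marked as Controlled Unclassified Information.
"""
```

The result tells you which obligations exist (Step 1), the required CMMC level, and which CUI and location terms still need to be read in context; it does not replace reading the full clause text.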
What to Do With What You Find
Once you've identified your clauses and obligations, you have a clear picture of what's required. The next step is knowing whether you actually meet those requirements -- which is exactly what a gap assessment determines.
If you found 252.204-7012 in your contract and have never formally assessed your environment against NIST 800-171, you are already out of compliance with an existing obligation -- not a future one. That's worth addressing before your next contract renewal, audit, or incident.