A White House Executive Order sets the direction, NIST writes the technical standard, the Defense Department bakes that standard into a contract clause, and CMMC verifies you followed it. So the SSP and SPRS score sitting on your desk didn't come from nowhere — they're the last link in a chain that runs Executive Order 14028 → NIST 800-171 → DFARS 252.204-7012 → CMMC (DFARS 252.204-7021) → flow-down from your prime. Understand the chain and the paperwork stops feeling arbitrary.
Nobody in a small shop wakes up wanting to write a System Security Plan. You got here because a prime sent you a subcontract with a clause in it, or a solicitation named a control set you'd never heard of, and suddenly a piece of federal cybersecurity policy became your problem. It feels arbitrary. It isn't. There's a clean chain of custody behind every requirement, and once you can see it, the whole thing stops looking like a bureaucratic trap and starts looking like what it is — a standard being handed down the line.
I've watched this machinery run from the inside for years. The players change, the memos get renumbered, but the shape of it holds: policy at the top, a technical standard in the middle, a contract clause at the bottom, and verification stapled to the whole thing so nobody can wave it away. Let me walk you down each rung so you know exactly why the work landed where it did.
On May 12, 2021, the President signed Executive Order 14028, "Improving the Nation's Cybersecurity." A string of breaches — federal agencies and their software vendors getting hit through the supply chain — had made the old approach untenable, and an Executive Order is how the White House points the whole federal government in a new direction at once.
An EO doesn't reach into your office directly. It commands agencies. EO 14028 told them to move toward zero trust architecture, to turn on multifactor authentication and encryption across federal systems, to lock down the software supply chain with things like a software bill of materials (SBOM) and secure development practices, and to make IT providers share breach and incident information instead of sitting on it. Critically for you, it also directed the FAR Council to standardize the cybersecurity language that goes into federal contracts. That last instruction is the seed of everything downstream.
The follow-on strategy filled in the picture. In January 2022, the Office of Management and Budget issued OMB M-22-09, the Federal Zero Trust Strategy that implemented EO 14028. It laid out five pillars — Identity, Devices, Networks, Applications & Workloads, and Data — mirroring CISA's Zero Trust Maturity Model, and set agency goals to hit by the end of fiscal year 2024. If the vocabulary in your compliance paperwork sometimes sounds like it came from a zero-trust briefing, this is why. It did.
Policy points a direction; it can't tell an engineer what to actually configure. That translation is the job of the National Institute of Standards and Technology (NIST). NIST takes the intent — protect sensitive federal information sitting on private-sector systems — and turns it into a concrete, testable control set.
For defense contractors, the relevant document is NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." This is the standard that defines what protecting Controlled Unclassified Information (CUI) means in practice: access control, identification and authentication, audit logging, incident response, media protection, and the rest — organized into control families with a defined set of requirements. It's the widely referenced Rev 2 that most contractors know by its 14 control families and 110 requirements; NIST issued Rev 3 in 2024, so which revision your specific contract points to is a detail to confirm against the clause rather than assume.
Here's the part people miss: NIST 800-171 is not a law. It's a standard sitting on a shelf. On its own it obligates no one. It becomes mandatory only when something with legal teeth — a contract clause — reaches up, points at it, and says do this one. That's the next rung.
The Department of Defense makes NIST 800-171 binding through the Defense Federal Acquisition Regulation Supplement (DFARS). The clause that matters is DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." When this clause is in your contract — and it's in a great many of them — three obligations become law for you:
This is the moment an abstract federal priority becomes your legally enforceable duty. A breach at the top of government in 2021 has now, through two translations, become a line in a contract you signed. The clause doesn't care how big you are. If it's in the award, it applies.
For years, DFARS 7012 ran on the honor system. You attested that you'd implemented 800-171, and the government mostly took your word for it. That gap — self-attested compliance with no verification — is exactly what CMMC, the Cybersecurity Maturity Model Certification, was built to close.
CMMC doesn't invent new security requirements. At Level 2, it is NIST 800-171 — the same 110 requirements you already owed under 7012. What CMMC adds is proof. The companion clause, DFARS 252.204-7021, ties contract award to holding the required CMMC certification. Depending on the level and the program, that means either a self-assessment and affirmation, or a certified third-party assessment.
The mechanics you'll actually touch:
The deadline that makes this real: November 10, 2026 begins Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. Self-assessment and affirmation language is already showing up in contracts now. The verification rung isn't theoretical anymore — it's a date on the calendar.
Want to know where you stand on those 110 controls right now? Before you build anything, get a baseline. Our free SPRS score estimator walks you through the self-assessment scoring in about two minutes — the same number you'd submit to the government.
Here's how a rule aimed at defending the nation's supply chain ends up on the desk of a six-person machine shop. Remember the flow-down obligation baked into DFARS 7012 back on rung three? That clause requires a prime contractor to push the same safeguarding and reporting duties into any subcontract where the subcontractor will handle CUI.
So the rule follows the data, not the size of the company. A prime wins a program with the clause attached. It hands part of the work — and some CUI along with it — to you. Because CUI is going to touch your systems, the prime is required to flow the obligation down to you. You do the same to any sub of yours who'll see the data. The requirement travels down the supply chain exactly as far as the controlled information does, and no farther.
This is why "I'm too small for this" is never the reason you're off the hook. The government isn't sizing you up. It's tracking where its sensitive data goes. If the data reaches you, so does the rule — and your prime has a contractual duty to make sure it did. If you want to make that obligation dramatically cheaper to satisfy, this is where scoping the data into a small boundary changes everything; we lay that out in The CUI Enclave Method.
Strip away the policy history and here's the concrete pile of work the chain deposits in front of you:
That's the chain, start to finish. A breach that shook the government produced an Executive Order, the Order produced a standard, the standard became a clause, the clause got a verification mechanism, and the whole package flowed down the supply chain until it reached the desk of the person actually holding the data — you. None of it is arbitrary. Every rung has a reason. And every rung is a place where doing the work early and cleanly beats scrambling at the deadline.
The pipeline ends in documents — an SSP, the 20 required policies, a POA&M, and a SPRS scorer. Building them from a blank page is where small shops lose weeks. The CMMC Level 2 DIY Compliance Kit is all of it, editable, mapped to every one of the 110 controls, built for a contractor doing this without a six-figure consultant.
An Executive Order directs federal agencies to act. EO 14028 (May 2021) told agencies to modernize cybersecurity and standardize contract language. NIST turns that direction into technical standards like SP 800-171. The Defense Department writes those standards into a contract clause — DFARS 252.204-7012 — and CMMC (DFARS 252.204-7021) verifies you meet them. Once the clause is in a contract, it's legally binding on you and flows down to your subcontractors.
NIST 800-171 is the technical standard — the list of security requirements for protecting CUI. DFARS 252.204-7012 is the contract clause that legally requires you to implement 800-171 and report cyber incidents within 72 hours. CMMC (DFARS 252.204-7021) is the verification mechanism that ties contract award to a certified assessment of whether you actually did it. Standard, clause, proof — in that order.
Because DFARS 252.204-7012 requires flow-down. When a prime holds a contract with the clause, it must include the same safeguarding and reporting obligations in any subcontract where the sub will handle CUI. The rule follows the data down the supply chain, which is how a two-person shop ends up needing an SSP and a SPRS score. If the controlled data reaches you, the obligation does too.
SPRS is the Supplier Performance Risk System, the government database where you submit your NIST 800-171 self-assessment score. It converts your compliance posture into a single number the contracting officer can see before award. Submitting a current score is already a condition of many DoD awards under DFARS 252.204-7012, ahead of full CMMC third-party certification. Our free estimator gives you that number in minutes.
No. A newer order can trim specific programs — EO 14306 in June 2025 rolled back some software-attestation and digital-identity mandates — but it left NIST 800-171, DFARS 252.204-7012, and CMMC intact. The defense-contractor pipeline runs on the DFARS and CMMC rules, and those are still on track for November 10, 2026. We break down exactly what changed in The 2025 Cybersecurity Executive Order.
November 10, 2026 begins Phase 2, when Level 2 C3PAO third-party certification becomes a required condition of award on applicable DoD contracts. Self-assessment and affirmation requirements are already appearing in contracts now, so your scoping and documentation work should be underway well before that date.