FAR vs DFARS vs CMMC vs NIST
Who protects what and how they fit together
Acronyms Aplenty
How do you keep track of what all of the acronyms mean and how they relate to each other? Hopefully, this little cheat sheet will help!
How they Relate
Let's dig into some of the most important acronyms that relate to the protection of sensitive unclassified information within the federal contracting environment, particularly in the Department of Defense (DoD) supply chain.

Roles in the Ecosystem
Let's get into the details of each of these roles.
FCI
Federal Contract Information
Information not intended for public release & provided or generated under a contract.
| Type | Data Category |
|---|---|
| Governs/References | FAR 52.204-21 |
| Applies to | All Federal Contractors |
CUI
Controlled Unclassified Information
Sensitive but unclassified information requiring safeguarding.
| Type | Data Category |
|---|---|
| Governs/References | DFARS 252.204-7012, NIST 800-171 |
| Applies to | All Federal Contractors |
FAR
Federal Acquisition Regulation
Government-wide rules for acquisition, including safeguarding FCI.
| Type | Regulation |
|---|---|
| Governs/References | Includes 52.204-21 |
| Applies to | All Federal Contractors |
DFARS
Defense FAR Supplement
DoD-specific rules. Includes requirements to protect CUI.
| Type | Regulation |
|---|---|
| Governs/References | 252.204-7012, 7019, 7020 |
| Applies to | DoD Contractors |
NIST SP 800-171
National Institute of Standards & Technology
A NIST standard that defines 110 security controls for protecting CUI in non-federal systems.
| Type | Security Standard |
|---|---|
| Governs/References | DFARS 7012 |
| Applies to | Any contractor handling CUI |
CMMC
Cybersecurity Maturity Model Certification
DoD framework requiring certification of compliance with NIST 800-171 (and more at higher levels).
| Type | Certification Program |
|---|---|
| Governs/References | NIST 800-171 + added controls |
| Applies to | DoD contractors (2025) |
Relationship Summary
- FAR governs the protection of FCI - basic security (15 requirements)
- DFARS governs the protection of CUI - requires compliance with NIST SP 800-171 (110 controls)
- CMMC is the DoD program that keeps you accountable by requiring validation (self-assessment or 3rd party)
- CUI must be protected according to DFARS 252.204-7012 (which points to NIST SP 800-171)
- CMMC Level 1 = Protecting FCI (matches FAR 52.204-21)
- CMMC Level 2 = Protecting CUI (matches NIST SP 800-171)
Scenario #1
Process payment information or scheduling data for a federal contract (FCI)
Applicable Rules
- FAR 52.204-21
- CMMC Level 1
Scenario #2
Develop software containing DoD mission data (CUI)
Applicable Rules
- DFARS 7012
- NIST 800-171
- CMMC Level 2
Scenario #3
Bidding on a DoD contract requiring CMMC certification
Applicable Rules
- CMMC
- Level needed is based on data sensitivity
