The Proliferation of “Fake” CMMC Contract Clauses

Defense subcontractors may already be seeing CMMC clauses in their contracts, even though the CMMC contracting procedures and contract clause have yet to be finalized (as of this post in August 2025). However, the Department of Defense (DoD) is not currently putting CMMC requirements in contracts, and the clauses that are showing up in contracts today are not legitimate CMMC clauses from the government.
September 10, 2025 update: The start date of the CMMC rollout has been announced. Legitimate CMMC contract clauses will start appearing in government contracts on November 10, 2025. See our other post A Big Step on the CMMC Rollout Timeline for more information on the phases of the CMMC rollout to understand when certain requirements will show up in contracts.
The problem seems to stem from the legal departments within some large defense contractors that decided to get an early start and write their own CMMC compliance clauses to push on their subcontractors. This is not how the CMMC program is supposed to operate and has led to much confusion about CMMC obligations among defense subcontractors.
Legitimate CMMC contract clauses will use very specific language that, once finalized, will be shown in 48 CFR 252.204-7021 (better known as DFARS 7021). These links currently show the old CMMC 1.0 contract clauses, but the content will be updated when the CMMC 2.0 contract clause is finalized. The proposed new language can be seen in the DFARS 7021 CMMC contract clause draft. The full CMMC contract clause text, level, and assessment requirements are only supposed to flow down from the DoD to prime contractors and then down to subcontractors as per paragraph (d)(1) of the draft DFARS 7021 clause. Any CMMC contract clause that does not use the final language is not an official DoD requirement.
Illegitimate CMMC clauses often do not define the CMMC level and assessment type required for the contract. Vague statements like “the subcontractor must be CMMC-compliant” are common. A subcontractor that receives a CMMC contract clause without the critical level and assessment type information will have no idea what information (FCI or CUI) they are expected to handle, which set of requirements applies to them (FAR 52.204-21 Basic Safeguards, NIST SP 800-171, or NIST SP 800-172), and how they are expected to assess their compliance with those requirements (self-assessment, C3PAO assessment, or DIBCAC assessment). Paragraph (b)(1) of the draft CMMC contract clause explicitly tells the contractor what CMMC level they must adhere to so that these expectations will be properly set in real CMMC contracts.
Missing CMMC level and assessment type information will also be an issue if contracts with supposed CMMC requirements only include a reference to DFARS 7021 rather than the text of DFARS 7021 itself. This has been common practice in contracts that impose FAR 52.204-21 and DFARS 7012 obligations (the current programs for FCI and DoD CUI protection, respectively). Clauses like “The subcontractor must comply with DFARS 252.204-7012” are common. Unlike the DFARS 7021 CMMC clause, the FAR 52.204-21 and DFARS 7012 clauses do not have varying requirements that depend on the type of information handled. Therefore, references to these clauses do not omit critical information the way that a reference to the CMMC clause does.
Clauses that impose CMMC requirements at an incorrect level (e.g., a clause that requires CMMC Level 2 compliance of a subcontractor that does not handle CUI) pose a similar problem. This can cause confusion as subcontractors try to figure out how to demonstrate that they have secured information that they don’t handle, or it can cause subcontractors to apply inadequate safeguards to information that requires a higher level of protection. Contractors are only supposed to flow down CMMC requirements appropriate for the type of information they are passing to the subcontractors, as per paragraph (d)(2) of the draft CMMC clause. For example, a prime contractor should impose CMMC Level 1 self-assessment requirements on a subcontractor that only handles FCI, even if the prime contractor handles CUI and is subject to CMMC Level 2 C3PAO certification under that same contract.
Upstream contractors may say they are inserting their own CMMC clauses to prepare subcontractors for future CMMC requirements, but this shows an incorrect understanding of how the CMMC program operates. CUI protection obligations, including CMMC obligations, are imposed on a contract-by-contract basis. Information received under a contract must always be handled using the requirements of that specific contract. Once the CMMC contracts begin rolling out, the CMMC requirements will only apply to information handled under those future contracts with legitimate CMMC clauses, and information handled under any prior contracts will not suddenly inherit CMMC compliance obligations, either directly as a result of regulatory changes or indirectly from other contracts. These contractors are protecting themselves from a nonexistent problem and causing chaos in the process.
Subcontractors should push back to have all suspicious CMMC clauses fixed or removed from contracts, including:
- All CMMC clauses received before the Title 48 CMMC rule (which contains the CMMC contracting procedures and clauses) becomes effective
- Any CMMC clause that does not match the text of the final version of the DFARS 7021 clause
- Any CMMC clause that does not state the level and assessment requirements
- Any CMMC clause with level and assessment requirements that do not match the type of information the subcontractor expects to handle
The only CMMC contract clause that subcontractors should accept is the full text of the final version of DFARS 7021, including level and assessment requirements appropriate for the information that the subcontractor is expected to handle.
TrustedSec is a CMMC Registered Practitioner and is available to help answer CMMC questions and prepare for future assessments. If your organization requires assistance or has any questions, get in touch with us!