
What is DFARS? A Guide to the Four Clauses Behind CMMC 2.0
While the phased rollout of CMMC requirements in federal contracts hasn’t begun yet, that doesn’t mean you can delay your CMMC readiness efforts. If you’re waiting until the 48 CFR CMMC Acquisition rule is finalized, then you misunderstand the CMMC program and its relationship to DFARS and FAR clauses.
Starting in 2016 and 2017, defense contractors should have been compliant with FAR clause 52.204-21 and DFARS clause 252.204-7012. CMMC is a framework designed to verify compliance with these requirements, not to alter them. So if you haven’t yet implemented the appropriate measures to protect sensitive information entrusted to you by the federal government, then you’re not ahead of the CMMC compliance deadline—you’re years behind.
To close the readiness gap, let’s cover what DFARS is, how it relates to FAR and the CMMC program, and how you can comply fast.
What is the Defense Federal Acquisition Regulation Supplement (DFARS)?
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules issued by the Department of Defense (DoD) that implements and supplements the Federal Acquisition Regulation (FAR). While FAR provides the primary set of rules governing all federal procurement, DFARS defines the requirements for contractors working with the Department of Defense (DoD) specifically and covers everything from procurement and logistics to safeguarding sensitive data.
The DFARS provides requirements and guidelines specifically tailored to the DoD and its contractors that are not comprehensively covered by the FAR. For example, DFARS focuses on national security, classified information, intellectual property rights in the defense sector, and cybersecurity requirements, among other areas.
DFARS’s cybersecurity requirements have focused particularly on contractors that process Controlled Unclassified Information (CUI). These requirements, along with FAR 52.204-21, have formed the foundation of the CMMC program.
FAR, DFARS, and CMMC: How are these rules related?
To understand how FAR, DFARS, and CMMC are intertwined, we have to go back in time. In 2016, the DoD partnered with the General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) to release the FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in response to increases in cyber threats aimed at the Defense Industrial Base (DIB).
Soon after, DFARS clause 252.204-7012 was released, requiring defense contractors and subcontractors to provide adequate security for all covered defense information. The DoD later clarified that “adequate security” meant contractors must implement all 110 NIST 800-171 Revision 2 requirements prior to contract award.
However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 required the DoD to verify a contractor's implementation of those security requirements prior to contract award. So by signing a defense contract, vendors were essentially self-attesting that they met those security requirements.
This turned out to be an issue. In 2020, the DoD reviewed the DIB and found widespread noncompliance with the FAR and DFARS requirements. In fact, many contractors had Plans of Action and Milestones that wouldn’t have brought them into full compliance with NIST 800-171 until 2099.
To replace this self-attestation model of security, the DoD introduced the DFARS Interim Rule in 2020 to verify contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. The DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, introduced three new DFARS clauses (7019, 7020 and 7021) to increase compliance with DFARS 7012.
Let’s take a closer look at the four DFARS clauses that make up the DFARS 70 series below.

DFARS 7012
First introduced in 2016 and in effect by December 2017, DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, remains the foundational cybersecurity clause for defense contractors that handle CUI and lays the groundwork for CMMC.
If you are currently working on behalf of the DoD as a prime or subcontractor, then your contract includes DFARS 7012 requirements.
These requirements are to:
1. Safeguard covered defense information: Contractors must implement all 110 NIST 800-171 Revision 2 requirements to safeguard CUI and develop and maintain a System Security Plan (SSP) that outlines how they meet each requirement.
2. Report cyber incidents: Contractors must report cyber incidents that affect covered defense information or that affect the contractor’s ability to provide operationally critical support to the DoD within 72 hours. They must also preserve logs and relevant data for 90 days.
There are two other requirements related to cyber incident reporting:
- Submit malicious software: If the reported cyber incident involves malicious software, contractors must submit the software to the DoD Cyber Crime Center (DC3).
- Facilitate damage assessment: If the DoD reviews the cyber incident report and decides to conduct a damage assessment, the contractor must provide any requested media and damage assessment information.
3. Flow down requirements to subcontractors: These DFARS 7012 requirements must be passed to subcontractors that handle CUI.
While these requirements have been in effect for years, many defense contractors did not implement them despite enforcement mechanisms built into DFARS 7012. For example, while this DFARS clause did not require the DoD to verify a contractor's implementation of security requirements prior to contract award, if the DoD found out that a contractor wasn’t meeting those requirements due to a reported cyber incident or a whistleblower reporting non-compliance, they could sue the contractor for making false claims. They could also withhold progress payments, forgo remaining contract options, or terminate the contract in part or in whole.
Despite the significant business and legal risk of not complying, many companies within the DIB failed to comply with DFARS 7012 and implement NIST 800-171 requirements. DFARS 7019, 7020, and 7021 were introduced in 2020 to improve compliance with DFARS 7012 and NIST 800-171 across the DIB.
DFARS 7019
DFARS clause 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, amends DFARS 7012 to include a new requirement. Contractors must perform a Basic self-assessment using the NIST SP 800-171 DoD Assessment Methodology and submit their score to the Supplier Performance Risk System (SPRS) prior to contract award.
How is the SPRS score calculated? The DoD Assessment Methodology assigns each NIST 800-171 requirement a weight of one (1), three (3), or five (5) points. Organizations start from the lowest score possible, -203, and earn the one, three, or five points assigned to each requirement they meet, up to a maximum score of 110. If an organization does not meet all NIST 800-171 requirements and scores below 110, it must create a Plan of Action and Milestones (POA&M) explaining how it will close those security gaps.
During an assessment, an Organization Seeking Certification (OSC) can leave unmet requirements on a POA&M and still pass, as long as its score is no lower than 88. It must then remediate every POA&M item within 180 days and reach a final score of 110 to receive its CMMC certification.
While the DoD doesn’t specify a minimum SPRS score for contract award, they will likely consider companies with lower scores a higher security risk and opt to work with companies with the highest scores and least risk.
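The scoring rule above, worked through as a small scorer. This is an added example, not code from the original article and not the DoD assessment tool; the function names (`sprs_score`, `poam_items`, `assess`) are invented for illustration. The requirement IDs are NIST SP 800-171 identifiers, but the point weights and implementation flags are constructed sample values, and any of the 110 requirements not listed is assumed to be implemented so it costs no points.

```python
"""Worked SPRS-style scoring example (constructed for illustration only)."""
from datetime import date, timedelta

MAX_SCORE = 110           # every one of the 110 NIST SP 800-171 requirements met
CONDITIONAL_MIN = 88      # lowest score at which open POA&M items are tolerated
POAM_DEADLINE_DAYS = 180  # time allowed to close every POA&M item
VALID_WEIGHTS = {1, 3, 5}

# Constructed sample assessment: (requirement id, point weight, implemented?).
# The ids are real NIST SP 800-171 identifiers; the weights and flags are sample
# values, not the official methodology table. Requirements not listed here are
# assumed implemented for this example.
SAMPLE_ASSESSMENT = [
    ("3.1.1", 5, True),     # limit system access to authorized users
    ("3.1.2", 5, True),     # limit access to permitted transactions/functions
    ("3.1.3", 1, False),    # control the flow of CUI
    ("3.3.1", 5, True),     # create and retain audit logs
    ("3.5.3", 5, False),    # multifactor authentication not yet rolled out
    ("3.8.3", 5, True),     # sanitize media before disposal/reuse
    ("3.12.4", 1, True),    # the System Security Plan itself
    ("3.13.11", 5, False),  # FIPS-validated cryptography not yet in place
    ("3.14.1", 5, True),    # identify and correct system flaws
]


def is_valid_assessment(assessment):
    """True when every weight is 1, 3 or 5 and no requirement id repeats."""
    ids = [req_id for req_id, _, _ in assessment]
    weights_ok = all(weight in VALID_WEIGHTS for _, weight, _ in assessment)
    return weights_ok and len(ids) == len(set(ids))


def sprs_score(assessment):
    """Score = 110 minus the weight of every unmet requirement.

    This is the same arithmetic as starting from the floor and adding the
    points for each requirement that is met, since listed requirements that
    are implemented and unlisted (assumed implemented) ones deduct nothing.
    """
    if not is_valid_assessment(assessment):
        raise ValueError("weights must be 1, 3 or 5 and ids must be unique")
    deductions = sum(weight for _, weight, implemented in assessment if not implemented)
    return MAX_SCORE - deductions


def poam_items(assessment):
    """Unmet requirements, highest-weight first, for the POA&M."""
    gaps = [(req_id, weight) for req_id, weight, implemented in assessment if not implemented]
    return sorted(gaps, key=lambda item: (-item[1], item[0]))


def assess(assessment, assessed_on):
    """Summarize score, eligibility status and the POA&M close-out date."""
    score = sprs_score(assessment)
    if score == MAX_SCORE:
        status = "certified"        # nothing left to remediate
    elif score >= CONDITIONAL_MIN:
        status = "conditional"      # pass with POA&M, remediation clock starts
    else:
        status = "not eligible"     # below the 88-point floor
    poam_due = assessed_on + timedelta(days=POAM_DEADLINE_DAYS) if status == "conditional" else None
    return {"score": score, "status": status, "poam": poam_items(assessment), "poam_due": poam_due}


if __name__ == "__main__":
    result = assess(SAMPLE_ASSESSMENT, date(2025, 1, 1))
    print(f"SPRS score: {result['score']} ({result['status']})")
    for req_id, weight in result["poam"]:
        print(f"  POA&M item {req_id}: {weight} point(s) at stake")
    if result["poam_due"]:
        print(f"  all POA&M items must be closed by {result['poam_due']}")
```

Sorting the POA&M by weight puts the five-point gaps at the top, which is where remediation effort moves the score fastest; the 180-day date is computed from the assessment date so it can be tracked alongside the other contract deadlines.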
If you are currently working on behalf of the DoD as a prime or subcontractor, then your contract includes DFARS 7019 requirements.
These requirements strengthen DFARS 7012 in two key ways:
- By providing a metric (the SPRS score) for the DoD to assess that contractors actually implemented NIST 800-171 requirements.
- By requiring assessments and SPRS scores to be updated at least every three years to remain eligible for new contract awards.
DFARS 7020
DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, builds off DFARS 7019. While DFARS 7019 is the “notice” of NIST SP 800-171 DoD Assessment Requirements, DFARS 7020 contains the actual requirements themselves.
In addition to the requirements detailed above, DFARS 7020 formalizes the contractor’s responsibility to flow down requirements to subcontractors and confirm they have valid SPRS scores before awarding them contracts.
It also gives the DoD the right to conduct or renew a Medium or High NIST 800-171 DoD Assessment in order to validate the results of a contractor’s Basic self-assessment and ensure the contractor has properly implemented NIST 800-171 requirements. The DoD can exercise this right based on the criticality of the program or the sensitivity of information being handled by the contractor. In that case, the contractor must provide the DoD with access to its facilities, systems, and personnel for the assessment.
If you are currently working on behalf of the DoD as a prime or subcontractor, then your contract includes DFARS 7020 requirements.
These requirements strengthen DFARS 7012 in three key ways:
- By providing the DoD with an additional verification mechanism to ensure contractors are actually implementing NIST 800-171.
- By providing a metric (the SPRS score) for the contractors to assess that subcontractors actually implemented NIST 800-171 requirements.
- By requiring assessments and SPRS scores to be updated at least every three years to remain eligible for new subcontract awards.
DFARS 7021
DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, formally requires CMMC certification as a condition for contract award. When this clause goes into effect, contractors will need to:
- Obtain the CMMC level specified in the contract.
- Maintain that certification throughout the contract period.
- Flow down the applicable CMMC level to any subcontractors handling FCI, CUI, Security Protection Data (SPD), and/or Covered Defense Information (CDI).
- Ensure subcontractors have the appropriate CMMC level prior to awarding a contract.
DFARS 7021 (i.e., the CMMC requirements) is not yet included in or enforced through DoD contracts. It will be once the 48 CFR CMMC Acquisition rule is final, which is expected to happen sometime in 2025. At that point, the CMMC phased rollout will begin.
By enforcing independent validation of the implementation of the DFARS 7012 rule, the DFARS 7021 clause will officially shift DFARS compliance from a self-attestation model of security to a verification-based model of security. This is the vision for the CMMC program.
DFARS compliance checklist
In order to prepare for the CMMC 2.0 compliance deadline, contractors must meet the requirements of DFARS 7012, 7019, 7020, and 7021. We’ve created a high-level checklist to simplify compliance with the DFARS 70 series requirements and help accelerate your path to CMMC certification.
How Secureframe can help you achieve and maintain DFARS and CMMC compliance
Secureframe simplifies compliance for all contractors across the DIB, helping them meet the technical and documentation requirements of CMMC 2.0, NIST SP 800-171, and the DFARS 252.204-7000 series.
With hundreds of integrations to federal cloud services and other tools and pre-built mappings between requirements, controls, and tests, Secureframe helps you:
- Automate evidence collection: Secureframe integrates with over 300 tools, including the CMMC assessment-relevant software and tools you use every day, to automatically collect evidence and map it to NIST 800-171 and CMMC requirements.
- Automate gap assessments: Secureframe automates the gap assessment process, identifying what gaps exist in your controls and policies and how to fill them to get CMMC ready.
- Generate and maintain audit-ready SSPs, POA&Ms, and other key documentation: With Secureframe, you can automate SSP and POA&M generation to simplify control documentation and remediation tracking. Secureframe provides additional policy templates and policy management features that enable you to meet all CMMC documentation requirements more effectively.
- Prepare for self, C3PAO, or DoD assessments: As you work through the CMMC framework and complete activities within the Secureframe platform, it updates your progress percentage toward compliance, so you know where you stand going into your CMMC assessment.
- Simplify the assessment process: Secureframe makes the process of collecting and transferring evidence to your assessor easy and straightforward, saving you both from the back-and-forth of submitting additional evidence or manually re-testing controls. Secureframe also has established relationships with highly regarded C3PAOs that are deeply familiar with the Secureframe platform. That means faster assessments with fewer headaches for everyone.
- Maintain CMMC certification: The Secureframe platform also makes it easier to maintain continuous compliance. Rather than scrambling to resolve issues in the weeks before an assessor shows up at your door, you can use Secureframe to centrally manage tasks across teams, monitor control performance, and maintain visibility into every aspect of your CMMC 2.0 posture.
- Generate and track SPRS score: Your SPRS score plays a critical role in maintaining CMMC compliance and eligibility for federal contracts. Secureframe automatically calculates your score based on control implementation and keeps it up to date with system changes so you can stay contract-eligible and demonstrate federal readiness with a trusted, real-time score.
- Navigate your compliance journey with expert support: Our team of former federal auditors and compliance experts has deep experience with NIST 800-171 and CMMC 2.0 and can support you at every step of the compliance journey, from scoping your assessment and identifying gaps to keeping your entire compliance program running smoothly.
Need to get CMMC compliant fast? Request a demo to see how we can help accelerate your path to CMMC certification.
FAQs
What does DFARS stand for?
DFARS stands for Defense Federal Acquisition Regulation Supplement. It adds DoD-specific requirements to the government-wide Federal Acquisition Regulation.
What is FAR and DFAR?
FAR (Federal Acquisition Regulation) is the primary set of rules governing all federal procurement, while DFARS is a DoD-specific supplement that includes requirements related to national security and defense-specific priorities—like cybersecurity. In short:
- FAR = Government-wide rules.
- DFARS = DoD-specific rules, including cybersecurity and CMMC-related clauses.
What is DFARS compliance?
DFARS compliance means adhering to the security and reporting requirements defined in DFARS, particularly those related to protecting Controlled Unclassified Information (CUI), such as NIST SP 800-171 implementation and cyber incident reporting.
Who needs to be DFARS compliant?
Any contractor or subcontractor that processes, stores, or transmits CUI on behalf of the DoD must comply with applicable DFARS clauses.
What is DFARS 252.204-7012?
DFARS clause 252.204-7012 requires DoD contractors to implement NIST SP 800-171 security controls, report cyber incidents, and ensure subcontractors do the same. It is a foundational clause for CMMC.