DFARS (Defense Federal Acquisition Regulation Supplement)
DFARS is the Department of Defense’s supplement to the Federal Acquisition Regulation (FAR) that establishes policies, procedures, and clauses specific to DoD procurement. For defense contractors and subcontractors, DFARS is the regulatory backbone that mandates cybersecurity requirements — most notably through clause 252.204-7012, which requires the protection of Controlled Unclassified Information (CUI) and compliance with NIST SP 800-171.
What Is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) extends the Federal Acquisition Regulation (FAR) with rules that apply specifically to Department of Defense contracts. While the FAR governs procurement across all federal agencies, DFARS adds DoD-specific requirements covering everything from supply chain security to cybersecurity obligations for contractors handling sensitive government information.
Key DFARS Cybersecurity Clauses
Several DFARS clauses directly shape the cybersecurity landscape for defense contractors:
- DFARS 252.204-7012 (Safeguarding Covered Defense Information): Requires contractors to implement NIST SP 800-171 security controls, report cyber incidents within 72 hours, and flow down requirements to subcontractors.
- DFARS 252.204-7019 (NIST SP 800-171 DoD Assessment Requirements): Mandates that contractors complete a self-assessment of their NIST 800-171 implementation and submit scores to the Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements): Provides the DoD authority to conduct medium and high-confidence assessments through DIBCAC.
- DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements): Establishes the CMMC certification requirement, mandating that contractors achieve the appropriate CMMC level before contract award.
How DFARS Connects to CMMC
CMMC builds directly on the DFARS cybersecurity framework. While DFARS 252.204-7012 has required NIST 800-171 compliance since 2017, CMMC adds a third-party verification layer through C3PAO assessments. Contractors who have been working toward DFARS compliance are well-positioned for CMMC certification, as both frameworks center on the same 110 NIST SP 800-171 security requirements.
DFARS Compliance Requirements for Subcontractors
DFARS cybersecurity requirements flow down through the entire defense supply chain. Prime contractors must include DFARS 252.204-7012 in subcontracts where CUI or Covered Defense Information (CDI) is involved. This means that even small businesses and lower-tier subcontractors in the Defense Industrial Base (DIB) must implement NIST SP 800-171 controls and maintain an up-to-date System Security Plan (SSP) to remain eligible for DoD work.
Enforcement and Consequences
Non-compliance with DFARS cybersecurity clauses carries significant consequences. Contractors may face contract termination, suspension or debarment from future contracts, False Claims Act liability for misrepresenting compliance status, and reputational damage within the defense contracting community. The Department of Justice has actively pursued enforcement under the Civil Cyber-Fraud Initiative, using the False Claims Act to hold contractors accountable for cybersecurity failures.