What is DFARS: A Deeper Look at DoD Compliance

EXECUTIVE BRIEF
DFARS plays a critical role in defense-specific regulatory standards and is a key contractual clause that could determine your company's targeted CMMC Level. Here is what contractors need to know:
- Implemented in 2017 to standardize cybersecurity practices for contractors handling FCI and CUI
- DFARS 252.204-7012 requires adherence to NIST 800-171A Rev2, the basis for CMMC Level 2
- The DFARS 7021 interim rule requires prime contractors to confirm their subcontractors have achieved and maintained an appropriate CMMC status
Dig deeper and continue learning below!
DFARS—short for the Defense Federal Acquisition Regulation Supplement—is a set of rules added to the Federal Acquisition Regulation (FAR) that governs how the U.S. Department of Defense (DoD) procures goods and services. DFARS is specifically tailored to defense contracting and includes requirements that contractors must meet to do business with the DoD. It governs everything from acquisition planning to contract administration, ensuring that DoD contractors meet high standards for protecting sensitive information and delivering value to the government.
If you're a contractor or subcontractor working with the DoD, DFARS outlines what you need to do to mitigate cybersecurity vulnerabilities and prevent unauthorized access to Controlled Unclassified Information (CUI) and classified data. This blog takes a deeper look at what DFARS is, why it matters, how it relates to CMMC and NIST, and how it impacts companies in the defense industrial base (DIB).
What Is the Purpose of DFARS?
The purpose of DFARS is simple but critical: to protect national security by ensuring defense contractors safeguard sensitive government data and follow proper acquisition procedures.
DFARS builds on the Federal Acquisition Regulation (FAR) by adding DoD-specific rules around procurement, contracting, and compliance, and by standardizing compliance expectations so that every DoD contractor is held to the same cybersecurity, reporting, and performance standards, regardless of size. DFARS secures the defense supply chain by ensuring that all contractors handling CUI and FCI (Federal Contract Information) follow strict cybersecurity standards to prevent data breaches and cyberattacks.
Who Administers DFARS?
DFARS is owned by the DoD, managed through the Defense Acquisition Regulations System (DARS), and enforced via a combination of DoD contracting officers, auditors, and cybersecurity oversight bodies such as the Defense Contract Management Agency (DCMA), the Defense Counterintelligence and Security Agency (DCSA), and the Cyber AB.
- DARS is the policy brain behind DFARS. It is responsible for updating DFARS to reflect law, policy, and evolving threats, coordinating public comment periods, and finalizing rules.
- DoD Contracting Officers ensure that DFARS clauses (like 252.204-7012) are included in new DoD contracts, and they check for compliance in vendor proposals and performance.
- The DCMA monitors contractor performance and compliance by conducting audits and reviews of contractor systems and verifying that cybersecurity measures are implemented.
- The DCSA handles Facility Clearance (FCL) and Personnel Clearance (PCL) processes and ensures contractors comply with the National Industrial Security Program (NISP).
- The Cyber AB runs the CMMC ecosystem, training assessors, certifying companies, and ensuring DFARS clauses like 252.204-7012 are tied to measurable cybersecurity standards.
Who Needs To Be DFARS Compliant?
Any company in the DoD supply chain that handles CUI must be DFARS compliant. This includes not only direct DoD prime contractors, but also subcontractors and vendors in the supply chain, such as IT service providers, software developers, manufacturers, and cloud hosting companies.
DFARS compliance is triggered when a company stores, processes, or transmits CUI or Federal Contract Information (FCI), making it essential even for small businesses working indirectly with the DoD. Noncompliance can result in lost government contracts, audit failures, or even False Claims Act liability.
What Is CUI?
CUI is data created or possessed by the government (or by entities working on its behalf) that isn’t classified, but that still requires protection according to applicable laws, regulations, or government-wide policies. CUI encompasses a wide range of information types, such as trade secrets and intellectual property (IP), controlled technical information (CTI) used in military or federal operations, critical infrastructure information (CII) vital to national security, or even just personally identifiable information (PII) or protected health information (PHI).
Read What Is CUI? for a complete overview.
Key Components of DFARS Compliance
DFARS regulations are organized into subparts, each addressing a specific area such as pricing, cost accounting standards, copyrights, and sustainment. These subparts help ensure that all stages of the procurement process, from solicitation to post-award performance, are handled transparently and in accordance with national security interests.
Let’s consider some of the most essential DFARS clauses for DoD contractors to understand.
DFARS Clause 252.204-7012
The cornerstone of DFARS compliance is Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This clause mandates that contractors implement security measures sufficient to protect Covered Defense Information (CDI). It’s important to note that CDI encompasses CUI.
If DFARS 252.204-7012 is in your contract, you’re legally required to implement the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171). To ensure compliance with NIST 800-171, defense contractors must implement 110 security controls across 14 control families. These controls cover areas such as access control, incident response, and system and information integrity.
Contractors are also required to provide notifications of cyber incidents affecting CUI to the DoD within 72 hours, preserve and protect data related to the incident, and submit their security status via a Supplier Performance Risk System (SPRS) score. Rapid reporting helps mitigate potential damage and allows the DoD to respond promptly to threats.
DFARS Interim Rule
Introduced in September 2020, the DFARS Interim Rule was a game-changer for defense contractors. It added teeth to cybersecurity compliance by introducing new requirements to verify contractor implementation of NIST SP 800-171 before CMMC was fully rolled out.
The DFARS Interim Rule added three new clauses to enhance cybersecurity requirements:
- DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements: This clause establishes a system for self-assessment so contractors can report their compliance with NIST 800-171 by submitting a Supplier Performance Risk System (SPRS) score to the DoD.
- DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements: This clause ensures that the DoD can evaluate contractor compliance by conducting its own assessments. These assessments are categorized as Basic, Medium, and High based on the sensitivity of the information handled.
- DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements: This clause sets the stage for the implementation of CMMC and was published in January 2024. It details the subcontractor flow-down requirement, which stipulates that prime contractors must include DFARS 7021 requirements in subcontracts to ensure subcontractors also meet the necessary CMMC level.
Why DFARS Compliance Matters
Protecting National Security
The primary objective of DFARS is to protect national security by ensuring that sensitive defense information is safeguarded against cyber threats. By adhering to DFARS, contractors play a crucial role in fortifying the cybersecurity posture of the DIB.
Business Imperatives
Non-compliance with DFARS can lead to severe consequences for contractors, including loss of contracts, financial penalties, and damage to reputation. Conversely, compliance can be a competitive advantage, demonstrating a company’s commitment to cybersecurity and its ability to handle sensitive defense information responsibly.
Your DFARS Compliance Checklist
1. Assess Current Security Posture
Evaluate your current cybersecurity measures against NIST 800-171 controls to identify gaps and areas for improvement.
2. Develop a System Security Plan (SSP)
Create an SSP that outlines how your organization will implement the necessary security controls. This plan should detail each control, the current state of implementation, and any plans for future enhancements.
3. Implement Required Controls
As a best practice, defense contractors should ensure that all 110 controls of NIST 800-171 are fully implemented. This may involve updating policies, deploying new technologies, and providing employee training on cybersecurity best practices.
4. Conduct Regular Audits and Reviews
Regularly audit your cybersecurity practices to ensure ongoing compliance. This includes internal reviews and external assessments as required by the DFARS Interim Rule.
5. Report and Respond to Cyber Incidents
Establish a robust incident response plan to detect, report, and respond to cyber incidents promptly. Ensure that all incidents involving CUI are reported to the DoD within the specified timeframe.
DFARS compliance is non-negotiable for companies operating within the DIB. By understanding and implementing DFARS requirements, organizations not only contribute to national security but also enhance their competitive edge in the defense industry.
Stay DFARS Compliant with ISI
ISI stands ready to support your organization with expert guidance, assessment services, and comprehensive solutions to achieve and maintain DFARS compliance.
FAQs about DFARS
What Is the Difference between FAR and DFARS?
The FAR (Federal Acquisition Regulation) is the primary set of rules for all federal government procurement across all agencies, while the DFARS (Defense Federal Acquisition Regulation Supplement) is a DoD-specific set of regulations that supplement the FAR.
How Does DFARS Relate to CMMC?
DFARS 252.204-7012 requires DoD contractors to implement the cybersecurity controls outlined in NIST SP 800-171, but until recently, compliance was based on trust. CMMC (Cybersecurity Maturity Model Certification) was introduced to close that gap by requiring third-party assessments to verify that contractors have truly implemented those controls. In short, DFARS sets the requirement, and CMMC provides the proof—making CMMC the enforcement mechanism for DFARS cybersecurity obligations.