DFARS Compliance Guide for Defense Contractors

Understanding Defense Federal Acquisition Regulation Supplement requirements, 252.204-7012 safeguarding requirements, and the path to CMMC certification.


What is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a specialized extension of the Federal Acquisition Regulation (FAR) that applies exclusively to Department of Defense contracts and subcontracts. Issued by the Office of the Secretary of Defense, DFARS establishes additional compliance requirements beyond standard FAR rules to protect sensitive defense information.

DFARS applies to every contractor and subcontractor with access to DoD networks or handling Controlled Unclassified Information (CUI). Unlike industry compliance frameworks that are optional, DFARS is a contractual mandate. If you bid on or receive a DoD contract, DFARS compliance becomes a legal obligation.

The most critical DFARS requirement is embedded in clause 252.204-7012: "Safeguarding Covered Defense Information and Cyber Incident Reporting." This single clause contains the foundation of modern defense contractor cybersecurity requirements.

Every DoD Contractor Is Affected

If you bid on or hold a DoD contract and handle CUI, DFARS 252.204-7012 compliance is mandatory — not optional.


DFARS 252.204-7012: The Safeguarding Clause

Clause 252.204-7012 mandates that contractors implement "adequate security measures" to protect Covered Defense Information (CDI)—any unclassified technical data or information marked as such or reasonably identified as requiring protection against unauthorized disclosure.

The clause has seven core components:

  1. Identification and protection of CUI: Contractors must identify all covered defense information and apply appropriate protections
  2. Cyber incident reporting: Any cybersecurity event involving CUI must be reported to the Defense Counterintelligence and Security Agency (DCSA) within 72 hours of discovery
  3. Security assessment: Organizations must conduct self-assessments of compliance with NIST SP 800-171
  4. System security planning: Document security controls in a System Security Plan (SSP)
  5. Incident response capability: Establish procedures to detect, investigate, and respond to cyber incidents
  6. Flow-down requirements: Pass DFARS obligations to all subcontractors and suppliers with access to CUI
  7. Cloud service provider approval: Any cloud services processing CUI must be approved by DoD or meet FedRAMP Moderate equivalency

How DFARS Relates to CMMC and NIST 800-171

The relationship between these three frameworks is sequential and foundational:

  • DFARS 252.204-7012 creates the legal requirement for security controls (the mandate)
  • NIST SP 800-171 provides the specific 110 security controls contractors must implement (the blueprint)
  • CMMC certification provides third-party validation that DFARS and NIST 800-171 controls are properly implemented (the proof)

DFARS doesn't specify how to achieve security—that's where NIST 800-171 enters. The regulation simply requires "adequate security." NIST 800-171 has become the de facto standard for meeting that requirement. CMMC Level 2 certification covers all 110 NIST 800-171 controls.

Practically speaking: DFARS compliance requires NIST 800-171 controls, and CMMC Level 2 certification proves you've implemented them correctly.


DFARS Compliance Requirements Checklist

Each entry lists the requirement, what it means in practice, and how compliance is verified:

  • CUI Identification & Classification
    Explanation: Mark and track all covered defense information within your systems
    Verification: DCSA assessment, document review
  • NIST 800-171 Controls Implementation
    Explanation: Implement the 110 security controls across 17 families (Level 2 = 110 controls)
    Verification: CMMC assessment, SPRS self-assessment
  • Cyber Incident Reporting (72 hours)
    Explanation: Report security incidents involving CUI to DCSA within 72 hours of discovery
    Verification: Incident response documentation
  • Medium Assurance Certificates
    Explanation: Use TLS 1.2+ with SHA-256 or stronger for encrypted communications
    Verification: System Security Plan, certificate audit
  • Subcontractor Flow-Down
    Explanation: Impose identical DFARS/NIST 800-171 requirements on all suppliers with CDI access
    Verification: Contract review, subcontractor assessment results
  • Cloud Service Provider Controls
    Explanation: Cloud services must be FedRAMP Moderate or equivalent; obtain DoD approval
    Verification: FedRAMP authorization letters, DoD approval
  • Personnel Security Screening
    Explanation: Conduct background checks on all personnel with CUI access
    Verification: Security clearance verification, vetting records
  • System Security Plan
    Explanation: Document all security controls, system boundaries, and risk mitigations
    Verification: CMMC assessor review, SPRS submission

DFARS vs. FAR: Key Differences

FAR (Federal Acquisition Regulation) is the baseline federal procurement standard applied across all federal agencies. It covers contract formation, pricing, property management, and general compliance requirements.

DFARS supersedes FAR for DoD contracts with additional, stricter cybersecurity and supply chain risk requirements. Key differences:

  • Cybersecurity specificity: DFARS mandates NIST 800-171; FAR is cybersecurity-agnostic
  • CUI handling: DFARS has detailed unclassified information protection rules; FAR does not
  • Incident reporting: DFARS requires 72-hour DoD incident reporting; FAR has no such requirement
  • Supply chain risk: DFARS requires "critical cybersecurity supply chain risk management" language; FAR has no equivalent
  • Subcontractor flow-down: DFARS clauses must flow down to all subcontractors; FAR is less prescriptive
  • Enforcement: DFARS violations can trigger contract termination and debarment; FAR violations are typically administrative

Timeline and Current Enforcement Status

DFARS clause 252.204-7012 was first issued in December 2016, with the 72-hour cyber incident reporting requirement taking effect immediately. The original regulation referenced NIST SP 800-171 Revision 1.

In September 2023, DFARS was updated to align with NIST SP 800-171 Revision 3, which became mandatory effective June 22, 2024. Organizations that had not completed Rev 3 implementation faced non-compliance risk starting mid-2024.

Current enforcement (2025):

  • The Defense Counterintelligence and Security Agency (DCSA) actively investigates DFARS violations
  • Contract specialists conduct compliance reviews before contract award or renewal
  • CMMC certification is increasingly required for contract renewals (C3PAO assessment required)
  • DoD has issued explicit guidance that contractors failing incident reporting within 72 hours will face contract penalties

Penalties for Non-Compliance

DFARS non-compliance carries severe consequences for defense contractors:

  • Contract termination: DoD can terminate contracts immediately upon discovering non-compliance, with no recourse
  • False Claims Act liability: If a contractor certifies DFARS compliance falsely, the False Claims Act applies. Civil penalties: $11,181–$22,363 per false claim (adjusted annually), plus treble damages (3x the loss to the government)
  • Criminal liability: Executives responsible for knowingly false certifications face criminal prosecution, up to 10 years imprisonment
  • Debarment: DCSA can debar contractors from all federal business for up to three years
  • Contract suspension: Immediate suspension pending debarment investigation
  • Loss of future contracts: Even resolved violations appear on your Federal Awardee Performance and Integrity Information System (FAPIIS) record, affecting future contract bids

A single unconfirmed cyber incident report can trigger a full DCSA investigation. Late or missing incident reports trigger automatic compliance violations.

How to Get DFARS Compliant

DFARS compliance is a phased program, not a one-time checkbox:

  1. Gap analysis: Conduct a self-assessment against all 110 NIST 800-171 controls (use the NIST SP 800-171 Revision 3 control catalog)
  2. System boundary definition: Identify all systems and data flows handling CUI; separate CUI systems from public-facing systems
  3. Control implementation: Prioritize high-risk, easy-to-implement controls first (access control, encryption, incident response)
  4. System Security Plan: Document all controls and their implementation in a formal SSP
  5. Self-assessment scoring: Use the SPRS (Supplier Performance Risk System) tool to calculate your NIST 800-171 score (0–110 points)
  6. Remediation planning: Create a Plan of Action & Milestones (POA&M) for remaining gaps
  7. CMMC certification: Engage a C3PAO (Certified Third-Party Assessor Organization) for formal CMMC Level 2 assessment
  8. Incident response testing: Conduct tabletop exercises and penetration tests to validate incident detection and reporting

Start Your Compliance Journey

Our free readiness assessment benchmarks your current NIST 800-171 score and identifies your highest-priority gaps.


Ready to assess your current DFARS compliance posture? Use our DFARS Readiness Assessment to identify gaps against the 110 NIST 800-171 controls and benchmark your score against industry peers.

Key Resources and Next Steps

Disclosure: Defense Compliance.ai contains affiliate links to compliance software and assessment tools. We recommend tools we've independently vetted; affiliate commissions help fund this resource.