DFARS Compliance Checklist

Step-by-step guide to DFARS 252.204-7012 requirements

DFARS 252.204-7012: The 7 Core Requirements

This checklist groups the obligations into seven requirements. Six come from the text of 252.204-7012 itself; the self-assessment and SPRS scoring requirement comes from the companion clauses 252.204-7019 and 252.204-7020 that appear in the same contracts. Each requirement is mapped below to the NIST SP 800-171 (Rev 2) security requirements that satisfy it where one exists (flow-down and the medium assurance certificate are clause obligations with no 800-171 counterpart), and each carries an estimated cost.

Requirement 1: CUI Identification and Protection

What it requires: Contractors must identify where Covered Defense Information (CDI) lives in their covered contractor information systems and provide "adequate security" for it, which the clause defines as implementing NIST SP 800-171. CDI is unclassified controlled technical information or other CUI from the CUI Registry that is marked or otherwise identified in the contract, or that the contractor generates in performing it; contractors do not decide on their own what counts.

Key NIST 800-171 controls: 3.1.1 (limit access to authorized users), 3.1.3 (control the flow of CUI), 3.8.1–3.8.4 (media protection and CUI marking), 3.13.1 (boundary protection), 3.13.11 (FIPS-validated cryptography), 3.13.16 (CUI at rest), 3.14.6 (system monitoring)

Implementation steps:

  • Inventory the CDI you hold, starting from what the contract and DoD-marked deliverables identify (technical data, specifications, source code, design documents, performance data)
  • Classify existing systems: which store, process or transmit CDI and which don't; this boundary is your covered contractor information system
  • Implement data classification labels and CUI markings in your document management system (3.8.4)
  • Configure access controls so that only authorized personnel can reach CDI (3.1.1, 3.1.3)
  • Encrypt CDI at rest and in transit using FIPS-validated cryptographic modules (3.13.11); "AES-256" in a module that is not FIPS 140 validated does not satisfy the requirement
  • Set up auditing and logging for all CDI access, with retention long enough to reconstruct an incident (3.3.1)

Estimated cost (50-person contractor): $18,000–$35,000 (software licensing, consultant days, staff training)

Requirement 2: 72-Hour Cyber Incident Reporting

What it requires: Contractors must rapidly report cyber incidents that affect a covered contractor information system or the CDI on it, or that affect their ability to provide operationally critical support, to DoD within 72 hours of discovery (not occurrence). Reports are filed through the DIBNet portal at https://dibnet.dod.mil and go to the DoD Cyber Crime Center (DC3), not to DCSA. The same part of the clause also requires preserving images of all known affected systems and relevant monitoring data for at least 90 days from submission of the report, submitting any discovered malicious software to DC3, and giving DoD access to additional information or equipment for forensic analysis and damage assessment on request. A reported incident is not by itself evidence that the contractor failed to provide adequate security, but a late or missing report is a contract noncompliance that the contracting officer can pursue with the usual contract remedies.

Key NIST 800-171 controls: 3.6.1 (incident-handling capability), 3.6.2 (track, document and report incidents), 3.6.3 (test the incident response capability), 3.3.1 (audit logging), 3.14.6 and 3.14.7 (system monitoring and detection of unauthorized use)

Implementation steps:

  • Deploy a SIEM (Security Information and Event Management) tool plus endpoint detection so intrusions are found in hours, not months; the 72-hour clock starts at discovery, but undetected incidents are still incidents
  • Create a formal incident response procedure with clear escalation paths and a named decision-maker for the "report or not" call
  • Define what qualifies as reportable under the clause: a cyber incident is any action taken through computer networks that results in a compromise or an actual or potentially adverse effect on a covered system or the CDI on it. A suspected compromise with possible exfiltration is reportable; do not wait for confirmation
  • Establish an incident response team with assigned roles and a 24/7 on-call rotation
  • Prepare the DIBNet report fields in advance: contract numbers, CAGE code, affected systems and their locations, the CDI involved, the date of discovery, and the response taken so far; a report can be filed with partial information and updated later
  • Build the 90-day preservation step and the malware-submission step into the runbook so that evidence is not overwritten by the cleanup
  • Test detection and reporting through quarterly tabletop exercises that run the clock from discovery to a filed report
  • Maintain incident response logs documenting discovery time, investigation timeline and action items; discovery time is what the 72 hours are measured from

Estimated cost (50-person contractor): $25,000–$50,000 (SIEM licenses, IR tools, consultant setup, staff training)

Requirement 3: Medium Assurance Certificates

What it requires: Paragraph (c)(3) of the clause says that in order to report cyber incidents the contractor or subcontractor must have or acquire a DoD-approved medium assurance certificate. This is an External Certification Authority (ECA) PKI certificate issued to a person and used to authenticate to the DIBNet reporting portal; it is not a requirement on your TLS server certificates. Obtaining one involves identity proofing and takes days to weeks, so get it before an incident, not during one. Separately, NIST SP 800-171 requirements 3.13.8 and 3.13.11 require FIPS-validated cryptography for CUI in transit, which in practice means TLS 1.2 or higher with certificates signed using SHA-256 or stronger and RSA keys of at least 2048 bits (or ECDSA P-256).

Key NIST 800-171 controls: none for the certificate itself (it is a clause obligation); for encryption in transit, 3.13.8 (cryptography to protect CUI in transit), 3.13.11 (FIPS-validated cryptography), 3.13.10 (cryptographic key management)

Implementation steps:

  • Obtain an ECA medium assurance certificate for at least two people who may have to file a report (DoD lists the approved ECA vendors, currently IdenTrust and WidePoint) and test a DIBNet login before you need it
  • Audit all communication channels handling CUI (identify unencrypted or legacy protocols)
  • Procure TLS server certificates from a publicly trusted CA, or from an internal PKI for internal-only services: SHA-256 signatures, RSA 2048-bit minimum or ECDSA P-256
  • Deploy certificates on all systems: servers, VPNs, APIs, web applications
  • Disable SSL 3.0, TLS 1.0 and TLS 1.1, and drop SHA-1 and non-AEAD cipher suites (only TLS 1.2+ allowed)
  • Run the crypto in FIPS-validated modules (OS FIPS mode or the OpenSSL FIPS provider) wherever CUI confidentiality depends on it; a strong cipher in a non-validated module still fails 3.13.11
  • Use certificate pinning only for internal services where you control both ends; a forgotten pin is an outage, not a control
  • Implement certificate rotation and renewal (publicly trusted TLS certificates are limited to 398 days; check your ECA vendor's term for the medium assurance certificate)
  • Verify the result with a TLS scanner such as testssl.sh against every external and internal endpoint that carries CUI

Estimated cost (50-person contractor): $3,000–$8,000 (certificates, infrastructure changes, validation)
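As an added example (not from the original page), the TLS policy in the steps above expressed as a Python ssl configuration with a pre-deployment check, so "disable TLS 1.0/1.1 and SHA-1 suites" can be verified in code before a service ships. The hardened context and the legacy context are both constructed here for contrast; the cipher string, the thresholds and the function names are this example's choices, not anything the clause prescribes. Python's ssl module enforces protocol and suite policy but knows nothing about FIPS validation; that depends on the OpenSSL build underneath it.

```python
import ssl

# Policy derived from the steps above: TLS 1.2 minimum, AEAD-only suites with
# forward secrecy, at least 128-bit symmetric strength. The thresholds are this
# example's assumptions, aligned with NIST SP 800-52r2 guidance on TLS.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
MIN_STRENGTH_BITS = 128
# TLS 1.2 suite list: ECDHE key exchange only, AES-GCM or ChaCha20-Poly1305,
# no anonymous suites, no MD5 or SHA-1 MACs. TLS 1.3 suites are AEAD already.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!SHA1"


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context satisfying the policy above. Load the SHA-256-signed
    certificate and key with load_cert_chain() before serving."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION      # refuses SSL 3.0, TLS 1.0, TLS 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS compression has no place on CUI links
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """The 'before' configuration: whatever the OpenSSL build will still speak.
    Present only so the check below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:        # TLS 1.0 compiled out entirely; suite findings still apply
        pass
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # re-enable suites OpenSSL's default level hides
    except ssl.SSLError:      # builds without security levels (assumption: LibreSSL)
        ctx.set_ciphers("ALL")
    return ctx


def policy_violations(ctx: ssl.SSLContext) -> list[str]:
    """Every way a context falls short of the policy; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum protocol {ctx.minimum_version.name} is below TLS 1.2")
    for suite in ctx.get_ciphers():   # one dict per enabled suite, as OpenSSL reports them
        if not suite["aead"]:
            findings.append(f"non-AEAD suite enabled: {suite['name']}")
        elif suite["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append(f"weak suite enabled: {suite['name']} ({suite['strength_bits']} bits)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()), ("hardened", hardened_server_context())):
        problems = policy_violations(ctx)
        print(f"{label}: {'OK' if not problems else str(len(problems)) + ' finding(s)'}")
        for p in problems[:5]:
            print("   ", p)
```

Run the check in CI against the context your service actually builds; it catches a developer relaxing `minimum_version` for a legacy client long before testssl.sh does in production.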

Requirement 4: Self-Assessment Against NIST 800-171

What it requires: Under DFARS 252.204-7019 and 252.204-7020, the companion clauses to -7012, a contractor must have a NIST SP 800-171 DoD Assessment (at least a Basic self-assessment) that is no more than three years old, and post the resulting score in the Supplier Performance Risk System (SPRS) before award. The score is calculated with the DoD NIST SP 800-171 Assessment Methodology across all 110 requirements of Rev 2; it is a weighted deduction score, not a maturity score. CMMC adds an annual affirmation of continued compliance on top.

Key NIST 800-171 controls: 3.12.1 (periodically assess controls), 3.12.2 (Plan of Action & Milestones), 3.12.3 (monitor controls on an ongoing basis), 3.12.4 (System Security Plan)

Implementation steps:

  • Get the NIST SP 800-171 DoD Assessment Methodology (published by DoD, not NIST) and a SPRS account through the Procurement Integrated Enterprise Environment (PIEE); scores are entered at https://www.sprs.csd.disa.mil, and there is no downloadable scoring tool
  • Map your current security controls to each of the 110 NIST SP 800-171 Rev 2 requirements
  • Mark each requirement implemented or not implemented; the methodology has no maturity levels. Each unimplemented requirement subtracts its weight of 5, 3 or 1 points, and only 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) earn partial credit (3 points off instead of 5)
  • Document evidence for each requirement: policies, procedures, screenshots, test results
  • Calculate the score: 110 maximum, -203 minimum. Post it in SPRS with the assessment date, the SSP name and the date by which all requirements will be implemented. CMMC Level 2 expects all 110 implemented; under the CMMC Program rule a conditional Level 2 status with a POA&M needs at least 88 points, no open requirement worth more than 1 point (3.13.11 at its 3-point level excepted) and closure within 180 days
  • Identify gaps and create a remediation plan
  • Document findings in the System Security Plan (SSP) and the Plan of Action & Milestones (POA&M)

Estimated cost (50-person contractor): $8,000–$20,000 (consultant days, internal staff time, documentation)
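A worked scoring routine, added here as an example and not taken from the page or from any DoD tooling, shows how the Assessment Methodology arithmetic behaves at the edges the steps above gloss over: partial credit exists for only two requirements, everything else is all-or-nothing, and the CMMC conditional-status rule looks at which items are still open, not just the total. The 5-point weights for 3.5.3 and 3.13.11 and their 3-point partial rule are as published; the rest of the weight table and both sample assessments are constructed for the example and must be replaced with the full Annex A table and your own findings.

```python
from enum import Enum

MAX_SCORE = 110   # one point per NIST SP 800-171 Rev 2 requirement
MIN_SCORE = -203  # methodology floor: every requirement unimplemented at full weight


class Status(Enum):
    IMPLEMENTED = "implemented"
    PARTIAL = "partial"                # earns credit only for 3.5.3 and 3.13.11
    NOT_IMPLEMENTED = "not implemented"


# Published partial-credit rule: MFA (3.5.3) and FIPS-validated crypto (3.13.11)
# lose 3 points instead of 5 when partially implemented. No other requirement does.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

# Weight table. 3.5.3 and 3.13.11 are 5-point requirements as published; every
# other entry is an assumption for this example and must be replaced with the
# authoritative 1/3/5 weights from Annex A of the DoD Assessment Methodology.
EXAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.3.1": 5, "3.5.3": 5,
    "3.12.2": 1, "3.13.8": 3, "3.13.11": 5, "3.14.1": 5, "3.14.2": 5,
}


def deduction(req_id: str, status: Status, weights: dict[str, int]) -> int:
    """Points lost for one requirement."""
    if status is Status.IMPLEMENTED:
        return 0
    if status is Status.PARTIAL and req_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[req_id]
    # Everywhere else "partially implemented" scores as not implemented.
    return weights[req_id]


def sprs_score(assessment: dict[str, Status], weights: dict[str, int]) -> int:
    """Score to post in SPRS. Requirements absent from `assessment` are treated as
    implemented here; a real assessment records all 110."""
    score = MAX_SCORE - sum(deduction(r, s, weights) for r, s in assessment.items())
    if score < MIN_SCORE:
        raise ValueError("deductions exceed the methodology floor; check the weight table")
    return score


def open_items(assessment: dict[str, Status], weights: dict[str, int]) -> list[tuple[str, int]]:
    """(requirement, points still lost) for everything that belongs on the POA&M."""
    scored = [(r, deduction(r, s, weights)) for r, s in assessment.items()]
    return [(r, pts) for r, pts in scored if pts > 0]


def cmmc_l2_conditional_eligible(assessment: dict[str, Status], weights: dict[str, int]) -> bool:
    """CMMC Program rule (32 CFR part 170): a Level 2 conditional status with a POA&M
    requires a score of at least 88 (0.8 x 110) and no deferred requirement worth
    more than 1 point, except 3.13.11 at its 3-point partial level. The rule also
    names a few 1-point requirements that can never be deferred; not modelled here."""
    if sprs_score(assessment, weights) < 88:
        return False
    return all(pts <= 1 or (req == "3.13.11" and pts == 3)
               for req, pts in open_items(assessment, weights))


# Constructed sample (not real assessment data): a contractor mid-remediation.
MID_REMEDIATION = {
    "3.1.3": Status.NOT_IMPLEMENTED,   # no CUI flow control: -1
    "3.3.1": Status.PARTIAL,           # logging on some systems only, no partial credit: -5
    "3.5.3": Status.PARTIAL,           # MFA for admins and remote access only: -3
    "3.13.11": Status.PARTIAL,         # encrypted, but not with a FIPS-validated module: -3
    "3.14.1": Status.NOT_IMPLEMENTED,  # no patch process: -5
}  # score 93: above 88, yet not eligible while 3.3.1 and 3.14.1 are open at 5 points each

# Same contractor after closing everything except the two items the rule tolerates.
AFTER_REMEDIATION = {
    "3.1.3": Status.NOT_IMPLEMENTED,   # -1
    "3.13.11": Status.PARTIAL,         # -3, the one >1-point item CMMC lets you defer
}  # score 106: eligible for a conditional Level 2 status

if __name__ == "__main__":
    for name, a in (("mid-remediation", MID_REMEDIATION), ("after remediation", AFTER_REMEDIATION)):
        print(f"{name}: score {sprs_score(a, EXAMPLE_WEIGHTS)}, open {open_items(a, EXAMPLE_WEIGHTS)}, "
              f"conditional L2 eligible: {cmmc_l2_conditional_eligible(a, EXAMPLE_WEIGHTS)}")
```

The point the two samples make: a score in the nineties looks respectable in SPRS, but one open 5-point requirement blocks a conditional CMMC status regardless of the total, so remediation order should be driven by weight, not by effort.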

Requirement 5: System Security Plan (SSP)

What it requires: NIST SP 800-171 requirement 3.12.4, which the clause references directly, requires a System Security Plan that describes the system boundary, the operating environment, how each of the 110 requirements is implemented, and relationships with or connections to other systems. A DoD assessment cannot be conducted without one, and 252.204-7019 asks for the SSP's name when a score is posted in SPRS. The risk assessment and the POA&M are separate 800-171 requirements that the SSP should reference rather than absorb.

Key NIST 800-171 controls: 3.12.4 (System Security Plan), 3.12.2 (Plan of Action & Milestones), 3.11.1 (risk assessment), 3.4.1 (baseline configurations and inventories)

Implementation steps:

  • Define system boundary: which systems, networks, and applications handle CUI
  • Document system architecture diagram (detailed, showing data flows)
  • Create risk assessment identifying threats and vulnerabilities
  • List all 110 NIST 800-171 controls and how each is implemented
  • Document roles and responsibilities (who manages security, who has access)
  • Include incident response procedure and recovery time objectives (RTO/RPO)
  • Document change management and configuration management processes
  • Create Plan of Action & Milestones (POA&M) for any gaps
  • Review and update SSP annually or after major system changes

Estimated cost (50-person contractor): $12,000–$25,000 (consultant writing, internal SME time)

Requirement 6: Subcontractor and Supplier Flow-Down (Critical, Often Missed)

What it requires: Paragraph (m) of the clause requires the prime to include 252.204-7012, without alteration except to identify the parties, in every subcontract for operationally critical support or whose performance involves CDI, including subcontracts for commercial items, and each sub must flow it down in turn. The prime remains responsible to the Government for performance of the contract, so a sub that mishandles CDI or fails to report is the prime's problem to answer for. Subs report cyber incidents directly to DoD via DIBNet and must pass the DoD-assigned incident report number to the prime (or the next higher tier) as soon as practicable.

Key NIST 800-171 controls: none; this is a clause obligation (NIST SP 800-171 Rev 2 has no supply-chain family). 3.1.1 and 3.1.3 still govern any access subs have to your own systems.

Implementation steps:

  • Audit all subcontractors and vendors: which receive, generate or have access to CDI, and which provide operationally critical support?
  • Add DFARS 252.204-7012 (and, where your prime contract carries them, -7019 and -7020) to every subcontract in scope, verbatim
  • Require each subcontractor to show its NIST 800-171 status: SSP, current SPRS score, or CMMC certificate
  • Put the clause's reporting mechanics in the subcontract: the sub reports directly to DoD via DIBNet within 72 hours of discovery and passes the incident report number to you as soon as practicable
  • Require subs to flow the same clause down to their own subs, at every tier
  • Review sub compliance periodically (at least annually), with more depth for the subs holding the most sensitive CDI
  • Keep a central register of every sub with CDI access, what it holds, and its compliance status and evidence dates
  • Include contractual remedies, up to termination, if a sub fails compliance verification

Estimated cost (50-person contractor with 5–10 active subs): $10,000–$18,000 (legal review, contract updates, audit cycles)

Requirement 7: Cloud Service Provider Controls and Approval

What it requires: If CDI is stored, processed or transmitted in an external cloud service (AWS, Azure, Google Cloud, SaaS tools), paragraph (b)(2)(ii)(D) of the clause requires the contractor to ensure the provider meets security requirements equivalent to the FedRAMP Moderate baseline and complies with the clause's incident reporting, malicious software, media preservation and forensic-access obligations. There is no DISA approval step for contractor-selected clouds; the DoD Cloud Computing Security Requirements Guide applies only when the cloud is operated on behalf of the Government. This is a common compliance gap.

Key NIST 800-171 controls: 3.13.1 (boundary protection), 3.13.8 and 3.13.11 (cryptography in transit, FIPS-validated), 3.13.16 (CUI at rest), 3.1.1 (authorized access)

Implementation steps:

  • Audit current cloud usage: which services store, process or transmit CDI, including file sharing, email and ticketing?
  • Check authorization status in the FedRAMP Marketplace at fedramp.gov for each service, and confirm the specific offering you use is inside the authorization boundary (the provider's catalog as a whole is not)
  • For a service without a FedRAMP Moderate (or higher) authorization, the clause allows "equivalent" security, but equivalency must be evidenced, not self-declared; DoD's December 2023 equivalency memo expects an assessment by a FedRAMP-recognized third-party assessor against the full Moderate baseline. If the provider cannot show that, move the CDI
  • Get the provider's written commitment to the clause's paragraphs (c) through (g): incident reporting, malware submission, 90-day preservation and DoD forensic access
  • Implement cloud access controls (IAM policies, network isolation, customer-managed encryption keys); an authorization covers the provider's side of the shared responsibility model only
  • For export-controlled CDI (ITAR), use regions and support models that restrict data access to U.S. persons, which is why GovCloud and Azure Government are the usual choices
  • For backup and disaster recovery: ensure the backup provider meets the same bar

Common FedRAMP-authorized services: AWS GovCloud, Microsoft Azure Government, Google Cloud (Oracle, Salesforce, ServiceNow and others also hold authorizations); confirm the impact level and the authorized offering on the Marketplace rather than relying on brand names

Estimated cost (50-person contractor): $5,000–$15,000 (if cloud migration needed) or $1,000–$3,000 (if already using FedRAMP services)

DFARS 252.204-7012 to NIST 800-171 Control Mapping

Each of the seven requirements maps to NIST SP 800-171 Rev 2 families where one exists; the number in parentheses is how many of the 110 requirements the family contains. Two of the seven are clause obligations with no 800-171 counterpart:

DFARS requirement | NIST SP 800-171 Rev 2 families (requirements in family) | Key requirements
CUI identification & protection | Access Control (22), Media Protection (9), System & Communications Protection (16) | 3.1.1, 3.1.3, 3.8.4, 3.13.11, 3.13.16
Cyber incident reporting | Incident Response (3), Audit & Accountability (9), System & Information Integrity (7) | 3.6.1, 3.6.2, 3.3.1, 3.14.6
Medium assurance certificate | none; clause paragraph (c)(3). Encryption in transit is System & Communications Protection (16) | 3.13.8, 3.13.11
Self-assessment (SPRS) | Security Assessment (4); the scoring itself comes from 252.204-7019/-7020 | 3.12.1, 3.12.3
System Security Plan | Security Assessment (4), Risk Assessment (3) | 3.12.4, 3.12.2, 3.11.1
Subcontractor flow-down | none; clause paragraph (m) | 3.1.1, 3.1.3 for sub access to your systems
Cloud service providers | System & Communications Protection (16), Access Control (22); clause paragraph (b)(2)(ii)(D) | 3.13.1, 3.13.8, 3.13.11, 3.13.16

Bottom line: implementing all 110 NIST SP 800-171 requirements satisfies the "adequate security" paragraph of 252.204-7012, which is what a CMMC Level 2 assessment validates. The clause's other paragraphs (incident reporting and the medium assurance certificate, malware submission, 90-day preservation, DoD forensic access, cloud equivalency and flow-down) are obligations on top of the 110 and are not checked by the score.

Common DFARS Compliance Gaps

  • Subcontractor oversight missing: primes that neither verify sub compliance nor flow the clause down are in breach of paragraph (m), and subs rarely volunteer that they hold CDI
  • Incident reporting delays: companies detect incidents but miss the 72-hour DIBNet window because nobody owns the decision to report, or nobody holds the ECA medium assurance certificate needed to log in
  • Cloud service gaps: commercial tiers of collaboration tools (file sharing, chat, source hosting) used for CDI with no FedRAMP Moderate authorization and no evidenced equivalency
  • Weak access controls: CUI systems without MFA for general users (3.5.3, a 5-point requirement); CUI systems not segmented from the general corporate network or the internet
  • No SSP maintained: controls exist but are never documented in a formal System Security Plan, which means no assessment can even be conducted
  • Outdated self-assessment: the SPRS score is more than three years old (no longer valid under 252.204-7019) and nothing monitors control drift in between
  • TLS and certificate hygiene weak: legacy systems still accepting TLS 1.0/1.1, SHA-1 certificates, or non-FIPS crypto modules for CUI in transit

Step-by-Step DFARS Compliance Checklist

Phase 1: Foundation (Weeks 1–4)

  • Identify all systems and data flows handling CUI (create system boundary diagram)
  • Classify which personnel need CUI access (create role/access matrix)
  • Audit current encryption: identify unencrypted CUI in transit or at rest
  • Audit current cloud services: list which ones process CUI
  • Review existing contracts with subcontractors (check for DFARS flow-down language)
  • Identify current incident detection capabilities (SIEM, EDR, firewalls)

Phase 2: Critical Controls (Weeks 5–12)

  • Implement encryption for all CUI at rest using FIPS-validated modules (3.13.11, 3.13.16)
  • Implement encryption for all CUI in transit (TLS 1.2 or higher, SHA-256-signed certificates, FIPS-validated modules)
  • Deploy MFA (multi-factor authentication) on all CUI system access, for general users as well as admins and remote access (3.5.3)
  • Segment CUI systems from public networks and from the general corporate network (network isolation, firewall rules)
  • Deploy or upgrade SIEM and endpoint detection for incident detection and monitoring
  • Establish a formal incident response procedure and team, and obtain the ECA medium assurance certificate needed to file on DIBNet
  • Move CUI off any cloud service that cannot show FedRAMP Moderate authorization or evidenced equivalency, or obtain that evidence from the provider

Phase 3: Documentation & Self-Assessment (Weeks 13–20)

  • Draft System Security Plan documenting system, boundary, and all controls
  • Conduct risk assessment against NIST threats and vulnerabilities
  • Map all implemented controls to NIST 800-171 framework (110 controls)
  • Calculate the SPRS score and post it (all 110 implemented is the CMMC Level 2 target; at least 88 with only 1-point items open is the floor for a conditional status)
  • Create Plan of Action & Milestones (POA&M) for remaining gaps
  • Document evidence for each control (policies, screenshots, logs, test results)

Phase 4: Subcontractor & Supplier Compliance (Weeks 21–24)

  • Add DFARS 252.204-7012 to all active subcontracts with CUI access
  • Request each subcontractor provide SSP or CMMC certification
  • Create subcontractor compliance register (track status, certification dates)
  • Audit top 3–5 critical subcontractors for NIST 800-171 compliance
  • Require each sub to flow down DFARS to their own suppliers

Phase 5: Validation & Certification (Weeks 25+)

  • Conduct a tabletop incident response exercise that runs from detection to a filed DIBNet report within 72 hours, including a live login with the ECA certificate
  • Conduct a penetration test of CUI systems to validate access controls and segmentation
  • Engage a C3PAO (CMMC Third-Party Assessment Organization) for the CMMC Level 2 certification assessment
  • Post the current self-assessment score in SPRS (required by 252.204-7019 before award; DCSA is not involved)
  • Obtain the CMMC Level 2 certificate (valid three years, with an annual affirmation of continued compliance)
  • Establish continuous monitoring and a re-assessment schedule so that neither the score nor the SSP ages out

Cost Estimates by Organization Size

Organization Size Total DFARS Compliance Cost Cost Per Employee Timeline
Small (10–25 employees) $35,000–$60,000 $2,500–$4,000 16–20 weeks
Mid-market (26–100 employees) $65,000–$120,000 $2,000–$3,500 20–24 weeks
Large (100–500 employees) $150,000–$300,000 $1,500–$3,000 24–32 weeks
Enterprise (500+ employees) $400,000–$800,000+ $1,000–$2,500 32–52 weeks

Cost breakdown typical of mid-market (50-person) contractor:

  • Security tools (SIEM, EDR, encryption, MFA): $20,000–$30,000/year
  • Consultant fees (gap analysis, SSP, CMMC assessment): $35,000–$50,000
  • Internal staff time (IT, compliance, security): $15,000–$25,000
  • Third-party services (penetration testing, code review): $10,000–$15,000
  • Total first-year: $80,000–$120,000
  • Annual maintenance: $25,000–$40,000 (tool licenses, staff, annual assessment)

Recommended Tools for DFARS Compliance

These tools help with specific DFARS and NIST 800-171 implementation tasks:

  • SIEM & incident detection: Splunk Enterprise, Microsoft Sentinel, Elastic Stack
  • Vulnerability scanning: Nessus Professional, Qualys VMDR, Rapid7 InsightVM
  • Key management for encryption at rest: HashiCorp Vault, AWS KMS, Microsoft Azure Key Vault (confirm the underlying module is FIPS 140 validated in the mode you use)
  • Access control & IAM: Okta, Microsoft Entra ID, Ping Identity
  • Endpoint detection & response: CrowdStrike Falcon, Microsoft Defender for Endpoint, Palo Alto Networks Cortex XDR
  • Scoring and score submission: the DoD NIST SP 800-171 Assessment Methodology (the scoring rules) and SPRS at https://www.sprs.csd.disa.mil, accessed through PIEE; there is no NIST-published scoring tool
  • Documentation & SSP: Workiva, Drata, Vanta (automated control mapping)

Ready to start your DFARS compliance program? Use our DFARS Compliance Cost Calculator to estimate implementation costs for your organization.

Frequently Asked Questions

Does every DoD contractor need DFARS compliance?
Nearly every one. DFARS 252.204-7012 goes into all DoD solicitations and contracts except those solely for commercially available off-the-shelf (COTS) items, so if your contract carries the clause or you handle CDI, it applies. If you are not sure, check the clause list in your contract.
What's the difference between DFARS compliance and CMMC certification?
DFARS 252.204-7012 is the contractual requirement. CMMC is the verification program: a third-party assessment (or, at Level 1 and for some Level 2 contracts, a self-assessment) that you actually meet it. You must be compliant regardless; CMMC provides the independent proof.
Can we use non-FedRAMP cloud services for CUI?
Only if the provider meets security requirements equivalent to FedRAMP Moderate and commits to the clause's incident reporting, malware, preservation and forensic-access obligations. Equivalency has to be evidenced, not asserted, and there is no contracting officer approval route for it. In practice most contractors choose an authorized offering.
How often do we need to update our System Security Plan?
At least annually. Update immediately after major system changes, security incidents or control modifications, and keep it consistent with the score posted in SPRS.
What happens if we miss the 72-hour incident reporting deadline?
It is a noncompliance with the clause. Report anyway, however late; the contracting officer can pursue contract remedies up to termination, and a pattern of non-reporting affects past performance and future awards. Reporting an incident is not itself evidence that you failed to provide adequate security.
Are we liable for our subcontractor's DFARS violations?
You are responsible to the Government for performance of the contract, which includes flowing the clause down and verifying that subs handling CDI comply. A sub's failure does not relieve you of that responsibility.

Disclosure: Defense Compliance.ai contains affiliate links to compliance software and assessment tools. We recommend tools we've independently vetted; affiliate commissions help fund this resource.