
DFARS Compliance
Defense contractors working within the Defense Industrial Base (DIB) that hold contracts with the Department of Defense (DoD) will likely have to comply with Defense Federal Acquisition Regulation Supplement (DFARS) requirements. These requirements also go hand in hand with CMMC and the protection of Controlled Unclassified Information (CUI).
What is DFARS and How Does it Relate to CMMC?
DFARS is a set of regulations that are used by the DoD to supplement the Federal Acquisition Regulation or "FAR". The FAR is a document that governs how procurement within federal agencies works including acquisition planning, contracting methods, and other economic programs.
The DFARS applies specifically to defense contracts and adds requirements focused on cybersecurity and supply chain integrity. Its purpose is to ensure contractors meet minimum security standards before handling DoD data. Several key clauses within the DFARS require compliance with NIST 800-171, mandate reporting of cyber incidents within 72 hours, and introduce CMMC requirements for validating compliance.
DFARS 7012
DFARS 252.204-7012 is the foundational clause in the expanded DFARS 70xx series. It applies to all DoD contracts with the exception of Commercial Off-the-Shelf (COTS) items. It requires the implementation of NIST SP 800-171 and mandates that cyber incidents involving Covered Defense Information (CDI) are rapidly reported.
DFARS 7019
DFARS 252.204-7019 outlines the requirement for contractors to maintain current assessments of their NIST 800-171 implementation. These assessments must be accurately reported within the Supplier Performance Risk System (SPRS).
DFARS 7020
DFARS 252.204-7020 was first introduced in November 2020 and works in tandem with DFARS 7019 by establishing the obligations that contractors must meet when the DoD initiates a Medium or High assessment. These obligations include providing access to systems, facilities, and personnel during the assessment process.
DFARS 7021
DFARS 252.204-7021 integrates cybersecurity standards into federal contracting. This clause introduces the Cybersecurity Maturity Model Certification (CMMC) as a formal requirement in the DoD acquisition lifecycle. It requires contractors to achieve and maintain a specified CMMC level as a condition of contract award or option year renewal, when included in the solicitation.