Federal Government / Defense Contractor Requirement

DFARS

Defense Federal Acquisition Regulation Supplement - Cybersecurity Clauses

Legally Required | Featured Framework

Defense-specific federal acquisition regulations establishing mandatory cybersecurity standards and incident reporting procedures for all Department of Defense contractors and subcontractors handling Covered Defense Information or Controlled Unclassified Information.

Executive Summary

DFARS establishes a comprehensive cybersecurity framework for DoD contractors through key clauses: 252.204-7012 (NIST SP 800-171 implementation and 72-hour cyber incident reporting), 252.204-7019/7020 (NIST SP 800-171 DoD assessments and SPRS scoring), and 252.204-7021 (CMMC certification requirements). It applies to all DoD contracts involving Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), with flow-down requirements through the entire supply chain.

Comprehensive Documentation

DFARS Cybersecurity Requirements

Overview

The Defense Federal Acquisition Regulation Supplement (DFARS) implements comprehensive cybersecurity requirements for all Department of Defense contractors and subcontractors through specific clauses that establish mandatory security standards and incident reporting procedures.

Authoritative Source: https://www.acquisition.gov/dfars
Current Version: October 24, 2025 (Change 10/24/2025)
Primary Cybersecurity Subparts:

  • Subpart 204.73: Safeguarding Covered Defense Information and Cyber Incident Reporting

  • Subpart 204.75: Cybersecurity Maturity Model Certification (CMMC)

Key DFARS Clauses

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting

Effective Date: October 24, 2025 (most recent change); Original: December 31, 2017

Primary Purpose: Establishes mandatory security requirements and cyber incident reporting procedures for contractors handling covered defense information.

Key Requirements:

  1. Security Implementation

- Contractors must provide "adequate security" for covered defense information
- Primary method: Implement NIST Special Publication (SP) 800-171 controls (110 security requirements)
- For external cloud service providers: Meet FedRAMP Moderate baseline equivalency
- Compliance deadline for pre-October 2017 contracts: December 31, 2017

  2. Cyber Incident Reporting

- Reporting Timeline: Within 72 hours of discovery of any cyber incident
- Reporting Method: Report via https://dibnet.dod.mil using the Incident Collection Form (ICF)
- Certificate Requirement: DoD-approved medium assurance certificate required for DIBnet access
- Definition of cyber incident: "Actions taken through use of computer networks resulting in compromise or adverse effect on information system"

  3. Supporting Obligations

- Preserve affected system images and monitoring/packet capture data for at least 90 days
- Provide forensic analysis access upon DoD request
- Submit malicious software samples to DoD Cyber Crime Center (DC3)
- Conduct compromise evidence review within systems

  4. Subcontractor Requirements

- Flow-down clause to all subcontractors handling covered defense information
- Subcontractors must notify prime contractors of incidents
- Prime contractors remain responsible for reporting to DoD

DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements

Type: Solicitation Provision

Primary Purpose: Notifies offerors of requirement to possess current NIST SP 800-171 assessments before award consideration.

Key Requirements:

  • Offerors must have current assessments "not more than 3 years old unless lesser time specified"

  • Assessments required for each covered contractor information system relevant to contract

  • Summary-level scores must be posted in Supplier Performance Risk System (SPRS)

  • Offerors without current SPRS-posted scores may conduct and submit Basic Assessments

DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements

Type: Contract Clause

Applicability: All solicitations and contracts except those solely for COTS items

Assessment Types (Three Levels):

  1. Basic Assessment

- Contractor self-assessment
- Based on review of system security plans
- Conducted per NIST SP 800-171 DoD Assessment Methodology
- Confidence Level: "Low"
- Score format: "X out of 110" (e.g., "95 out of 110")

  2. Medium Assessment

- Government or third-party conducted
- Includes thorough examination of documentation, contractor discussions, walkthrough
- Confidence Level: "Medium"

  3. High Assessment

- Government personnel conducted
- Uses NIST SP 800-171A assessment methodology
- Includes verification, examination, and demonstration of contractor's system security plan
- Confidence Level: "High"
- Results retained as CUI for internal DoD use only

SPRS Scoring Requirements:

  • Summary-level scores (not individual requirement scores) posted in SPRS

  • Assessment frequency: Current assessments renewed at least every 3 years

  • Provides DoD Components visibility into contractor security posture

DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements

Type: Contract Clause

Effective Date: October 1, 2025 (for general use)

Primary Purpose: Mandates contractors maintain current Cybersecurity Maturity Model Certification at levels specified in contract.

Core Requirements:

  • Contractors must have current (not older than 3 years) CMMC certificate at required level

  • Certification must be maintained for entire contract performance duration

  • Contracting officers cannot award contracts without required CMMC certificate

  • Cannot exercise contract options or extend performance periods without valid current certificate

  • Verification through Supplier Performance Risk System (SPRS)

Subcontractor Requirements:

  • Must flow down CMMC clause to all subcontracts except COTS items

  • Verify subcontractors possess current CMMC certificates at appropriate levels before award

Covered Defense Information (CDI): Definition and Scope

Official Definition (DFARS 204.7301):

"Covered defense information" means unclassified controlled technical information or other information requiring safeguarding or dissemination controls pursuant to law, regulations, and Government-wide policies, and is:

  1. Marked or otherwise identified in contract and provided to contractor by or on behalf of DoD; or

  2. Collected, developed, received, transmitted, used, or stored by or on behalf of contractor in support of contract performance

Controlled Technical Information (CTI):
Technical information with military or space application subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

Scope:

  • Includes all information supporting DoD contract performance whether marked or not

  • Applies to commercial products and services that may incidentally involve CDI

  • Does not apply to purely commercial off-the-shelf items used without modification

Cyber Incident Reporting Requirements

72-Hour Reporting Timeline:
"Rapidly report" is defined in DFARS 204.7301 as: "Within 72 hours of discovery of any cyber incident"

Reporting Discovery Standard:

  • Reporting begins upon "discovery" of incident

  • Discovery occurs when contractor becomes aware through any means

Reporting Portal and Method:
  • Reporting Portal: https://dibnet.dod.mil (Defense Industrial Base Network)

  • Reporting Tool: Incident Collection Form (ICF)

  • Recipient: Department of Defense directly

  • Certification: DIBnet access requires DoD-approved medium assurance certificate

Post-Reporting Obligations:
  1. Media Preservation - Preserve images of all affected systems for at least 90 days

  2. Forensic Analysis Support - Provide access for DoD forensic analysis upon request

  3. Malicious Software Submission - Submit samples to DoD Cyber Crime Center (DC3)

  4. Notification to Prime - Subcontractors notify prime; prime reports to DoD

Contractor Reporting Protection:
Per DFARS 252.204-7009, cyber incident reports are not to be interpreted as evidence of a contractor's failure to provide adequate security. Contracting officers must assess incidents in the context of the contractor's overall cybersecurity posture.

Flow-Down Requirements to Subcontractors

Subpart 204.73 (Safeguarding) Flow-Down:
DFARS 252.204-7012 must be flowed down to all subcontractors that:

  • Receive or handle covered defense information

  • Operate covered contractor information systems

  • Support DoD contract performance involving CDI

Subpart 204.75 (CMMC) Flow-Down:
DFARS 252.204-7021 must be flowed down to all subcontracts except COTS-only acquisitions.

Supply Chain Applicability:

  • Flow-down extends through entire supply chain

  • Each contractor responsible for ensuring subcontractor compliance

  • Multi-tier subcontracting: Each level flows down requirements further

  • Commercial suppliers must comply if performing work involving CDI

Prime Contractor Responsibility:
  • Prime contractors remain responsible for subcontractor compliance

  • Must verify CMMC certificates before subcontract award via SPRS

  • Must receive and report cyber incident notifications from subcontractors to DoD

  • Must enforce compliance through subcontract terms and conditions

Assessment Requirements (NIST SP 800-171 Assessments)

Three Assessment Levels

1. Basic Assessment (Self-Assessment)

  • Conducted By: Contractor self-assessment

  • Confidence Level: "Low"

  • Methodology: NIST SP 800-171 DoD Assessment Methodology

  • Components: Review of system security plans, self-evaluation of 14 security families

  • Cost: Minimal (internal resources)

2. Medium Assessment (Third-Party/Government)

  • Conducted By: Government or third-party assessor

  • Confidence Level: "Medium"

  • Depth: Review of basic assessment, thorough examination of documentation, discussions, walkthrough

  • Cost: Moderate (professional assessment fees if third-party)

3. High Assessment (Government-Conducted)

  • Conducted By: DoD personnel or authorized government representatives

  • Confidence Level: "High"

  • Methodology: NIST SP 800-171A, "Assessing Security Requirements for Controlled Unclassified Information"

  • Depth: Complete verification, examination, and demonstration of security plan and controls

  • Cost: Highest (extensive government resources)

SPRS (Supplier Performance Risk System) Scoring

Scoring Format:

  • Summary-level score expressed as number out of 110

  • Example: "95 out of 110" or "110 out of 110"

  • Aggregate score only; not individual scores for each requirement

SPRS Posting Timeline:

  • Summary-level scores posted 30 days post-assessment

  • Provides DoD Components visibility into contractor security posture

  • Contracting officers verify current assessments before award

Assessment Currency Requirements:

  • Contractors must maintain current assessments "not more than 3 years old"

  • Solicitations may specify shorter periods (e.g., 1 year, 2 years) as needed

Scope: Who Must Comply

Mandatory Applicability:
These requirements apply to all contracts and subcontracts that require contractors to:

  • Safeguard covered defense information in or transiting through covered contractor information systems

  • Report cyber incidents affecting such systems

Contractor Categories Affected:

  1. Prime Contractors to DoD - All defense contractors receiving unclassified CDI/CUI from DoD

  2. Subcontractors at All Levels - All tiers when involved in CDI handling

  3. Commercial Contractors and Suppliers - Commercial providers if handling CDI

  4. Research Institutions and Universities - Universities with DoD research contracts

Geographic Scope:

  • Applies to all contractors regardless of location (U.S. and foreign equally)

  • Does not replace classified information security requirements

  • Applies to unclassified information only

Effective Application Date:

  • DFARS 252.204-7012: December 31, 2017 compliance deadline for NIST SP 800-171

  • DFARS 252.204-7019/7020: Applied to new solicitations and contracts as issued

  • DFARS 252.204-7021 (CMMC): October 1, 2025 for most acquisitions

Enforcement: Contractual and Regulatory Consequences

Contractual Consequences

1. Contract Award Decisions
Per DFARS 204.7501: Contracting officers shall NOT award to offerors lacking required CMMC certificate at specified level

2. Option Exercise Restrictions
Cannot exercise contract options unless contractor maintains current CMMC certificate

3. Cyber Incident Reporting Impact
A cyber incident reported by a contractor is not automatically interpreted as a failure to provide adequate security

4. SPRS Score Impact

  • Low NIST SP 800-171 scores or lack of current assessments negatively impacts bid competitiveness

  • SPRS scores affect contractor's ability to bid on other DoD contracts

Administrative Remedies

  1. Suspension from Bidding - Suspension from specific contract opportunities

  2. Debarment Procedures - Serious or repeated violations may trigger debarment (typically 3 years)

  3. Cost Disallowance - Costs associated with incidents may be deemed unallowable

Contracting Officer Authority

Contracting officers shall:

  • Consult with DoD component CIO or cyber security office before assessing contractor compliance

  • Consider cyber incidents in overall compliance context

  • Document assessment basis

  • Apply remedies proportionate to violation severity

Massachusetts Perspective

Massachusetts Defense Contractor Categories

Based on industry knowledge, Massachusetts hosts:

  1. Aerospace and Defense Contractors - Major contractors in Boston metro area

  2. Research Universities with DoD Contracts - MIT, Harvard, Northeastern, UMass, WPI, Tufts

  3. Cybersecurity and IT Services Contractors - Defense IT services companies

Applicable DFARS Requirements for Massachusetts Entities:

All Massachusetts-based DoD contractors and subcontractors are subject to identical requirements:

  1. DFARS 252.204-7012 - Safeguarding and cyber incident reporting (72-hour requirement)

  2. DFARS 252.204-7019/7020 - NIST SP 800-171 assessments (SPRS posting)

  3. DFARS 252.204-7021 - CMMC certification requirements (from October 1, 2025)

Special Considerations for Universities:

  • Research institutions receiving DoD funding must comply with DFARS

  • University research networks handling CDI must implement NIST SP 800-171

  • Some exemptions may apply under FAR/DFARS education/research provisions

Registration and Reporting:

  • Massachusetts contractors register with System for Award Management (SAM.gov)

  • DIBnet registration required for cyber incident reporting

  • SPRS registration required for NIST SP 800-171 and CMMC scores

Related Frameworks

NIST Special Publication 800-171 (NIST SP 800-171)

Current Version: Revision 3 (Released May 14, 2024)
Full Title: "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations"

  • DFARS 252.204-7012 mandates implementation of NIST SP 800-171 controls

  • Provides 14 security requirement families

  • DoD assessments evaluate compliance with NIST SP 800-171

NIST SP 800-172

Official Title: "Enhanced Security Requirements for Protecting CUI"

  • Provides enhanced requirements for high-value or critical CUI

  • 24 additional requirements addressing APTs

  • Forms basis for CMMC Level 3

Cybersecurity Maturity Model Certification (CMMC) 2.0

Official Source: https://www.acq.osd.mil/asda/dpc/cp/cyber/cmmc.html

  • DFARS 252.204-7021 requires contractors to maintain a CMMC certificate

  • Three-level framework (Level 1, 2, 3)

  • Applies to all DoD contracts except COTS-only acquisitions

Federal Acquisition Regulation (FAR)

FAR 52.204-21: Safeguarding of Controlled Unclassified Information

  • 15 security practices (basic cyber hygiene)

  • Basis for CMMC Level 1 requirements

Controlled Unclassified Information (CUI) Registry

Official Source: http://www.archives.gov/cui/registry/category-list.html

  • Establishes categories of unclassified information requiring safeguarding

  • DFARS relies on CUI Registry to define information types requiring protection

Effective Dates and Timeline

Historical Timeline

2017: Initial Safeguarding Requirements

  • December 31, 2017: Compliance deadline for implementing NIST SP 800-171 controls

DFARS 252.204-7012

  • First Effective Date: October 24, 2017

  • Compliance Deadline: December 31, 2017 (NIST SP 800-171 implementation)

  • Current Effective Date: October 24, 2025

DFARS 252.204-7019/7020

  • Effective Date: November 2023

  • Current Version: October 24, 2025 change

DFARS 252.204-7021 (CMMC)

  • Initial Effective Date: January 2023 (with approval requirement)

  • General Applicability Date: October 1, 2025

  • Current Version: October 24, 2025 change

CMMC 2.0 Framework Rule (32 CFR Part 170)

  • Published: October 15, 2024

  • Effective Date: December 16, 2024

DFARS Case 2019-D041 Final Rule

  • Published: September 10, 2025

  • Effective Date: November 10, 2025

NIST SP 800-171 Revisions

  • Revision 3: Published May 14, 2024 (current version)

Current Status (November 20, 2025)

  • DFARS 252.204-7012: In effect, current version October 24, 2025

  • DFARS 252.204-7019/7020: In effect, current version October 24, 2025

  • DFARS 252.204-7021 (CMMC): In effect for general use

  • CMMC 2.0 Framework: In effect per 32 CFR Part 170

  • NIST SP 800-171 Rev. 3: Current standard

Key Takeaways

  1. Comprehensive Framework: DFARS establishes comprehensive cybersecurity requirements for DoD contractors through multiple clauses

  2. NIST SP 800-171 Mandate: All contractors handling CUI must implement 110 security requirements

  3. 72-Hour Incident Reporting: Mandatory rapid reporting to DoD via DIBnet

  4. SPRS Scoring: Assessment scores visible to all DoD contracting officers through SPRS

  5. CMMC Integration: DFARS 252.204-7021 makes CMMC certification a contractual requirement

  6. Supply Chain Flow-Down: Requirements flow down through entire supply chain to all tiers

  7. Contract Ineligibility: Non-compliance results in inability to bid or receive DoD contracts

  8. Massachusetts Context: Applies to all MA-based defense contractors, subcontractors, and research institutions

Applicable Industries

  • Defense Contractors (Prime)

  • Defense Subcontractors (All Tiers)

  • Aerospace and Defense

  • Manufacturing (Defense)

  • IT Services (Defense)

  • Engineering Services (Defense)

  • Research Institutions (DoD Contracts)

  • Commercial Suppliers (Defense Supply Chain)

Effective Date

12/31/2017

Penalties for Non-Compliance

Contract ineligibility (cannot bid or receive DoD contracts), loss of contract options, inability to extend performance periods, cost disallowance, potential suspension/debarment for serious violations, criminal liability for false statements.

For Massachusetts Companies

This is a mandatory federal framework that applies to Massachusetts companies in applicable industries. Non-compliance can result in significant penalties.