DFARS (Defense Federal Acquisition Regulation Supplement)
The DoD acquisition supplement that mandates cybersecurity standards for all contractors handling covered defense information.
The Defense Federal Acquisition Regulation Supplement (DFARS) augments the Federal Acquisition Regulation (FAR) with DoD-specific clauses. The cybersecurity-critical provisions are DFARS clause 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting"), which requires contractors to implement adequate security on all information systems that process, store, or transmit Covered Defense Information (CDI), and DFARS 252.204-7021, which mandates a current Cybersecurity Maturity Model Certification (CMMC) at the level specified in the solicitation. Clause 252.204-7012 applies to virtually every DoD contract that involves technical data or operationally critical support; it is not optional and cannot be waived by the contracting officer.
The engineering obligations under 252.204-7012 are precise. Contractors must implement NIST SP 800-171 rev 2 across all covered systems, report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours of discovery, preserve and protect images of all compromised systems for at least 90 days, and submit a medium assurance certificate to the Government-Industry Data Exchange Program (GIDEP). Clause 252.239-7010 additionally requires Cloud Service Providers (CSPs) supporting DoD contractors to meet FedRAMP Moderate equivalency at minimum. The System Security Plan (SSP) must document all 110 NIST 800-171 controls, and a Plan of Action and Milestones (POA&M) is required for any controls not yet fully implemented, along with a projected completion date.
DFARS 252.204-7020 requires contractors to submit an annual self-assessment score to the Supplier Performance Risk System (SPRS) using the NIST SP 800-171 DoD Assessment Methodology. Scores range from −203 to 110; a perfect score requires all 110 controls to be fully implemented. The maximum score at contract award may be specified in the solicitation. Subcontractor flow-down is mandatory: prime contractors must include 252.204-7012 in all subcontracts where subcontractors will process CDI, and must verify subcontractor SPRS scores. CMMC 2.0 (finalized in the 48 CFR final rule published October 2024) replaces third-party assessment waivers with mandatory C3PAO assessments for Level 2 and Level 3 contracts.
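An added example, not code from the page or from any DoD tooling: a small calculator that applies the SPRS scoring rule described above (start at 110 and deduct the weight of each requirement that is not fully implemented). The per-requirement weights and the two partial-credit exceptions follow the NIST SP 800-171 DoD Assessment Methodology as I understand it, and the weight table here is a constructed sample rather than the full 110-item annex.

```python
# SPRS self-assessment score calculator (added example, not from the page).
# Scoring rule assumed from the NIST SP 800-171 DoD Assessment Methodology:
# every one of the 110 requirements carries a weight of 1, 3 or 5; a perfect
# score is 110 and the floor is -203 (all weights deducted). Only two
# requirements earn partial credit: 3.5.3 (MFA) and 3.13.11 (FIPS-validated
# cryptography) cost 3 instead of 5 when partially met. Any other "partial"
# requirement is scored as not implemented.

PERFECT_SCORE = 110
MIN_SCORE = -203
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Constructed sample of requirement weights (NOT the full methodology table).
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.3.1": 5,
    "3.5.3": 5, "3.13.11": 5, "3.14.6": 5, "3.8.3": 3,
}


def deduction_for(req, weight, state):
    """Points lost for one requirement given its implementation state."""
    if state == "implemented":
        return 0
    if state == "partial" and req in PARTIAL_DEDUCTION:
        return PARTIAL_DEDUCTION[req]
    return weight  # not implemented, or partial without a credit rule


def sprs_score(weights, status):
    """Score = 110 minus deductions. Requirements missing from `status`
    (i.e. never assessed) are treated as not implemented, as an assessor would."""
    total = sum(deduction_for(req, w, status.get(req, "not_implemented"))
                for req, w in weights.items())
    return max(MIN_SCORE, PERFECT_SCORE - total)


def poam_priorities(weights, status):
    """Requirements that belong on the POA&M, highest-weight first, so the
    remediation order recovers the most SPRS points soonest."""
    open_items = [(req, deduction_for(req, w, status.get(req, "not_implemented")))
                  for req, w in weights.items()]
    open_items = [(req, d) for req, d in open_items if d > 0]
    return sorted(open_items, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    status = {req: "implemented" for req in SAMPLE_WEIGHTS}
    status["3.5.3"] = "partial"          # MFA for general users only
    status["3.1.3"] = "not_implemented"  # CUI flow control missing
    print(sprs_score(SAMPLE_WEIGHTS, status), poam_priorities(SAMPLE_WEIGHTS, status))
```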
We deliver DFARS compliance programs that begin with a gap assessment against all 110 NIST SP 800-171 controls mapped to the client's actual system boundaries, build SSPs and POA&Ms that satisfy DC3 reporting workflows, and instrument SIEM/SOAR pipelines for 72-hour incident reporting SLAs. We also configure SPRS-ready self-assessment tooling and support subcontractor due-diligence programs for prime contractors.