The Defense Federal Acquisition Regulation Supplement (DFARS) is the Department of Defense's companion to the Federal Acquisition Regulation (FAR). It specifies DoD-specific contracting rules, including the cybersecurity obligations that bind every defense contractor who handles Covered Defense Information (CDI) — the category that includes Controlled Unclassified Information (CUI).
The clause that matters: 252.204-7012
The operative cybersecurity clause is DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." It has three core requirements:
- Implement NIST SP 800-171 Rev 2. Contractor information systems that process, store, or transmit CDI must implement the 110 security controls in NIST SP 800-171 Rev 2. This is the direct link to the CMMC Level 2 control set — CMMC operationalizes the same 110 controls with third-party assessment.
- 72-hour cyber incident reporting. The contractor must report cyber incidents to DoD via DIBNet within 72 hours of discovery. A cyber incident is defined broadly — compromise of CDI, adverse effects on a covered contractor system, or actions that could affect the contractor's ability to perform. Reports go to the DoD Cyber Crime Center (DC3).
- Cloud service requirements and subcontractor flowdown. If the contractor uses a cloud service to store or process CDI, the provider must meet the FedRAMP Moderate baseline or equivalent. The contractor is also responsible for flowing the clause's obligations down to subcontractors whose performance involves CDI.
Related DFARS clauses
Three additional clauses round out the cybersecurity framework:
- DFARS 252.204-7019 — Notice of NIST SP 800-171 DoD Assessment Requirements. Requires the contractor to have a current NIST 800-171 self-assessment score posted in the Supplier Performance Risk System (SPRS) before contract award.
- DFARS 252.204-7020 — NIST SP 800-171 DoD Assessment Requirements. Formalizes the self-assessment methodology and DoD's right to conduct its own assessments.
- DFARS 252.204-7021 — Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement. The clause that activates CMMC in contracts. A contract containing 7021 requires the relevant CMMC level at the specified phase.
Relationship to CMMC
DFARS 252.204-7012 has required NIST SP 800-171 implementation since 2017. CMMC adds third-party verification. The timeline:
- 2017 — DFARS 7012 takes effect. Contractors self-attest to NIST 800-171 compliance.
- 2020 — DFARS 7019 and 7020 add SPRS scoring and DoD assessment rights.
- 2024 — CMMC Program Rule (32 CFR 170) finalized.
- 2026-11-10 — CMMC Phase 2 begins. Contracts containing DFARS 7021 require C3PAO-issued Level 2 certifications.
The DFARS clauses are the contract mechanism; CMMC is the assessment mechanism. A contractor cannot satisfy DFARS 7012 without implementing the same 110 controls that CMMC Level 2 will verify.
What 252.204-7012 means for OT assets
Many defense manufacturers process CUI on OT assets — G-code with technical drawings, firmware containing export-controlled parameters, test data from classified programs. DFARS 7012 covers those assets with the same 110 controls. Where the asset cannot satisfy a control natively, the CMMC Enduring Exception mechanism and compensating controls apply.
The 72-hour reporting requirement covers OT incidents as well. A ransomware-induced production stop that affects the contractor's ability to perform triggers the same reporting obligation as a data-breach incident on IT systems.
Access Gate connection
Access Gate enforces identity-based access, encryption in transit, and session-level audit on CUI paths — mapping directly to the NIST 800-171 controls that DFARS 252.204-7012 requires. See Defense & Government Contracting.