DFARS Cybersecurity Requirements Checklist for Prime Contractors and Subcontractors

Why DFARS Cybersecurity Requirements Demand Your Immediate Attention

If your organization holds a Department of Defense contract — or supports one as a subcontractor — DFARS cybersecurity requirements are not optional, theoretical, or something to schedule for next quarter. They are contractual obligations with real consequences: lost awards, termination for cause, and increasingly, False Claims Act exposure for contractors who certify compliance without actually achieving it.

The core obligation flows from DFARS 252.204-7012, the clause that requires contractors to implement adequate security on all covered contractor information systems, report cyber incidents to DoD within 72 hours of discovery, and flow those same requirements down to subcontractors whose performance involves Controlled Unclassified Information. Understanding what this clause demands — in operational terms, not just regulatory language — is the starting point for every compliance program in the Defense Industrial Base.

This checklist is designed for compliance managers and executives at prime contractors and subcontractors who need a clear, actionable picture of where they stand and what they still need to do.

Understanding the Foundation: DFARS 252.204-7012 and NIST SP 800-171

DFARS 252.204-7012 does not contain a long list of specific security controls. Instead, it references NIST SP 800-171 as the security standard that defines "adequate security" for covered contractor information systems. That means your DFARS compliance is inseparable from your NIST SP 800-171 implementation across all 14 control families and 110 security requirements of Revision 2, which is the version the clause still points to (DoD issued a class deviation keeping Revision 2 in effect after NIST published Revision 3 in 2024).

Before working through the checklist below, confirm the following baseline facts about your environment:

  • Your organization processes, stores, or transmits Controlled Unclassified Information on behalf of the DoD.
  • You have identified all covered contractor information systems — including cloud environments, mobile devices, and any system that touches CUI.
  • You understand which of your subcontractors also handle CUI and are therefore subject to flow-down requirements.

If you are unclear on what qualifies as CUI in your environment, our post on Controlled Unclassified Information provides a solid starting reference before you move forward.

DFARS Cybersecurity Requirements Checklist

Use this checklist to assess your current compliance posture. Items are organized by functional area. Each gap identified becomes a line item in your Plan of Action and Milestones.

1. System Security Plan (SSP)

  • A current, written SSP exists for every covered contractor information system.
  • The SSP accurately describes the system boundary, hardware, software, users, and how each NIST SP 800-171 control is implemented.
  • The SSP has been reviewed and updated within the past 12 months.
  • The SSP is accessible to senior leadership and designated personnel, not buried in a shared drive no one reviews.

Your SSP and Plan of Action and Milestones are the two documents a DCMA DIBCAC assessor or a CMMC assessor will want to see first. Review our guidance on SSP and POA&M requirements to ensure both documents hold up under scrutiny.

2. Access Control

  • User access to CUI systems is limited to authorized personnel with a documented need.
  • Privileged user accounts are separated from standard user accounts.
  • Multi-factor authentication is enforced for local and network access to privileged accounts and for network access to non-privileged accounts (NIST SP 800-171 3.5.3).
  • User access is reviewed and recertified at defined intervals.
  • Terminated employee accounts are disabled within a documented timeframe.

3. Incident Response

  • A formal incident response plan exists and has been tested within the past year.
  • The organization can report a cyber incident to DoD through the DIBNet portal within 72 hours of discovery, and the personnel responsible for filing hold the DoD-approved medium assurance certificate the portal requires.
  • Reporting procedures, including submission of any discovered malicious software to the DoD Cyber Crime Center (DC3), are documented and assigned to specific personnel.
  • Images of affected systems and the associated monitoring data are preserved for at least 90 days from the date the incident report is submitted, and procedures for capturing compromise indicators are defined for post-incident analysis.

4. Configuration Management

  • A baseline configuration exists for all systems processing CUI.
  • Changes to system configurations go through a formal change control process.
  • Unnecessary ports, protocols, and services are disabled.
  • Application allowlisting (permit-by-exception) or, at minimum, denylisting of known-unauthorized software is implemented where feasible.

5. Identification and Authentication

  • All users have unique identifiers — no shared accounts on CUI systems.
  • Password policies meet NIST SP 800-171 requirements: minimum complexity, a prohibition on reuse for a specified number of generations, and storage and transmission only in cryptographically protected form.
  • Multi-factor authentication covers all network access, not only VPN sessions; an MFA deployment that stops at the remote-access gateway leaves internal network logons single-factor.

6. Audit and Accountability

  • Audit logs are generated for login events, file access, and administrative actions on covered systems.
  • Log retention meets the minimum period defined in your SSP.
  • Logs are reviewed on a defined schedule and alerts are configured for anomalous activity.
  • Audit log integrity is protected against tampering.

7. Risk Assessment

  • A formal risk assessment has been conducted within the past year.
  • Identified risks are documented and tracked through remediation.
  • Vulnerability scanning is performed regularly and findings are acted upon.
  • Your SPRS score reflects your actual implementation status — not an aspirational self-assessment.

Understanding how your SPRS score is calculated and how contracting officers use it is critical. An inflated or unsupported score now creates significant False Claims Act risk. Review our overview of SPRS cybersecurity assessments if you have not validated your score recently.
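As an added illustration that is not part of the original post, the Python below scores a set of assessment findings the way the NIST SP 800-171 DoD Assessment Methodology does: start at 110, subtract the weight of each requirement that is not implemented, and apply the only two partial-credit rules the methodology allows. The weights table is a constructed subset covering eight requirements, with values assumed from the published methodology; confirm every weight against the current version before using this for a real submission.

```python
"""Worked SPRS score calculation: added example, not from the original post.

The NIST SP 800-171 DoD Assessment Methodology starts every assessment at
110 and subtracts a weight of 5, 3 or 1 for each requirement that is not
implemented. Only two requirements earn partial credit: 3.5.3 (MFA in place
for privileged and remote users but not general users) and 3.13.11
(encryption in use but not FIPS-validated) cost 3 points instead of 5.
Requirements still open on a POA&M are scored as not implemented.
WEIGHTS below is an assumed subset of the methodology's requirement table,
not the full list of 110; confirm values against the published version.
"""

STARTING_SCORE = 110

# Assumed weights for a subset of requirements (illustrative, not all 110).
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.4": 1,    # separate duties of individuals
    "3.1.5": 3,    # least privilege
    "3.5.3": 5,    # multifactor authentication
    "3.5.7": 1,    # minimum password complexity
    "3.5.8": 1,    # prohibit password reuse
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
}
# Reduced deduction when the requirement is partially met.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUSES = {"implemented", "partial", "not_implemented", "poam"}


def sprs_score(findings):
    """Return (score, deductions) for a mapping of requirement id -> status.

    Every requirement in WEIGHTS must be present: an assessment that skips a
    requirement cannot produce a valid score. `deductions` lists each point
    loss as (requirement, points, reason) so the final number is auditable.
    """
    missing = sorted(set(WEIGHTS) - set(findings))
    if missing:
        raise ValueError(f"unscored requirements: {missing}")
    unknown = sorted(set(findings) - set(WEIGHTS))
    if unknown:
        raise ValueError(f"unknown requirements: {unknown}")

    score = STARTING_SCORE
    deductions = []
    for req, status in sorted(findings.items()):
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: bad status {status!r}")
        if status == "implemented":
            continue
        weight = WEIGHTS[req]
        if status == "partial" and req in PARTIAL_CREDIT:
            points, reason = PARTIAL_CREDIT[req], "partial credit"
        elif status == "partial":
            # No partial credit exists for any other requirement: full deduction.
            points, reason = weight, "partial counts as not implemented"
        elif status == "poam":
            points, reason = weight, "open POA&M item scores as not implemented"
        else:
            points, reason = weight, "not implemented"
        score -= points
        deductions.append((req, points, reason))
    return score, deductions


# Constructed sample assessment (not real data).
SAMPLE_FINDINGS = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.4": "poam",               # -1
    "3.1.5": "partial",            # -3, no partial credit for least privilege
    "3.5.3": "partial",            # -3 instead of -5
    "3.5.7": "implemented",
    "3.5.8": "not_implemented",    # -1
    "3.13.11": "not_implemented",  # -5
}

if __name__ == "__main__":
    total, losses = sprs_score(SAMPLE_FINDINGS)
    for req, pts, why in losses:
        print(f"{req:8} -{pts}  {why}")
    print(f"score: {total}")
```

Fed the honest status of all 110 requirements, the returned score is the number that belongs in SPRS, and the deductions list is exactly what an assessor will ask you to justify line by line. Note that marking 3.1.5 "partial" still costs the full 3 points: outside MFA and FIPS cryptography the methodology has no partial credit, which is a common source of inflated self-scores.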

8. Media Protection

  • Removable media containing CUI is encrypted and controlled.
  • Policies exist for the sanitization and disposal of media containing CUI.
  • Portable devices with access to CUI are tracked and subject to remote wipe capability.

9. Physical Protection

  • Physical access to systems processing CUI is restricted to authorized personnel.
  • Visitor access controls are enforced in areas where CUI is accessible.
  • Physical security incidents are logged and reviewed.

10. Subcontractor Flow-Down Requirements

  • All subcontracts that involve CUI include DFARS 252.204-7012 flow-down language.
  • Subcontractors have been notified of their obligations and have confirmed awareness in writing.
  • Your organization has a process for assessing subcontractor cybersecurity posture — not simply relying on their self-attestation.
  • Subcontractor compliance status is reviewed at defined intervals and upon contract renewal.

Flow-down compliance is one of the most consistently overlooked areas for prime contractors. If a subcontractor suffers a breach involving CUI your company provided, your organization carries significant exposure. Our CMMC, CUI & DFARS compliance services include supply chain compliance support for primes managing complex subcontractor networks.

The Relationship Between DFARS and CMMC 2.0

DFARS 252.204-7012 has required full NIST SP 800-171 implementation since December 31, 2017. CMMC 2.0 layers on top of that foundation by adding independent verification: an assessment by a certified third-party assessment organization (C3PAO) for most Level 2 contracts, and a government assessment by DIBCAC for Level 3. If your contracts include CMMC requirements, satisfying DFARS is a prerequisite — not an alternative. The two frameworks share the NIST SP 800-171 control baseline, but CMMC adds the formal assessment process and certification requirement that DFARS alone did not mandate.

For a detailed look at how these two regulatory frameworks interact, our post on DFARS 252.204-7012 vs. CMMC 2.0 walks through the overlaps and distinctions compliance teams need to understand before their next contract award or renewal.

Common Gaps We See in Practice

After working with dozens of defense contractors, the gaps we encounter most frequently include outdated or incomplete SSPs that no longer match actual system configurations, SPRS scores submitted years ago that have never been updated to reflect current implementation, and subcontractor flow-down processes that exist on paper but are not actually enforced. Incident response plans are another consistent weak point: many organizations have a document, but the personnel named in it have changed and the plan has never been tested.

These are not small administrative oversights. They are the gaps that draw scrutiny during DIBCAC assessments, CMMC assessments, and increasingly, DoJ investigations under the Civil Cyber-Fraud Initiative.

Next Steps for Compliance Managers

If this checklist has surfaced gaps in your program, the priority actions are straightforward: update your SSP to reflect current reality, recalculate your SPRS score honestly, remediate the highest-risk gaps first, and confirm your subcontractors have taken their obligations seriously. If you need structured support for any of those steps, our federal risk assessment services provide the independent evaluation that gives your program a defensible foundation.

For organizations managing DFARS compliance across multiple contracts, entities, or business units, a Regulatory vCISO engagement can provide the ongoing oversight and expertise your compliance program needs without the cost of a full-time hire.

Ready to close your DFARS cybersecurity gaps before your next contract award or DoD assessment? Request a quote from Cleared Systems and let our team build a practical remediation plan tailored to your organization's size, contract scope, and timeline.
