What Are DFARS Cybersecurity Requirements?
If your company holds a Department of Defense contract or subcontract, you are almost certainly subject to the Defense Federal Acquisition Regulation Supplement, better known as DFARS. The cybersecurity provisions embedded in DFARS are not optional guidance or best-practice suggestions. They are binding contractual obligations. Failure to meet them puts your contracts, your revenue, and your reputation at serious risk.
At the center of these requirements sits DFARS clause 252.204-7012, which mandates that contractors implement adequate security on all covered contractor information systems that process, store, or transmit Covered Defense Information (CDI). CDI is the clause's term for unclassified CUI that is either provided to you by DoD or that you collect, develop, receive, store, or transmit in support of contract performance. Understanding exactly what that means in practice is the first step toward building a defensible compliance program.
Who Must Comply with DFARS Cybersecurity Requirements?
Compliance obligations extend throughout the defense supply chain. Prime contractors must flow down DFARS clause 252.204-7012, without alteration, to every subcontract whose performance will involve covered defense information or operationally critical support. That means a small machine shop, a software developer, or a logistics firm can all fall under the same requirements as a large defense integrator.
The test is whether DFARS 252.204-7012 appears in your contract, not what your company does or how large it is. Look for the clause number itself and for the phrase "adequate security" in relation to covered contractor information systems. When in doubt, review your contract clauses or consult a qualified compliance advisor before assuming you are exempt.
Organizations operating in the federal and defense sector should treat DFARS compliance as a standing obligation, not a one-time checkbox exercise.
The Core DFARS Cybersecurity Requirements You Must Meet
1. Implement NIST SP 800-171 Controls
DFARS 252.204-7012 requires contractors to implement the security requirements in NIST Special Publication 800-171, which defines 110 security requirements (commonly called controls) across 14 families. These requirements address everything from access control and audit logging to incident response and system integrity. Note that DoD currently pins the clause to Revision 2 of SP 800-171 by class deviation, so the 110-requirement, 14-family structure described here is Rev 2, not the restructured 2024 Revision 3.
This is the most technically demanding component of DFARS compliance. The 14 families are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
For a thorough breakdown of each domain, our post on NIST 800-171 security requirements explained is a strong starting point.
2. Protect Controlled Unclassified Information (CUI)
DFARS compliance centers on protecting CUI: information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. CUI is not classified, but it is sensitive. Examples include export-controlled technical data, procurement-sensitive information, and certain law enforcement records.
Contractors must be able to identify where CUI lives across their environment, control who can access it, and document how it is protected. If you are unclear on the distinction between different CUI categories, our resources on Controlled Unclassified Information and CUI Basic provide useful context.
3. Conduct and Submit a NIST SP 800-171 Self-Assessment
Contractors must assess their implementation of the 110 NIST SP 800-171 controls using the NIST SP 800-171 DoD Assessment Methodology and submit the resulting Basic (self-assessment) score to the Supplier Performance Risk System (SPRS). The obligation comes from the companion clauses DFARS 252.204-7019 and 252.204-7020, which also allow DoD to conduct Medium or High assessments itself. Scoring starts at 110 and deducts points for each requirement not implemented, weighted by the methodology at 1, 3, or 5 points per requirement, so the score ranges from -203 (zero controls implemented) to 110 (full compliance). The score must be current, meaning no more than three years old, at the time of award, and DoD contracting officers can view it and use it as a factor in source selection decisions.
A low or inaccurate SPRS score is not just a compliance problem. It is a competitive liability, and a knowingly inflated score is a false statement to the government. Understanding how the SPRS cybersecurity assessment works is essential for any contractor pursuing or renewing DoD work.
4. Develop and Maintain a System Security Plan (SSP)
A System Security Plan documents how your organization implements each of the 110 NIST SP 800-171 controls. It describes your system boundary, the data processed within it, and the specific technical and administrative controls in place. The SSP is the evidentiary backbone of your compliance posture.
Paired with a Plan of Action and Milestones (POA&M), the SSP demonstrates that you are either fully compliant or actively remediating identified gaps. Both documents are non-negotiable for any serious DFARS compliance program. Our post on SSP and POA&M as critical components of a strong security program walks through both in detail.
5. Report Cyber Incidents Within 72 Hours
DFARS 252.204-7012 requires contractors to rapidly report cyber incidents that affect a covered contractor information system or the CDI on it, or that affect the contractor's ability to provide operationally critical support, to DoD within 72 hours of discovery. This is a hard deadline, and the clock starts at discovery, not at the end of your internal investigation: report what you know and supplement the report as the investigation develops. Reports are submitted through the DIBNet portal (https://dibnet.dod.mil), which requires a DoD-approved medium assurance certificate to access; obtain that certificate before you need it, since issuance takes days and the 72-hour window does not wait for it. The report must include a description of the technique or method used, a description of the compromised information, and the other fields the portal requests.
Contractors must also preserve and protect images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days following submission of the report, to support any potential DoD damage assessment, and must submit any malicious software they isolate to the DoD Cyber Crime Center (DC3) rather than to the contracting officer.
6. Use Cloud Services That Meet FedRAMP Moderate Equivalency
If your organization uses an external cloud service provider to process, store, or transmit CDI, that service must meet security requirements equivalent to the FedRAMP Moderate baseline, and the provider must also comply with the clause's incident reporting, malware submission, media preservation, forensic access, and damage assessment obligations in paragraphs (c) through (g). DoD's December 2023 equivalency memorandum tightened the bar: "equivalent" means a body of evidence, assessed by a FedRAMP-recognized 3PAO, showing 100 percent of the Moderate baseline controls, not a vendor self-attestation. This has significant implications for contractors using commercial cloud platforms such as Microsoft 365 or Google Workspace.
Many contractors do not realize that a standard commercial tenant of these platforms does not satisfy the full requirement, particularly where export-controlled (ITAR) CUI also demands US data residency and US-person support staff. Purpose-built government cloud environments, such as Microsoft 365 GCC High, are designed to address this gap. Our analysis of which Microsoft cloud version meets DFARS, NIST, and ITAR security requirements breaks down the options clearly.
7. Flow Down Requirements to Subcontractors
Prime contractors bear responsibility for ensuring their subcontractors who handle CDI also comply with DFARS requirements. Flow-down obligations must be written into subcontracts, and under DFARS 252.204-7020 a prime may not award a subcontract involving CUI to a subcontractor that does not have a current assessment score in SPRS. Subcontractors that report a cyber incident must also pass the incident report number up to the next higher tier. This is an area where prime contractors are frequently exposed. A breach at a subcontractor can trigger liability and investigation at the prime level.
How DFARS Cybersecurity Requirements Connect to CMMC
DFARS 252.204-7012 is the contractual foundation. The Cybersecurity Maturity Model Certification (CMMC) program is the enforcement mechanism being layered on top of it, inserted into contracts through DFARS 252.204-7021. Under CMMC 2.0, most contractors who handle CUI will need a Level 2 certification assessment by a CMMC Third-Party Assessment Organization (C3PAO) to verify their NIST SP 800-171 implementation, rather than relying solely on self-attestation; a subset of CUI contracts may allow a Level 2 self-assessment instead, and the requirement is phased into new solicitations over a multi-year rollout. Both paths also require an annual affirmation of continued compliance by a senior company official, recorded in SPRS.
CMMC Level 2 aligns directly with the 110 controls of NIST SP 800-171 Rev 2, assessed against the objectives in NIST SP 800-171A. If you are building your DFARS compliance program correctly, you are simultaneously building toward CMMC Level 2 certification. Our CMMC, CUI, and DFARS compliance services are designed to address both frameworks as an integrated program rather than separate workstreams.
For a closer look at how the two frameworks compare, see our post on DFARS 252.204-7012 vs. CMMC 2.0.
Common Gaps in DFARS Compliance Programs
After working with dozens of defense contractors across the DIB, the gaps we see most frequently include:
- Incomplete or outdated System Security Plans that do not reflect current system architecture
- SPRS scores based on optimistic self-assessments rather than defensible evidence
- No documented incident response plan capable of meeting the 72-hour reporting requirement
- CUI handled in commercial cloud environments that do not meet FedRAMP Moderate equivalency
- No subcontractor flow-down process, leaving the prime exposed at the supply chain level
- Missing or inadequate multi-factor authentication across covered systems (NIST SP 800-171 3.5.3 requires MFA for local and network access to privileged accounts and for network access to all other accounts; MFA on the VPN alone does not satisfy it)
Each of these gaps can be identified and remediated before a DoD audit or CMMC assessment puts them on the record. A structured federal risk assessment is often the most efficient way to establish your current baseline and prioritize remediation efforts.
Building a Defensible DFARS Compliance Program
Compliance is not a product. It is a program. An effective DFARS cybersecurity compliance program includes four operational components working in concert:
- Documentation: SSP, POA&M, incident response plan, and supporting policies covering all 14 NIST domains
- Technical Controls: Implemented, tested, and maintained security controls that can be demonstrated to an assessor
- Governance: Defined roles, ongoing training, and executive accountability for cybersecurity performance
- Continuous Monitoring: Processes to detect, log, and respond to security events in real time
Organizations that treat these as separate initiatives rather than an integrated program consistently struggle during assessments. A Regulatory vCISO can provide the strategic oversight needed to keep all four components aligned and audit-ready without the cost of a full-time executive hire.
Take Action Before Your Next Contract Award
DFARS cybersecurity requirements are already in your contracts. CMMC enforcement is accelerating. Waiting until a contracting officer asks for your SPRS score or a C3PAO arrives for your assessment is not a compliance strategy. The contractors who protect their position in the defense industrial base are the ones building their programs now, with expert guidance and documented evidence behind every control.
Cleared Systems works exclusively with defense contractors, federal agencies, and regulated organizations to design and implement compliance programs that hold up under scrutiny. If you are ready to understand exactly where you stand and what it will take to get compliant, request a quote or review our engagement models to find the right fit for your organization.
