Cybersecurity Risk Management

Cybersecurity risk management is an ongoing and dynamic process, constantly adapting to shifts in national priorities, economic conditions, and organizational landscapes. It evolves in response to geopolitical developments, societal trends, and changes in strategy, operations, and financial performance. In today’s climate of heightened uncertainty, cyber threats have grown more sophisticated, closely mirroring broader national and economic challenges. These threats increasingly target Critical National Infrastructure, competitive advantages, and both national and economic security.

To mitigate these risks, several nation-states have implemented cybersecurity regulations aimed at protecting national interests. In the United States, the Department of War has played a key role in regulating cybersecurity within the Defense Industrial Base (DIB) since 2017, with a focus on securing sensitive defense-related intellectual property.

US Department of War Procurement Cyber Regulation (DFARS)

DFARS 252.204-7012 (“DFARS 7012”): In 2017, the US Department of Defense (now known as the US Department of War) introduced cybersecurity requirements for suppliers of weapon systems through the Defense Federal Acquisition Regulation Supplement (DFARS), specifically DFARS 252.204-7012. DFARS 252.204-7012 requires covered defense contractors to provide adequate security on all covered contractor information systems that process, store, or transmit covered defense information, as described in the Controlled Unclassified Information (CUI) register.

DFARS 252.204-7012 flows down from the contractor to the subcontractor. The adequate security requirements are set out in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (using the version in effect at the time of contract award). Compliance is evaluated through contractor self-attestation.

US DOW: DFARS 252.204-7012

DFARS clause 252.204-7019 (“DFARS 7019”), Notice of NIST SP 800-171 DoD Assessment Requirements, was introduced in 2020 by the DoD. Contractors and subcontractors must submit a Basic NIST SP 800-171 DoD Assessment score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.

DFARS clause 252.204-7020 (“DFARS 7020”), NIST SP 800-171 DoD Assessment Requirements, was introduced in 2020 by the DoD. It requires contractors to provide access to the facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.

US DOW: DFARS 252.204-7019
US DOW: DFARS 252.204-7020

DFARS 252.204-7021 (“DFARS 7021”), known as Cybersecurity Maturity Model Certification (CMMC): CMMC was introduced in November 2025 by the Department of War to address failures in DIB compliance with DFARS 252.204-7012, covering the protection of Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) and cyber incident reporting. DFARS 7021 strengthens DFARS 7012 and the minimum security requirements set out in NIST SP 800-171. DFARS 252.204-7021 flows down from contractors to subcontractors.

The DoW sets a CMMC Level 1, 2, or 3 compliance requirement based on the weapon system. DFARS 7021 requires covered contractors to have a certificate of CMMC compliance registered in the DoW Supplier Performance Risk System (SPRS) at the time of contract award. Without a certificate of compliance, a contractor or subcontractor cannot be awarded a contract.

US DOW: DFARS 252.204-7021

NIST SP 800-171 (“NIST 171”), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: NIST SP 800-171 is the cybersecurity standard for the protection of Controlled Unclassified Information (CUI) held by federal contractors. Its latest revision, introduced in 2020 by the DoD, defines the 110 cybersecurity controls. Contractors and subcontractors must submit a NIST SP 800-171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.

NIST SP 800-171A (“NIST 171A”), Assessing Security Requirements for Controlled Unclassified Information: Provides the assessment procedures used to verify compliance with NIST SP 800-171. NIST SP 800-171A is the authoritative source of those assessment procedures.

NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information