DFARS: Plain-English Guide

April 15, 2026

If you work with the Department of Defense — directly or through a prime contractor — you have almost certainly encountered the acronym DFARS. And if you are like most contractors, you have also found that the official documentation reads like it was written to be intentionally impenetrable. This DFARS compliance guide cuts through the legal language and answers the questions that actually matter: what is DFARS, who does it apply to, what does it require, and what happens if you are not compliant?

What Is DFARS?

DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a set of regulations that supplements the Federal Acquisition Regulation (FAR) and applies specifically to contractors doing business with the Department of Defense. The cybersecurity component — specifically DFARS clause 252.204-7012 — requires contractors to safeguard Covered Defense Information (CDI) and to report cyber incidents to the DoD within 72 hours. It also requires contractors to provide the DoD with access to systems and data that may have been affected by a cyber incident, and to preserve relevant media for 90 days following the incident.

The cybersecurity standard underlying DFARS 252.204-7012 is NIST SP 800-171 — a framework of 110 security controls covering 14 families of requirements, from access control and incident response to system integrity and configuration management. If your organization is not currently implementing all 110 controls, you have a DFARS compliance gap that needs to be addressed.

Who Does This DFARS Compliance Guide Apply To?

DFARS 252.204-7012 applies to any contractor or subcontractor that processes, stores, or transmits Covered Defense Information on a non-federal information system. The "flow-down" requirement is the part most subcontractors underestimate: if your prime contractor handles CDI and you handle any of it in your work for them, DFARS applies to you too — whether your contract explicitly states it or not. Prime contractors are increasingly aware of their obligation to ensure their supply chain is compliant, which means subcontractors are being asked to demonstrate DFARS compliance as a condition of doing business, not just as a contractual clause.

If your organization provides services or products to the DoD supply chain and handles any sensitive technical, operational, or financial information related to that work, assume DFARS applies until you have confirmed otherwise through a proper contract review.

What DFARS Compliance Requires: Breaking It Down

1. Implement All 110 NIST SP 800-171 Controls

The 110 controls span 14 requirement families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. Each family has multiple specific controls, and all of them apply. There is no "partial credit" under DFARS — either the controls are implemented or they are not.

2. Maintain a System Security Plan (SSP)

Your SSP documents how your organization implements each of the 110 NIST SP 800-171 controls, describes your system boundary, and identifies any controls that are planned but not yet in place (with completion dates). It is a living document that must be updated as your environment changes. Auditors and assessors will request it. It needs to be current, accurate, and complete — a generic template that doesn't reflect your actual environment is worse than no plan at all, because it creates liability.

3. Post an Accurate SPRS Score

Your organization must conduct a self-assessment of your NIST SP 800-171 implementation using the DoD assessment methodology and post the resulting score to the Supplier Performance Risk System (SPRS). The DoD uses this score to evaluate contractor risk when awarding contracts. An inaccurate or falsely inflated score can expose your organization to False Claims Act liability with treble damages — a risk that has resulted in significant settlements and enforcement actions against defense contractors in recent years.

4. Report Cyber Incidents Within 72 Hours

If a cyber incident occurs that affects a system covered by DFARS, you must report it to the DoD via the DIBNet portal within 72 hours of discovery. The clock starts when you discover the incident — not when you finish investigating it, and not when you determine whether it was serious. The obligation to report applies broadly, and organizations that delay notification while they assess the scope of an incident often find themselves in violation of this requirement.

5. Preserve and Provide Access to Media

Following a cyber incident, you must preserve system images and other relevant data for 90 days and provide the DoD access to affected systems and data upon request. This requires having the technical capability to capture and preserve system images in a forensically sound manner — a capability many smaller contractors do not have in place until they need it.

DFARS and CMMC: How They Connect

CMMC was built on top of DFARS. While DFARS 252.204-7012 requires contractors to self-attest compliance with NIST SP 800-171, CMMC adds mandatory third-party verification for higher-risk contracts. If you are already working toward DFARS compliance — implementing the 110 controls, maintaining your SSP, posting an accurate SPRS score — you are building the foundation for CMMC Level 2. The two frameworks are closely aligned, and organizations that approach them as a unified effort rather than separate compliance projects save significant time and resources.

Need Help With Your DFARS Compliance?

OCD Tech helps defense contractors and their subcontractors navigate DFARS compliance — from gap assessments and SSP development to SPRS scoring and CMMC readiness. Contact our team today and get a clear picture of where you stand and what it takes to get compliant.
