US (FED) - DFARS 252.204-70XX

Name: Defense Federal Acquisition Regulation Supplement (DFARS)

Type: Regulatory (Regulation)

Authoritative Source: Acquisition.gov

Certification Available: Yes. The US Department of Defense (DoD) has the Cybersecurity Maturity Model Certification (CMMC) as the method to certify contractors for compliance purposes.

Too Long / Didn't Read (TL/DR): DFARS cybersecurity clauses, particularly 252.204-7012, -7019, -7020 and -7021, are no longer dormant regulatory obligations. They now represent a current compliance regime, grounded in NIST SP 800-171 and enforced through contractual terms, government assessments and civil litigation.

These DFARS clauses marked the end of unverified self-certification. Defense contractors must now invest in defensible documentation, technical rigor and, where the solicitation requires it, third-party assurance. Organizations that treat these clauses as operational mandates rather than legal formalities will be better positioned to retain contracts, protect national security information and navigate DoD's evolving cybersecurity landscape.

As enforcement continues to expand, the ability to prove compliance at any point in time through validated controls, accurate scoring and robust documentation has become the cornerstone of doing business in the Defense Industrial Base (DIB).

GRC-Focused Overview of DFARS

In response to escalating threats to defense supply chains, the US Department of Defense (DoD) codified a robust cybersecurity framework through a series of Defense Federal Acquisition Regulation Supplement (DFARS) clauses. These clauses are designed to enforce cybersecurity standards on DoD contractors and subcontractors, particularly those who handle Controlled Unclassified Information (CUI).

The five main DFARS clauses, 252.204-7008, 252.204-7012, 252.204-7019, 252.204-7020 and 252.204-7021, collectively establish the cybersecurity baseline for defense suppliers. Together, they impose prescriptive requirements for system security, incident reporting, assessment and certification. From mandatory implementation of NIST SP 800-171 to the Cybersecurity Maturity Model Certification (CMMC) program, these regulations fundamentally alter how defense contractors manage cybersecurity compliance.

This page provides a cybersecurity-focused summary of DFARS from a GRC practitioner's perspective, including:

  • The history of these clauses;
  • The consequences of non-compliance;
  • Practical compliance strategies;
  • High-profile enforcement actions; and
  • The role of high-quality documentation in audit readiness and breach resilience.

DFARS - Origins and Purpose

The DFARS cybersecurity clauses emerged from a decade of rising concern within the DoD over the theft of sensitive defense information. With adversaries exploiting cyber weaknesses in the DIB, the DoD sought to impose enforceable cybersecurity obligations on contractors.

Key milestones include:

  • 2015: DFARS 252.204-7012 is revised to require NIST SP 800-171 for safeguarding CUI and to require rapid cyber incident reporting, with full implementation due by 31 December 2017;
  • 2017–2020: Compliance rests on contractor self-attestation (the -7008 representation), with no scoring mechanism and no routine government verification;
  • 2020: An interim DFARS rule (effective 30 November 2020) introduces DFARS 252.204-7019, -7020 and -7021, requiring NIST SP 800-171 DoD Assessment scores to be posted in the Supplier Performance Risk System (SPRS) and launching CMMC; and
  • 2021–Present: The DoD announces CMMC 2.0 (November 2021), reducing the model to three levels aligned with FAR 52.204-21, NIST SP 800-171 and NIST SP 800-172, and later codifies the program in 32 CFR Part 170.

While each clause serves a distinct purpose, they function collectively to create a structured compliance pathway that links contractual eligibility with cybersecurity maturity.

Summary of Key DFARS Clauses

DFARS 252.204-7008 – Compliance with Safeguarding Covered Defense Information Controls

This clause is a solicitation provision. By submitting an offer, the offeror represents that it will implement the NIST SP 800-171 requirements in effect at the time of the solicitation on any covered contractor information system. An offeror that proposes to vary from a requirement must submit a written explanation to the contracting officer (why the requirement is not applicable, or how an alternative measure provides equivalent protection), which the DoD CIO adjudicates:

  • Binds the offeror to NIST SP 800-171 for every system that will process, store or transmit covered defense information;
  • Does not excuse unimplemented requirements: gaps must be captured in the System Security Plan (SSP) and Plan of Action and Milestones (POA&M) that NIST SP 800-171 itself requires (3.12.4 and 3.12.2), with realistic remediation dates; and
  • Makes the representation part of the offer, so a knowingly false representation carries the same liability as any other false statement to the government.

Key compliance action: Maintain current and accurate SSP and POA&M documentation, plus any approved variance, before submitting an offer.

DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting

The core DFARS cybersecurity clause, -7012 mandates both preventive and responsive controls for handling CUI. Highlights include:

  • Implement the NIST SP 800-171 security requirements on all covered contractor information systems;
  • Rapidly report cyber incidents to DoD within 72 hours of discovery via the DIBNet portal, which requires a DoD-approved medium assurance certificate to submit;
  • Preserve and protect images of all known affected systems and relevant monitoring data for at least 90 days from submission of the report, submit any malicious software to the DoD Cyber Crime Center (DC3) on request and support DoD damage assessments;
  • Flow the clause down, without alteration, to subcontractors whose performance involves covered defense information; and
  • Use only cloud services that meet the FedRAMP Moderate baseline or equivalent when they store, process or transmit covered defense information.

Compliance with -7012 is not optional. It is enforceable under contract law and is often a focal point during audits and investigations.

DFARS 252.204-7019 – Notice of NIST SP 800-171 DoD Assessment Requirements

Clause -7019 formalizes the requirement for contractors to perform and submit cybersecurity assessments to the DoD's Supplier Performance Risk System (SPRS). Requirements include:

  • Have a current NIST SP 800-171 DoD Assessment (Basic, Medium or High) on record in SPRS for every covered system before award;
  • Basic assessments are contractor self-assessments derived from the SSP using the DoD Assessment Methodology; Medium and High assessments are performed by DoD (DCMA's DIBCAC) under -7020;
  • Scores are weighted, not a simple count: a system starts at 110 and each unimplemented requirement deducts 5, 3 or 1 points (with partial credit of 3 points for 3.5.3 and 3.13.11), so the possible range is 110 down to -203, and a system with no SSP cannot be scored at all; and
  • Assessments must be no more than three years old at the time of award, unless the solicitation specifies a shorter period.

SPRS scores are used by contracting officers during source selection and acquisition reviews, creating a direct link between cybersecurity posture and business opportunity.
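The weighting is the part most often done wrong on a spreadsheet: a score is not "110 minus the number of open controls". The following Python, an added example that is not part of this page or of the DoD methodology, implements the scoring rules described above (5/3/1-point deductions, the two partial-credit requirements, the no-SSP edge case and the 88-point floor for a CMMC Level 2 POA&M). The eight-requirement weight table and the SSP status are constructed samples; the weights are believed to match Annex A of the DoD Assessment Methodology but must be verified against it, and a real assessment covers all 110 requirements.

```python
"""Weighted NIST SP 800-171 DoD Assessment scoring (the SPRS "summary score").

Per the DoD Assessment Methodology: start at 110, subtract 5, 3 or 1 points
for every requirement that is not implemented, with partial credit (3 points
deducted instead of 5) for 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto).
The weight table and SSP status below are constructed samples for illustration;
the authoritative per-requirement weights are in Annex A of the methodology.
"""
from enum import Enum

MAX_SCORE = 110          # all 110 requirements implemented
MIN_SCORE = -203         # nothing implemented (the 110 weights sum to 313)
LEVEL2_POAM_FLOOR = 88   # 0.8 x 110: minimum score for a CMMC Level 2 POA&M


class Status(Enum):
    IMPLEMENTED = "implemented"
    NOT_IMPLEMENTED = "not_implemented"
    PARTIAL = "partial"                  # only valid for 3.5.3 and 3.13.11
    NOT_APPLICABLE = "not_applicable"    # only with a DoD CIO-adjudicated variance


# Requirements with a partial-credit rule: points deducted when PARTIAL.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Constructed sample weight table (assumption: believed to match Annex A for
# these eight requirements; verify before relying on it). A real run covers all 110.
SAMPLE_WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.3.2": 3,
    "3.5.3": 5, "3.5.7": 1, "3.8.9": 1, "3.13.11": 5,
}


def score_assessment(weights: dict[str, int], status: dict[str, Status]) -> int:
    """Return the summary score; every requirement in `weights` needs a status."""
    missing = set(weights) ^ set(status)
    if missing:
        raise ValueError(f"weight table and SSP status disagree on: {sorted(missing)}")
    if status.get("3.12.4") is Status.NOT_IMPLEMENTED:
        raise ValueError("no System Security Plan: the methodology does not score the system")
    score = MAX_SCORE
    for control, weight in weights.items():
        if weight not in (1, 3, 5):
            raise ValueError(f"{control}: weights are 5, 3 or 1, got {weight}")
        s = status[control]
        if s in (Status.IMPLEMENTED, Status.NOT_APPLICABLE):
            continue
        if s is Status.PARTIAL:
            if control not in PARTIAL_DEDUCTION:
                raise ValueError(f"{control}: partial credit exists only for 3.5.3 and 3.13.11")
            score -= PARTIAL_DEDUCTION[control]
        else:
            score -= weight
    return score


def level2_poam_threshold_met(score: int) -> bool:
    """True if the score clears the 80% floor below which no Level 2 POA&M is allowed.
    (The rule also restricts which requirements may stay open; see 32 CFR 170.21.)"""
    return score >= LEVEL2_POAM_FLOOR


def sample_status() -> dict[str, Status]:
    """Constructed SSP snapshot: one 5-point gap, two 1-point gaps, two partials."""
    return {
        "3.1.1": Status.IMPLEMENTED,
        "3.1.2": Status.IMPLEMENTED,
        "3.3.1": Status.NOT_IMPLEMENTED,   # no audit logging yet            -5
        "3.3.2": Status.IMPLEMENTED,
        "3.5.3": Status.PARTIAL,           # MFA only for remote/privileged   -3
        "3.5.7": Status.NOT_IMPLEMENTED,   # password complexity              -1
        "3.8.9": Status.NOT_IMPLEMENTED,   # backup confidentiality           -1
        "3.13.11": Status.PARTIAL,         # TLS in use, not FIPS-validated   -3
    }


def sample_score() -> int:
    return score_assessment(SAMPLE_WEIGHTS, sample_status())   # 97


def worst_case_sample_score() -> int:
    """Every sampled requirement open: 110 - 30 = 80, below the Level 2 POA&M floor."""
    nothing = {c: Status.NOT_IMPLEMENTED for c in SAMPLE_WEIGHTS}
    return score_assessment(SAMPLE_WEIGHTS, nothing)            # 80


if __name__ == "__main__":
    s = sample_score()
    print(f"sample score: {s}, Level 2 POA&M floor met: {level2_poam_threshold_met(s)}")
    w = worst_case_sample_score()
    print(f"all sample gaps open: {w}, Level 2 POA&M floor met: {level2_poam_threshold_met(w)}")
```

Two design points matter for a defensible SPRS submission: the function refuses to score when the weight table and the SSP status disagree on which requirements exist (a silent default to "implemented" is exactly the kind of inflation that creates False Claims Act exposure), and PARTIAL is rejected for any requirement other than the two the methodology names.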

DFARS 252.204-7020 – NIST SP 800-171 DoD Assessment Requirements

Clause -7020 mandates that contractors:

  • Provide DoD with access to facilities, systems and personnel so it can conduct Medium or High assessments, including on-site reviews;
  • Ensure that subcontractors that process, store or transmit CUI have a current assessment posted in SPRS before award, and flow -7020 down to them; and
  • Provide documentation (SSPs, POA&Ms, evidence) upon DoD request.

This clause operationalizes enforcement by giving the DoD the access it needs to validate contractor claims. Medium and High assessments are selected by DoD based on program criticality and risk, and a contractor may be prioritized when its SPRS entries look anomalous.

DFARS 252.204-7021 – Cybersecurity Maturity Model Certification (CMMC) Requirements

Clause -7021 codifies the requirement for contractors to meet the CMMC level specified in the solicitation before contract award.

  • CMMC Level 1 aligns with FAR 52.204-21 (basic safeguarding of Federal Contract Information, FCI) and is met by an annual self-assessment;
  • CMMC Level 2 aligns with NIST SP 800-171 and is met either by self-assessment or by certification from a CMMC Third-Party Assessor Organization (C3PAO), depending on what the solicitation specifies; and
  • CMMC Level 3 (for critical programs) adds 24 selected requirements from NIST SP 800-172, requires a current Level 2 certification as a prerequisite and is assessed by DoD (DCMA's DIBCAC) rather than a C3PAO.

At every level, a senior official must affirm continuing compliance annually in SPRS. Where the solicitation requires C3PAO or DoD assessment, the certification must be in place before award and maintained throughout contract performance; it cannot be replaced by self-attestation.

Ramifications of Non-Compliance with DFARS

Failure to comply with DFARS cybersecurity clauses carries serious consequences—both contractual and legal.

  • Loss of Contract Eligibility. Non-compliance with -7008, -7019, or -7021 can render a company ineligible to bid or win DoD contracts. Contracting officers must confirm a current SPRS assessment, and the required CMMC status, before award.
  • Breach of Contract. Failure to meet -7012 obligations (e.g., inadequate safeguarding, delayed incident reporting) can constitute breach of contract, potentially resulting in:
    • Termination for default;
    • Withheld payments; and
    • Suspension or debarment from future contracts.
  • False Claims Act (FCA) Liability. This adds a significant layer of legal risk, particularly for contractors who overstate their cyber maturity to win awards. False attestation of compliance, especially SPRS score inflation or fabricated SSPs, can trigger FCA investigations by the Department of Justice:
    • Penalties can include treble damages and civil penalties per false claim; and
    • Whistleblowers can initiate suits under qui tam provisions.

Public Examples of DFARS Enforcement Actions

While DoD has not widely publicized contract terminations under these clauses, recent legal activity suggests growing enforcement momentum.

Aerojet Rocketdyne (2022) – False Claims Act Settlement

  • Allegation: Misrepresentation of cybersecurity compliance with DFARS -7012 and NIST SP 800-171.
  • Outcome: Settled for $9 million.
  • Precedent: Marked the first known FCA case focused on cybersecurity misrepresentation tied to DoD compliance.

This case confirmed that internal whistleblowers, even without a breach event, can bring FCA claims based on inadequate SSPs and security gaps.

DOJ Civil Cyber-Fraud Initiative (2021 – Present)

  • The Department of Justice has launched a targeted enforcement initiative to pursue government contractors that knowingly fail to meet cybersecurity obligations.
  • Focuses on misrepresentations, failure to report breaches and poor internal controls.
  • Cyber fraud is now treated as contract fraud and the DoD's Inspector General has increased audit referrals.

These developments show that DFARS cybersecurity compliance is no longer a passive or symbolic requirement—it is a measurable legal duty.

Common Methods to Achieve and Maintain DFARS Compliance

DFARS compliance is not achieved with a policy document or one-time assessment—it requires a sustained operational program rooted in NIST SP 800-171.

  • Implement NIST SP 800-171. Contractors must fully implement the 110 controls from NIST SP 800-171. POA&Ms may exist, but must be realistic, resourced and time-bound.
  • Maintain a Current System Security Plan (SSP). DoD assessors scrutinize SSPs for completeness and accuracy. The SSP is the foundational document for DFARS compliance. It must:
    • Describe how each of the 110 controls is implemented;
    • Map controls to responsible roles and evidence sources; and
    • Reflect actual, operational practices (not future intentions).
  • Submit Accurate SPRS Scores. Inflated scores without supporting evidence present legal risk. To satisfy -7019 and -7020:
    • Calculate a Basic Assessment score using the weighted DoD Assessment Methodology (5, 3 or 1 points per open requirement), not a simple count of unmet controls;
    • Enter the score, the assessment date, the scope (the SSP that defines the system boundary) and the date by which all requirements will be implemented into the SPRS portal; and
    • Retain all supporting documentation for review, and update the entry whenever the score or scope changes.
  • Prepare for DoD Assessments. High assessments can last multiple days and require on-site engagement. Contractors selected for Medium or High assessments must:
    • Undergo interviews, technical reviews and evidence-based audits;
    • Provide real-time system access or screenshots; and
    • Remediate deficiencies per DoD timelines.
  • Obtain CMMC Certification (if required). CMMC Level 2 certification is valid for 3 years, but annual affirmation of compliance is still required. To meet -7021, contractors must:
    • Engage a certified C3PAO via the Cyber AB Marketplace (formerly the CMMC-AB);
    • Conduct pre-assessments to validate readiness; and
    • Close POA&M items before the assessment wherever possible. A limited POA&M is permitted at Level 2 only when the score is at least 88 of 110 and the open items are low-weight; the result is a conditional status that must be closed out within 180 days or the certification lapses.

Understanding The Value of Quality Cybersecurity Documentation in DFARS Success

Documentation is not a formality in DFARS compliance; it is the primary evidence used by DoD and legal authorities to assess security posture and contract eligibility. Failure to produce documentation upon request can be interpreted as failure to implement the control.

Key Documents Include:

  • System Security Plan (SSP): Master control document detailing implementation and responsibilities;
  • Plan of Action and Milestones (POA&M): Active remediation tracker;
  • Security Assessment Reports (SAR): Results of internal or external control reviews;
  • Incident Response Logs: Evidence of triage, containment and reporting timelines;
  • Access Control Logs: Proof of access enforcement, termination and review;
  • Configuration and Patch Management Records; and
  • Third-Party Audit Reports or CMMC Assessments.
