Home     |     Steps to Compliance     |     Understanding CMMC

minutes remaining

What is DFARS?

The Federal Acquisition Regulation (FAR) is the primary set of guidelines that regulate all federal agencies’ contracting and acquisition procedures. The Secretary of Defense, Administrator of General Services, and Administrator of NASA have authority to issue and maintain the FAR1. An addendum to the FAR, the Defense Federal Acquisition Regulation Supplement (DFARS) regulates the acquisition of goods and services within the defense industry.

Specifically, DFARS establishes the cybersecurity expectations of the CMMC program for the Department of Defense (DoD). These requirements are designed to protect the integrity of Controlled Unclassified Information (CUI), sensitive government information held in non-government information systems.

Who Does DFARS Apply To?

In short, DFARS applies to every organization in the DoD. DoD federal acquisition officers, also known as contracting officers, are required to follow its requirements. Likewise, defense contractors and subcontractors are also subject to compliance.

CMMC DFARS Documents

The DFARS contains rules and clauses whose announcement are often accompanied by memorandums and guides. Officers will add these clauses into contracts to inform prospective contractors of the procedures they must implement. Below are some of the supplement’s most significant rules relating to CMMC.

DFARS Clause 252.204-7012

Date Published: September 19, 2017

Subject: “Safeguarding Covered Defense Information and Cyber Incident Reporting” — Implementing the Security Requirements of NIST SP 800-171

This rule stated that any contractor that has CUI in their system is required to document and protect that information by following the guidelines in NIST SP 800-171. Self-attestation to NIST compliance was required by the end of December 2017. Published two years before the program, this clause complements CMMC.

DFARS Rule 2019-D041 (DFARS Interim Rule)

Date Published: September 29, 2020

Subject: Assessing Contractor Implementation of Cybersecurity Requirements

Published in tandem with Clause 252.204-7019, Rule 2019-D041, also known as the DFARS Interim Rule, announces the phased implementation plan for the CMMC Framework. It also amends Clause 252.204-7012 to implement the NIST SP 800-171 DoD Assessment Methodology in the acquisition process.

The rule requires contracting officers to take actions prior to awarding a contract on or after November 30, 2020:

  • The contracting officer must verify an offeror has a NIST SP 800-171 DoD Assessment on record in the SPRS system before granting the contract.
  • The contracting officer must verify an offerer has a CMMC certificate at the level required by the solicitation. (CMMC requirements will only apply to certain new contracts until September 30, 2025 when all contracts are expected to contain CMMC certification requirements.)

DFARS Clause 252.204-7019

Date Published: November 2020

Subject: Notice of NIST SP 800-171 DoD Assessment Requirements

The government issued Clause 252.204-7019 in November 2020, which requires contractors to submit a basic assessment score (the number of controls compliant out of 110) into the Supplier Performance Risk System (SPRS) demonstrating their current level of compliance with NIST requirements. Also required is a brief summary of a contractor’s system security plan and the date that all requirements are expected to be implemented.

DFARS Clause 252.204-7020

Date Published: November 2020

Subject: NIST SP 800-171 DoD Assessment Requirements

Published concurrently with Clause 252.204-7019, this clause outlines new regulations for the acquisition process. Contractors must now perform a basic assessment and enter their current compliance score into the Supplier Performance Risk System (SPRS) to be considered for a contract.

For some contractors with an increased risk, a basic assessment may not be sufficient. Because of this, contractors must provide access to its buildings, information systems, and employees so that the DoD can conduct a medium or high assessment, if necessary. These assessments are described in the DoD Assessment Methodology.

DFARS Clause 252.204-7021

Date Published: November 2020

Subject: Cybersecurity Maturity Model Certification Requirements

Clause 252.204-7021 definitively announces the Cybersecurity Maturity Model Certification requirements for future contracts. The clause states that contractors must have a current CMMC certificate at the CMMC level specified by the individual contract. In this case, “current” refers to the required certification renewal every three years. Contractors must maintain certification for the duration of their contract.

In order to comply with DFARS requirements, contractors will need to assess and report their current compliance score and remediate gaps. To get started, request our free self-calculating CMMC 2.0 Level 2 Self-Assessment Tool.


1 https://www.acquisition.gov/sites/default/files/current/far/pdf/FAR.pdf





{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Never Miss a Post

Sign up to be updated with the newest CMMC Insights.

Approx. 2 emails per month. Read our Privacy policy.