The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that governs how the Department of Defense (DoD) works with contractors and subcontractors to ensure compliance with strict cybersecurity and acquisition policies. It supplements the broader Federal Acquisition Regulation (FAR) by adding specific rules for protecting sensitive defense-related information.
One key requirement under DFARS is Clause 252.204-7012, which mandates that contractors safeguard Controlled Unclassified Information (CUI) by following security guidelines outlined in NIST SP 800-171. Any cyber incidents that could impact this data must be reported to the DoD.
To strengthen cybersecurity across the defense supply chain, the DoD introduced the Cybersecurity Maturity Model Certification (CMMC). This framework builds on DFARS by requiring contractors to meet specific cybersecurity levels based on the sensitivity of the information that they handle. The CMMC 2.0 update enhances security enforcement by clearly defining required CMMC levels in DoD contracts and ensuring contractors remain compliant for the entire contract period. For defense contractors, meeting DFARS and CMMC requirements is essential for securing DoD contracts and protecting sensitive military data.