AuditXYZ

Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012)

DFARS cybersecurity requirements mandate protection of Controlled Unclassified Information in the defense supply chain. This guide covers NIST 800-171, CMMC 2.0, and compliance for defense contractors.

Issuing Body: United States Department of Defense (DoD)
First Published: 2013-11-18
Latest Version: 2024 (with CMMC 2.0 transition)
Typical Cost: $50,000–$500,000
Typical Timeline: 6–18 months
Audit Required: Yes
Audit Frequency: CMMC 2.0 requires a Level 2 triennial assessment by a C3PAO for CUI. Level 1 requires an annual self-assessment. Level 3 requires a government-led assessment.
Geography: United States

DFARS: Defense Federal Acquisition Regulation Supplement Guide

The DFARS cybersecurity clause (252.204-7012) requires all defense contractors and subcontractors handling Controlled Unclassified Information (CUI) to implement the 110 security controls specified in NIST SP 800-171. The Cybersecurity Maturity Model Certification (CMMC 2.0) program builds on DFARS by adding third-party assessment requirements, making cybersecurity compliance a verified prerequisite for defense contract awards.

What DFARS/CMMC Covers

DFARS 252.204-7012 requires contractors to implement NIST SP 800-171's 110 controls across 14 families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

CMMC 2.0 defines three levels. Level 1 (Foundational) requires 17 basic safeguarding practices for Federal Contract Information (FCI). Level 2 (Advanced) requires all 110 NIST SP 800-171 controls for CUI. Level 3 (Expert) adds controls from NIST SP 800-172 for the most sensitive programs. Contractors must also report cyber incidents to the DoD within 72 hours.

Who Needs DFARS/CMMC Compliance

All DoD contractors and subcontractors handling FCI or CUI must comply. This includes prime contractors, subcontractors at all tiers, and cloud service providers hosting defense data. The defense industrial base includes over 300,000 companies, many of them small and medium-sized businesses. CMMC 2.0 is being phased into all DoD contracts, making compliance a prerequisite for continuing to do defense business.

Implementation Approach

Conduct a gap assessment against NIST SP 800-171 controls. Develop a System Security Plan (SSP) documenting your control implementation. Create a Plan of Action and Milestones (POA&M) for any gaps. Implement required controls — key areas include multi-factor authentication, encryption of CUI, audit logging, incident response, and access management. For CMMC Level 2, prepare for third-party assessment by a CMMC Third Party Assessment Organization (C3PAO).

Cost Considerations

CMMC Level 1 compliance costs $50,000 to $100,000 including self-assessment preparation. Level 2 compliance ranges from $100,000 to $500,000 including control implementation, managed security services, and C3PAO assessment fees. For small businesses, DoD has acknowledged the cost burden and is exploring mechanisms to support compliance. The cost of non-compliance is loss of eligibility for DoD contracts — an existential risk for companies dependent on defense revenue.
