Source & Authority Information
- Defense Federal Acquisition Regulation Supplement (accessed 2026-01-15)
- Defense Contract Audit Agency (accessed 2026-01-15)
Understanding DFARS Structure
Key DFARS Parts for Contractors
- DFARS Part 204: Administrative requirements including safeguarding covered defense information and cybersecurity requirements (DFARS 252.204-7012)
- DFARS Part 212: Special requirements for commercial item acquisitions by DoD, which apply even when buying commercial products
- DFARS Part 215: DoD-specific requirements for contracting by negotiation, including cost or pricing data thresholds
- DFARS Part 225: Foreign acquisition and domestic preference requirements, including qualifying country provisions
- DFARS Part 227: Intellectual property rights in technical data and computer software, often more restrictive than commercial norms
- DFARS Part 231: DoD contract cost principles and procedures, including compensation limits and allowable costs
- DFARS Part 252: Contract clauses prescribed by DFARS, the source of most specific compliance obligations
Cybersecurity Requirements: DFARS 252.204-7012
CMMC: The Evolving Cybersecurity Framework
- 1. Determine your required CMMC level
Review current and target contracts to understand whether they involve FCI only (Level 1), standard CUI (Level 2), or high-value CUI (Level 3). This determines your compliance obligations.
- 2. Conduct gap assessment
Compare your current security posture against applicable NIST SP 800-171 controls. Identify gaps requiring remediation before certification assessment.
- 3. Develop System Security Plan
Document your CUI boundary, implemented controls, and security architecture. The SSP is foundational documentation for both self-assessment and third-party certification.
- 4. Create Plan of Action and Milestones
For any controls not fully implemented, document specific remediation plans with timelines. POA&Ms show assessors your path to full compliance.
- 5. Implement required controls
Execute your remediation plan to close gaps before assessment. Some controls require significant technical implementation; build adequate time into your schedule.
- 6. Prepare for assessment
Whether self-assessing or engaging a third-party assessor, gather evidence demonstrating control implementation. Prepare staff to explain and demonstrate security practices.
Cost Accounting and Pricing Requirements
Cost Accounting Standards Overview
- CAS applicability: Contractors receiving CAS-covered contracts must follow specific standards for measuring, assigning, and allocating costs. Applicability depends on contract values and contractor characteristics.
- Modified CAS coverage: Smaller contractors may qualify for modified coverage, requiring compliance with only CAS 401 (consistency) and CAS 402 (consistency between cost estimates and accumulation).
- Full CAS coverage: Larger contractors with significant government business must comply with all 19 Cost Accounting Standards, requiring comprehensive cost accounting system changes.
- Disclosure statements: CAS-covered contractors must file disclosure statements describing their cost accounting practices. Changes require advance notice and may trigger cost impacts.
- Adequate accounting systems: DoD requires contractors to maintain accounting systems adequate for accumulating and reporting costs. DCAA audits verify system adequacy.
Technical Data and IP Rights
Foreign Acquisition Restrictions
Key Foreign Acquisition Provisions
- Restricted sources: Certain countries are prohibited sources for defense procurement, with restrictions varying based on item type and contract purpose
- Specialty metals: Required domestic or qualifying country sourcing for metals in defense applications, with limited exceptions
- Qualifying country provisions: Defense trade agreements allow products from partner nations to receive domestic-like treatment
- Berry Amendment: Additional restrictions on food, clothing, textiles, and certain other items requiring domestic sourcing
- Domestic photovoltaic devices: Specific requirements for solar energy products used in defense applications
- Information technology: Restrictions on IT products containing certain foreign components or software