DFARS Part 204: Administrative requirements including safeguarding covered defense information and cybersecurity requirements (DFARS 252.204-7012)
DFARS Part 212: Special requirements for commercial item acquisitions by DoD, which apply even when buying commercial products
DFARS Part 215: DoD-specific requirements for contracting by negotiation, including cost or pricing data thresholds
DFARS Part 225: Foreign acquisition and domestic preference requirements, including qualifying country provisions
DFARS Part 227: Intellectual property rights in technical data and computer software, often more restrictive than commercial norms
DFARS Part 231: DoD contract cost principles and procedures, including compensation limits and allowable costs
DFARS Part 252: Contract clauses prescribed by DFARS, the source of most specific compliance obligations
Cybersecurity Requirements: DFARS 252.204-7012
CMMC: The Evolving Cybersecurity Framework
1. Determine your required CMMC level
Review current and target contracts to determine whether they involve only Federal Contract Information (Level 1, the basic safeguarding requirements of FAR 52.204-21), Controlled Unclassified Information (Level 2, the 110 security requirements of NIST SP 800-171), or CUI on the highest-priority programs (Level 3, which adds a subset of the enhanced requirements in NIST SP 800-172). The level sets your compliance obligations and whether a self-assessment, a third-party (C3PAO) assessment, or a government-led assessment is required.
2. Conduct gap assessment
Compare your current security posture against the applicable NIST SP 800-171 requirements, using the assessment objectives in NIST SP 800-171A so that each requirement is judged the way an assessor will judge it. Identify gaps that must be remediated before the certification assessment.
3. Develop System Security Plan
Document your CUI boundary, implemented controls, and security architecture. The SSP is foundational documentation for both self-assessment and third-party certification.
4. Create Plan of Action and Milestones
For any requirements not fully implemented, document specific remediation actions, owners, and target dates. POA&Ms show assessors your path to full compliance, but note that under CMMC not every requirement is POA&M-eligible, and open items must be closed within 180 days of a conditional assessment or the certification lapses.
5. Implement required controls
Execute your remediation plan to close gaps before assessment. Some controls require significant technical implementation; build adequate time into your schedule.
6. Prepare for assessment
Whether self-assessing or engaging a third-party assessor, gather evidence demonstrating control implementation. Prepare staff to explain and demonstrate security practices.
Cost Accounting and Pricing Requirements
Cost Accounting Standards Overview
CAS applicability: Contractors receiving CAS-covered contracts must follow specific standards for measuring, assigning, and allocating costs. Applicability depends on contract values and contractor characteristics.
Modified CAS coverage: Smaller contractors may qualify for modified coverage, which requires compliance with only four standards: CAS 401 (consistency in estimating, accumulating, and reporting costs), CAS 402 (consistency in allocating costs incurred for the same purpose), CAS 405 (accounting for unallowable costs), and CAS 406 (cost accounting period).
Full CAS coverage: Larger contractors with significant government business (for example, a single CAS-covered contract of $50 million or more, or $50 million or more in net CAS-covered awards in the preceding cost accounting period) must comply with all 19 Cost Accounting Standards, which typically requires comprehensive changes to the cost accounting system.
Disclosure statements: CAS-covered contractors must file disclosure statements describing their cost accounting practices. Changes require advance notice and may trigger cost impacts.
Adequate accounting systems: DoD requires contractors to maintain accounting systems adequate for accumulating and reporting costs. DCAA audits verify system adequacy.
Technical Data and IP Rights
Foreign Acquisition Restrictions
Key Foreign Acquisition Provisions
Restricted sources: Certain countries are prohibited sources for defense procurement, with restrictions varying based on item type and contract purpose
Specialty metals: Required domestic or qualifying country sourcing for metals in defense applications, with limited exceptions
Qualifying country provisions: Defense trade agreements allow products from partner nations to receive domestic-like treatment
Berry Amendment: Additional restrictions on food, clothing, textiles, and certain other items requiring domestic sourcing
Domestic photovoltaic devices: Specific requirements for solar energy products used in defense applications
Information technology: Restrictions on IT products containing certain foreign components or software