DFARS Clauses Guide
The 30 most important DFARS clauses for defense contractors — covering cybersecurity, intellectual property, supply chain, small business, and contract administration requirements.
Cybersecurity & CMMC
Clauses governing NIST 800-171 compliance, CMMC certification, and cyber incident reporting.
252.204-7008|Compliance with Safeguarding Covered Defense Information Controls
This solicitation provision requires offerors to represent whether they have implemented NIST SP 800-171 security requirements. Offerors must certify their compliance status and identify any security requirements not yet implemented at the time of proposal submission. This representation becomes a material part of the contract award decision.
252.204-7009|Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
This clause restricts how the government may use or disclose cyber incident information reported by contractors under DFARS 252.204-7012. It protects contractor proprietary information submitted during cyber incident reporting and limits government sharing to authorized purposes only.
252.204-7012|Safeguarding Covered Defense Information and Cyber Incident Reporting
The most important cybersecurity clause in defense contracting. DFARS 252.204-7012 requires contractors to implement all 110 NIST SP 800-171 security controls to protect Covered Defense Information (CDI) and report cyber incidents to the DoD Cyber Crime Center (DC3) within 72 hours. This clause is the foundation for CMMC and applies to virtually all DoD contracts involving CUI.
252.204-7019|Notice of NIST SP 800-171 DoD Assessment Requirements
This clause requires contractors to have a current NIST SP 800-171 assessment on record in the Supplier Performance Risk System (SPRS) before contract award. The assessment uses a 110-point scoring methodology and results must be posted to SPRS and kept current.
252.204-7020|NIST SP 800-171 DoD Assessment Requirements
This clause establishes the three-tier assessment methodology for NIST SP 800-171 compliance: Basic (self-assessment), Medium (government-conducted), and High (government-conducted with on-site validation). Contractors must cooperate with government assessors and provide documentation demonstrating implementation of security controls.
252.204-7021|Cybersecurity Maturity Model Certification Requirements
This clause implements the CMMC program, requiring contractors to achieve a specified CMMC level before contract award. CMMC Level 1 requires basic safeguarding, Level 2 requires NIST 800-171 compliance (assessed by a C3PAO), and Level 3 requires enhanced security controls. The CMMC program is being phased in across DoD contracts starting in 2025.
252.239-7010|Cloud Computing Services
This clause establishes requirements for cloud computing services used in DoD contracts. Cloud service providers must meet FedRAMP authorization requirements and comply with the DoD Cloud Computing Security Requirements Guide (SRG). Data must be stored within the United States unless specifically authorized otherwise.
Intellectual Property & Data Rights
Clauses governing technical data rights, software rights, and IP protections.
252.227-7013|Rights in Technical Data—Noncommercial Items
This clause governs the government's rights in technical data for noncommercial items. The government receives unlimited rights in data developed exclusively at government expense, limited rights in data developed exclusively at private expense, and government purpose rights in data developed with mixed funding. Proper data rights marking is essential to protect contractor IP.
252.227-7014|Rights in Other Than Commercial Computer Software and Other Than Commercial Computer Software Documentation
This clause governs the government's rights in noncommercial computer software and documentation. Similar to 7013 for technical data, it establishes three tiers of rights based on funding source. Contractors retain restricted rights in software developed entirely at private expense, while the government gets unlimited rights in software it funded.
252.227-7015|Technical Data—Commercial Items
This clause provides the government with a license to use technical data for commercial items. The government receives only the rights customarily provided with the commercial item, which is typically a limited license. However, the government has unlimited rights in form, fit, and function data regardless of funding source.
252.227-7017|Identification and Assertion of Use, Release, or Disclosure Restrictions
This clause requires offerors to identify and assert any restrictions on the government's use, release, or disclosure of technical data and software before contract award. The assertions help the government understand what restrictions will apply and negotiate accordingly.
252.227-7018|Rights in Other Than Commercial Technical Data and Computer Software—Small Business Innovation Research Program
This clause provides enhanced data rights protection for SBIR and STTR contractors. Contractors receive a 20-year data rights protection period during which the government has limited rights. After the protection period expires, the government receives unlimited rights unless the contractor has commercialized the technology.
252.227-7019|Validation of Asserted Restrictions—Computer Software
This clause establishes the government's right to challenge contractor assertions of restrictive legends on computer software. If the government believes restrictions are improper, it can initiate a validation process requiring the contractor to justify its assertions within 60 days.
Supply Chain & Buy American
Clauses governing domestic sourcing, counterfeit prevention, and supply chain security.
252.239-7018|Supply Chain Risk
This clause authorizes the government to exclude certain supplies or services from a contract based on supply chain risk assessments. The government may determine that a particular supply chain poses unacceptable risks to national security and require the contractor to use alternative sources.
252.225-7001|Buy American and Balance of Payments Program
This clause implements the Buy American Act for DoD contracts, requiring the use of domestic end products and components unless a qualifying country exception applies. Contractors must certify that end products are domestic (manufactured in the U.S. with more than 55% domestic component cost) or from a qualifying country.
252.225-7002|Qualifying Country Sources as Subcontractors
This clause allows products from qualifying countries (NATO allies and other partner nations with reciprocal procurement agreements) to be treated as domestic products for Buy American Act purposes. It facilitates international defense cooperation while maintaining supply chain requirements.
252.204-7018|Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services
This clause implements Section 889 of the 2019 NDAA, prohibiting the DoD from acquiring telecommunications equipment or services from covered entities including Huawei, ZTE, Hytera, Hikvision, and Dahua. Contractors must report any discovery of covered equipment in their supply chain.
252.211-7003|Item Unique Identification and Valuation
This clause requires unique identification (IUID) marking on delivered items valued over $5,000 or items determined to be mission-essential regardless of value. The unique identifier enables lifecycle tracking of defense articles through the IUID Registry.
252.246-7007|Contractor Counterfeit Electronic Part Detection and Avoidance System
This clause requires contractors to maintain a system for detecting and avoiding counterfeit electronic parts. The system must include risk-based policies, approved supplier lists, GIDEP reporting, and traceability procedures.
252.246-7008|Sources of Electronic Parts
This clause requires contractors to purchase electronic parts from authorized sources (original manufacturers or authorized distributors). When authorized sources are unavailable, contractors must test and inspect parts to verify authenticity.
Small Business
Clauses governing small business subcontracting plans and set-aside requirements.
252.219-7003|Small Business Subcontracting Plan (DoD Contracts)
This clause requires large business prime contractors on DoD contracts over $750,000 to submit a small business subcontracting plan. The plan must establish goals for awarding subcontracts to small, small disadvantaged, women-owned, HUBZone, SDVOSB, and WOSB businesses.
252.219-7004|Small Business Subcontracting Plan (Test Program)
This clause implements the DoD comprehensive subcontracting plan test program. Approved contractors may negotiate a single plan covering all DoD contracts rather than individual plans per contract, reducing administrative burden while maintaining small business goals.
252.219-7011|Notification to Delay Performance
This clause requires small business contractors on set-aside contracts to notify the contracting officer before subcontracting more than 50% of the contract value to non-small businesses. This prevents pass-through arrangements that undermine small business programs.
General Contract Administration
Clauses governing business systems, payments, disclosure, and other administrative requirements.
252.215-7002|Cost Estimating System Requirements
This clause requires contractors with large negotiated DoD contracts to maintain a DCMA-approved cost estimating system. The system must produce consistent, verifiable, and accurate cost estimates. Contractors with deficiencies face payment withholds of up to 10% of interim payments.
252.232-7003|Electronic Submission of Payment Requests and Receiving Reports
This clause requires contractors to submit payment requests and receiving reports electronically through WAWF/iRAPT. Electronic submission replaces paper-based invoicing and accelerates payment processing through DFAS.
252.232-7006|Wide Area WorkFlow Payment Instructions
This clause provides contract-specific payment instructions for WAWF, including the payment office code, document type, and routing information. It complements DFARS 252.232-7003.
252.237-7010|Prohibition on Interrogation of Detainees by Contractor Personnel
This clause prohibits contractor personnel from conducting interrogations of detainees under DoD custody. Contractors may provide support services such as interpretation and analysis, but interrogation is an inherently governmental function.
252.242-7005|Contractor Business Systems
This clause requires contractors to maintain six DCMA-approved business systems: accounting, estimating, EVMS, MMAS, property management, and purchasing. Contractors with deficiencies face payment withholds of up to 5% per deficient system (10% maximum total). This is one of the most impactful DFARS clauses for large defense contractors.
252.247-7023|Transportation of Supplies by Sea
This clause implements the Cargo Preference Act for DoD contracts, requiring the use of U.S.-flag vessels for ocean transportation of supplies. Foreign-flag vessels may be used only when U.S. vessels are unavailable.
252.204-7000|Disclosure of Information
This clause prohibits contractors from publicly disclosing information related to a DoD contract without prior written authorization from the contracting officer. It covers press releases, marketing materials, presentations, and publications.