Loading...
Practical FAR and DFARS quick reference for defense contractors. Covers the regulatory structure, critical clauses (DFARS 252.204-7012, CMMC 7021, CAS, TINA), flowdown requirements, FY2026 NDAA threshold changes, and small business compliance relief.
Cabrillo Club
Editorial Team · February 25, 2026 · 22 min read
If you are a defense contractor, the Federal Acquisition Regulation and its defense supplement are not background reading -- they are the operating system your business runs on. Every proposal you submit, every contract you perform, every subcontract you issue, and every compliance decision you make traces back to FAR and DFARS. And yet, for something so foundational, the regulatory framework remains remarkably difficult to navigate. The FAR alone spans 53 parts and thousands of clauses. The DFARS adds hundreds more. New rules, interim rules, and class deviations arrive regularly. The FY2026 NDAA just changed multiple thresholds that have been stable for years.
This guide cuts through the complexity. It is designed as a practical quick reference for defense contractors and GovCon professionals who need to understand the structure, key clauses, and compliance obligations of FAR and DFARS without reading 2,000 pages of regulatory text. Whether you are a contracts manager reviewing flowdown requirements, a compliance officer preparing for a DCAA audit, or a small business owner trying to figure out which rules apply to you, this is the resource that puts the critical information in one place.
For a broader look at how regulatory compliance fits into the operational framework of running a defense contracting business, start with our secure operations guide.
---
---
Before diving into specific clauses, it helps to understand how the regulatory framework is organized. The FAR and DFARS are not competing systems -- they are layered, with DFARS building on top of FAR to address defense-specific requirements.
The FAR is the primary set of rules governing how all executive branch agencies procure goods and services. Published as Title 48 of the Code of Federal Regulations (Chapter 1), it is maintained jointly by the Department of Defense, the General Services Administration, and NASA through the FAR Council.
The FAR is organized into 53 parts, grouped into eight subchapters:
| Subchapter | Parts | Coverage |
|---|---|---|
| A: General | 1-4 | Definitions, policies, administrative matters |
| B: Competition | 5-6 | Publicizing contract actions, competition requirements |
| C: Contracting Methods | 7-18 | Acquisition planning, sealed bidding, negotiation, contract types |
| D: Socioeconomic Programs | 19-26 | Small business, labor standards, environment, foreign acquisition |
| E: General Contracting | 27-33 | IP, bonds, taxes, disputes, protests |
| F: Contract Management | 34-51 | Administration, quality, inspection, termination |
| G: Contract Clauses | 52 | All standard solicitation provisions and contract clauses |
| H: Clauses and Forms | 53 | Standard forms |
For defense contractors, the most critical FAR parts are Part 15 (Contracting by Negotiation), Part 16 (Types of Contracts), Part 31 (Contract Cost Principles), Part 42 (Contract Administration), and Part 52 (the clause repository).
The DFARS supplements the FAR with policies and procedures specific to Department of Defense acquisitions. It follows the same numbering structure as the FAR but uses 2xx numbering -- so DFARS Part 215 supplements FAR Part 15, DFARS Part 252 supplements FAR Part 52, and so on.
Think of it this way: the FAR tells every federal contractor how to do business with the government. The DFARS tells defense contractors what additional rules apply when the customer is the DoD. If a DFARS clause conflicts with or adds to a FAR provision, the DFARS requirement takes precedence for DoD contracts.
The DFARS is maintained by the Defense Acquisition Regulations System (DARS) under the Office of the Under Secretary of Defense for Acquisition and Sustainment.
---
No section of the DFARS gets more attention -- or causes more confusion -- than the cybersecurity clauses in the 252.204 series. These clauses form the regulatory backbone of the DoD's effort to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) across the defense industrial base. If your company handles any form of sensitive unclassified DoD information, these clauses apply to you. For a detailed breakdown of the certification process, see our CMMC compliance guide.
DFARS 252.204-7012 is the foundational cybersecurity clause for defense contractors. It is included in virtually every DoD contract except those exclusively for commercial off-the-shelf (COTS) items. Here is what it requires:
Adequate Security. Contractors must provide "adequate security" on all covered contractor information systems -- systems that process, store, or transmit Covered Defense Information. For non-cloud systems, adequate security means implementing all 110 security controls in NIST SP 800-171. For cloud systems, the service must meet FedRAMP Moderate baseline or equivalent. If you are evaluating cloud platforms, our FedRAMP collaboration tools comparison breaks down which tools meet this standard.
Cyber Incident Reporting. Contractors must report any cyber incident that affects a covered contractor information system or the CDI residing on it. Reports must be submitted to the DoD Cyber Crimes Center (DC3) within 72 hours of discovery. This is not optional and it is not negotiable -- the clock starts when you discover the incident, not when you finish investigating it.
Data Preservation. After a cyber incident, contractors must preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days. This data must be made available to DoD upon request to support damage assessment activities.
Subcontractor Flowdown. The clause must be flowed down to all subcontractors whose performance involves CDI or operationally critical support. This includes the requirement to report cyber incidents to both the prime contractor and DC3.
The implications for data sovereignty are significant: any system touching CDI must maintain sovereign control over that data at every layer.
These two clauses historically required contractors to conduct self-assessments of their NIST SP 800-171 implementation, submit scores to the Supplier Performance Risk System (SPRS), and provide government access for higher-level assessments.
Important update for 2026: As the CMMC program has matured, DFARS 252.204-7019 has been deleted and DFARS 252.204-7020 has been renumbered to 252.240-7997. The assessment requirements these clauses addressed are now consolidated under the CMMC framework through clause 7021. However, contractors should be aware that legacy contracts awarded before the transition may still reference these clauses, and existing SPRS scores remain relevant during the phased CMMC rollout.
This is the clause that makes CMMC contractually binding. DFARS 252.204-7021 requires:
The practical impact is that CMMC compliance is no longer optional for defense contractors pursuing new DoD work. If your competitors are certified and you are not, you are ineligible -- full stop.
---
Controlled Unclassified Information marking is an area where many defense contractors stumble. The requirements come from 32 CFR Part 2002, DoD Instruction 5200.48, and the CUI Registry maintained by the National Archives. Understanding what to mark, how to mark it, and who is responsible is essential for maintaining compliance with both DFARS 7012 and CMMC.
CUI is government-created or government-possessed information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies -- but is not classified. For defense contractors, the most common CUI categories include:
CUI markings follow a standardized format defined by the CUI Registry:
The originator of a document is responsible for determining whether it contains CUI and applying appropriate markings. If you receive unmarked information that you believe qualifies as CUI, you must notify the contracting officer within 8 hours. When your organization generates CUI in the course of contract performance -- technical reports, engineering drawings, test data -- the marking obligation falls on you.
This intersects directly with your choice of tools and platforms. If you are managing customer relationships and contract data that includes CUI, your CRM must support CUI handling requirements. Our CUI-safe CRM guide covers what to look for.
---
FAR Part 15 governs how the government awards contracts through competitive and sole-source negotiations. For defense contractors, this is the acquisition method used for most significant contract opportunities, and understanding its mechanics gives you a material advantage in the competitive process.
The government's objective in any FAR Part 15 acquisition is to select the proposal that represents the "best value." This does not necessarily mean the lowest price. The FAR defines two primary evaluation approaches:
Lowest Price Technically Acceptable (LPTA). The government sets minimum technical requirements. Every proposal that meets them is technically acceptable, and the award goes to the lowest-priced acceptable offer. LPTA is most common for commodity services and well-defined requirements.
Best Value Tradeoff. The government evaluates proposals against multiple factors -- technical approach, past performance, management capability, price -- and makes a judgment about which proposal offers the best overall value. A higher-priced proposal can win if its technical advantages justify the premium. The rationale for any tradeoff must be documented in the source selection decision.
For defense contractors competing under best value tradeoffs, your proposal writing strategy matters enormously. Understanding the evaluation criteria and writing directly to them is the difference between winning and placing second.
After initial evaluation, the contracting officer determines the "competitive range" -- the set of proposals that have a reasonable chance of being selected for award. Proposals outside the competitive range are eliminated. The government then conducts discussions (negotiations) with offerors in the competitive range, identifying deficiencies and weaknesses and giving offerors an opportunity to revise their proposals.
This is a critical stage. The questions the government asks during discussions reveal what they care about. Responding effectively requires deep understanding of your technical approach, pricing rationale, and how both align with the evaluation criteria.
The Truth in Negotiations Act (TINA), codified at 10 U.S.C. 3702, requires contractors to submit certified cost or pricing data for negotiated contracts above a threshold amount. This data must be current, accurate, and complete as of the date of agreement on price, and submitting defective data can trigger price adjustments and penalties.
Key threshold change: The FY2026 NDAA (Section 1804(c)) raised the TINA threshold from $2.5 million to $10 million for contracts entered into after June 30, 2026. This is a significant change that will remove the certified cost or pricing data requirement from thousands of contracts annually. However, the $2.5 million threshold continues to apply to contracts entered into on or before June 30, 2026.
Even below the TINA threshold, the government can still require "data other than certified cost or pricing data" -- which means you may need to provide supporting information for your pricing even if formal certification is not required. See FAR 15.403-3 for the details.
---
Understanding contract types is fundamental to defense contracting. The type of contract determines how financial risk is allocated between the government and the contractor, and it directly affects your cost accounting, billing, and compliance obligations. For a detailed breakdown of each type and when they are used, see our guide on federal contract types explained.
Under a firm-fixed-price (FFP) contract, the contractor agrees to deliver a defined product or service for a set price. The contractor absorbs all cost risk -- if your costs exceed the price, you eat the loss. If you deliver under budget, you keep the savings. FFP contracts are used when requirements are well-defined and cost risk is low.
Variants include fixed-price incentive contracts (where savings or overruns are shared with the government under a formula) and fixed-price with economic price adjustment (where the price adjusts based on published indices like labor rates or material costs).
Cost-reimbursement contracts pay the contractor for allowable, allocable, and reasonable costs incurred during performance, up to a ceiling amount, plus a fee. These contracts shift more risk to the government and are used when requirements are uncertain or the work involves significant R&D. Common types include cost-plus-fixed-fee (CPFF), cost-plus-incentive-fee (CPIF), and cost-plus-award-fee (CPAF).
Contractors on cost-reimbursement contracts face heavier compliance burdens: your accounting system must be adequate for accumulating costs, your indirect rates must be established and auditable, and you are subject to DCAA audit scrutiny on every dollar you bill.
T&M and labor-hour contracts pay for direct labor at specified hourly rates (which include overhead and profit) plus materials at cost. These are often used for service contracts where the level of effort is uncertain. The government bears cost risk because total cost depends on hours worked, but the contractor's hourly rates are fixed.
The choice of contract type has cascading effects on your compliance requirements -- particularly around cost accounting, earned value management, and DCAA audit exposure. Understanding these implications before you bid is essential.
---
The Cost Accounting Standards are a set of 19 standards (CAS 401 through CAS 420) that govern how defense contractors measure, assign, and allocate costs to government contracts. Administered by the CAS Board (part of the Office of Federal Procurement Policy), these standards exist to ensure consistency and prevent cost-shifting between government and commercial work.
Not every contract triggers CAS. Coverage depends on the dollar value and the contractor's overall CAS-covered business:
Trigger Contract. A single CAS-covered contract award of $7.5 million or more is the threshold that establishes CAS applicability (unless an exemption applies).
Modified CAS Coverage. Applies to contractor business units that received less than $50 million in net CAS-covered awards in the preceding cost accounting period. Under modified coverage, contractors must comply with CAS 401 (Consistency in Estimating, Accumulating, and Reporting Costs) and CAS 402 (Consistency in Allocating Costs Incurred for the Same Purpose), plus a Disclosure Statement.
Full CAS Coverage. Applies to business units receiving $50 million or more in net CAS-covered awards. Full coverage requires compliance with all 19 applicable CAS standards. Note: The FY2026 NDAA (Section 1806(a)) raised this threshold from $50 million to $100 million, subject to inflation adjustments -- giving many mid-size contractors relief from full CAS compliance.
Several important exemptions exist:
If you are a small business, CAS exemption is one of your most valuable regulatory advantages. Do not take it for granted -- if your company grows past the SBA size standard for your primary NAICS code, you lose this exemption.
For contractors subject to CAS, compliance means three things:
---
FAR Part 31 defines which costs are allowable, allocable, and reasonable on government contracts. If you bill costs to the government -- whether on a cost-reimbursement contract, a T&M contract, or through indirect rate recovery on any contract type -- these principles determine what you can and cannot charge.
Every cost charged to a government contract must pass three tests:
Allowability. The cost must not be expressly unallowable under FAR 31.205. Unallowable costs include entertainment, alcoholic beverages, donations, fines and penalties, lobbying, and certain advertising costs. The list is long and specific -- review FAR 31.205 carefully.
Allocability. The cost must be assignable to the contract based on a causal or beneficial relationship. Direct costs must benefit a specific contract. Indirect costs (overhead, G&A) must be allocated across all benefiting cost objectives using a consistent allocation base.
Reasonableness. A cost is reasonable if it does not exceed what a prudent businessperson would incur in similar circumstances. The government can challenge any cost that appears excessive, even if it is technically allowable and allocable.
Most defense contractors operate with a multi-tier indirect rate structure:
Establishing and maintaining defensible indirect rates is one of the most important financial management tasks for any defense contractor. DCAA auditors will examine your rate structure, allocation bases, and supporting documentation. If you need help understanding how wrap rates work, our federal contract wrap rate calculator provides a practical framework.
---
FAR Part 52 is the repository for all standard contract clauses. There are over 1,900 clauses in the FAR system, but a relatively small number show up in nearly every defense contract. Here are the ones you need to know:
---
Flowdown is the mechanism by which prime contract requirements extend to subcontractors. When a FAR or DFARS clause contains language such as "include this clause in subcontracts" or "include the substance of this clause in all subcontracts," the prime contractor is legally obligated to incorporate that requirement into its subcontracts. Failure to flow down mandatory clauses exposes the prime to liability for subcontractor noncompliance.
A review of the FAR and DFARS reveals approximately 150 clauses with mandatory flowdown language. The most critical categories include:
An important development: DFARS 252.244-7000 now restricts prime contractors from flowing down FAR and DFARS clauses to commercial subcontracts unless the flowdown is specifically required by the clause itself (for DFARS clauses) or the clause is listed at FAR 12.301(d) or FAR 52.212-5(e)(1) (for FAR clauses). This rule, implementing Section 877 of the FY2017 NDAA, is designed to reduce administrative burden on commercial subcontractors and prevent over-flowdown.
The practical impact: you cannot simply attach your entire set of prime contract clauses to a commercial subcontract. You must conduct a clause-by-clause analysis to determine which clauses are mandatory flowdowns for commercial subcontracts. Getting this wrong in either direction -- flowing down too many clauses or too few -- creates risk.
Under FAR 42.202(e)(2), the prime contractor is responsible for managing its subcontracts. This means:
If you are managing a complex supply chain, this oversight responsibility can be substantial. Building compliance verification into your subcontract management process -- rather than treating it as an afterthought -- is the only scalable approach. For firms managing contractor relationships at scale, a CUI-safe CRM system that tracks compliance status alongside business data is worth serious consideration.
---
Small business defense contractors operate under the same FAR and DFARS framework as large businesses, but several important exemptions and special provisions apply. Understanding these can save you significant compliance cost while avoiding the trap of assuming "small business" means "less regulation."
The flip side of compliance obligations is competitive advantage. Small businesses benefit from set-aside programs under FAR Part 19 that reserve certain contracts for competition exclusively among small businesses. Categories include:
These programs are a powerful channel for building past performance and revenue. Understanding how to leverage them effectively is part of the broader strategy for winning federal contracts.
---
Knowing what the rules are is necessary but not sufficient. Defense contractors need a systematic approach to monitoring compliance across the organization. Here is a framework that works for companies of all sizes.
Maintain a living document -- a clause matrix -- that maps every active contract to its applicable FAR and DFARS clauses, the compliance requirements of each clause, and the responsible person or team in your organization. This matrix should be updated whenever you receive a new contract or modification. It sounds basic, but a surprising number of defense contractors cannot answer the question "which clauses apply to this contract?" without digging through the contract file.
Several FAR and DFARS requirements have time-based triggers:
Build these deadlines into a compliance calendar with reminders well before due dates. A missed deadline is a compliance failure, even if you are substantively compliant with the underlying requirement.
Do not wait for DCAA to audit you. Conduct periodic internal reviews of:
Finding problems yourself is always better than having the government find them for you.
---
The FAR (Federal Acquisition Regulation) is the baseline regulation governing all federal procurement. It applies to every executive branch agency. The DFARS (Defense Federal Acquisition Regulation Supplement) is an additional layer of regulation that applies specifically to Department of Defense contracts. DFARS adds defense-specific requirements on top of the FAR -- particularly in areas like cybersecurity (252.204-7012, 7021), cost accounting, and subcontractor management. If you hold a DoD contract, you must comply with both the FAR and the DFARS. For contracts with civilian agencies, only the FAR applies (plus any agency-specific FAR supplement).
Yes. There is no small business exemption for DFARS 252.204-7012. If your contract involves Covered Defense Information, you must implement all 110 NIST SP 800-171 security controls regardless of your company's size. This is one of the most common misconceptions in the defense industrial base. The CAS exemption for small businesses does not extend to cybersecurity requirements. If you are a small business preparing for compliance, our CMMC for small business guide provides a practical roadmap.
Failure to flow down mandatory clauses creates legal risk for the prime contractor. If a subcontractor violates a requirement that should have been flowed down, the prime contractor bears responsibility. In the cybersecurity context, if your subcontractor experiences a data breach involving CDI and you failed to flow down DFARS 7012, you face potential False Claims Act liability, contract termination, and suspension or debarment proceedings. The government takes flowdown seriously -- it is the mechanism that extends regulatory requirements across the entire defense supply chain.
The FY2026 NDAA made two significant threshold changes. First, the TINA threshold for certified cost or pricing data increased from $2.5 million to $10 million for contracts entered into after June 30, 2026. This means far fewer contracts will require contractors to submit certified cost or pricing data. Second, the full CAS coverage threshold increased from $50 million to $100 million in net CAS-covered awards, meaning contractor business units with between $50 million and $100 million in CAS-covered awards move from full to modified CAS coverage. Both changes are designed to reduce administrative burden on contractors while maintaining government oversight where it matters most.
FAR 52.204-21 establishes 15 basic safeguarding requirements for Federal Contract Information (FCI) -- the minimal cybersecurity baseline for all federal contractors. DFARS 252.204-7012 requires the full set of 110 NIST SP 800-171 controls for Covered Defense Information (CDI), which is a higher standard. Think of it as a hierarchy: FAR 52.204-21 is the floor that every federal contractor must meet, and DFARS 7012 is the more comprehensive requirement for contractors handling sensitive defense information. CMMC Level 1 maps to FAR 52.204-21, while CMMC Level 2 maps to the NIST SP 800-171 requirements in DFARS 7012.
The official source for the FAR is acquisition.gov/far. The official source for the DFARS is acquisition.gov/dfars. Both are maintained by the government and are free to access. The Electronic Code of Federal Regulations at ecfr.gov also provides the full text with search capability. For clause-by-clause analysis, the DAU Acquipedia is an excellent supplement that provides plain-language explanations of regulatory provisions.
---
FAR and DFARS compliance is not a one-time project -- it is an ongoing operational discipline. The regulatory landscape will continue to evolve as CMMC matures, TINA and CAS thresholds adjust, and new cybersecurity requirements emerge. But the fundamentals remain constant: understand the rules, build systems to comply with them, verify your compliance regularly, and maintain documentation that proves it.
The defense contractors who thrive are the ones who treat regulatory compliance as a competitive advantage rather than an administrative burden. When your compliance infrastructure is solid, you can pursue opportunities with confidence, respond to audits without panic, and demonstrate to prime contractors and government customers that you are a reliable partner.
Start with the basics: know which clauses apply to your contracts, understand your cybersecurity obligations under DFARS 7012 and CMMC, get your cost accounting right, and build compliance monitoring into your daily operations. From there, the rest follows.
For more on building the operational infrastructure that supports compliance across your organization, explore our secure operations guide. And if you need help navigating DFARS compliance, evaluating your cybersecurity posture, or preparing for CMMC assessment, contact the Cabrillo Club team -- we help defense contractors build the systems, processes, and technology stack that make compliance sustainable.
---
This guide is part of Cabrillo Club's [secure operations](/insights/secure-operations-guide) content hub. For related topics, explore our guides on [CMMC compliance](/insights/cmmc-compliance-guide), [data sovereignty for defense contractors](/insights/data-sovereignty-defense-contractors), [FedRAMP collaboration tools](/insights/fedramp-collaboration-tools-comparison-2026), [federal contract types](/insights/federal-contract-types-explained), and [winning federal contracts](/insights/winning-federal-contracts).
Most operations teams spend their time on tasks that should be automated. Get a 25-minute assessment of your automation potential.
Get Operations Assessment
Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.
