FAR and DFARS for Defense Contractors: The Essential Compliance Quick Reference
If you are a defense contractor, the Federal Acquisition Regulation and its defense supplement are not background reading -- they are the operating system your business runs on. Every proposal you submit, every contract you perform, every subcontract you issue, and every compliance decision you make traces back to FAR and DFARS. And yet, for something so foundational, the regulatory framework remains remarkably difficult to navigate. The FAR alone spans 53 parts and thousands of clauses. The DFARS adds hundreds more. New rules, interim rules, and class deviations arrive regularly. The FY2026 NDAA just changed multiple thresholds that have been stable for years.
This guide cuts through the complexity. It is designed as a practical quick reference for defense contractors and GovCon professionals who need to understand the structure, key clauses, and compliance obligations of FAR and DFARS without reading 2,000 pages of regulatory text. Whether you are a contracts manager reviewing flowdown requirements, a compliance officer preparing for a DCAA audit, or a small business owner trying to figure out which rules apply to you, this is the resource that puts the critical information in one place.
For a broader look at how regulatory compliance fits into the operational framework of running a defense contracting business, start with our secure operations guide.
---
Understanding the Regulatory Structure: FAR vs. DFARS
Before diving into specific clauses, it helps to understand how the regulatory framework is organized. The FAR and DFARS are not competing systems -- they are layered, with DFARS building on top of FAR to address defense-specific requirements.
The Federal Acquisition Regulation (FAR)
The FAR is the primary set of rules governing how all executive branch agencies procure goods and services. Published as Title 48 of the Code of Federal Regulations (Chapter 1), it is maintained jointly by the Department of Defense, the General Services Administration, and NASA through the FAR Council.
The FAR is organized into 53 parts, grouped into eight subchapters:
| Subchapter | Parts | Coverage |
|---|---|---|
| A: General | 1-4 | Definitions, policies, administrative matters |
| B: Competition | 5-6 | Publicizing contract actions, competition requirements |
| C: Contracting Methods | 7-18 | Acquisition planning, sealed bidding, negotiation, contract types |
| D: Socioeconomic Programs | 19-26 | Small business, labor standards, environment, foreign acquisition |
| E: General Contracting | 27-33 | IP, bonds, taxes, disputes, protests |
| F: Contract Management | 34-51 | Administration, quality, inspection, termination |
| G: Contract Clauses | 52 | All standard solicitation provisions and contract clauses |
| H: Clauses and Forms | 53 | Standard forms |
For defense contractors, the most critical FAR parts are Part 15 (Contracting by Negotiation), Part 16 (Types of Contracts), Part 31 (Contract Cost Principles), Part 42 (Contract Administration), and Part 52 (the clause repository).
The Defense Federal Acquisition Regulation Supplement (DFARS)
The DFARS supplements the FAR with policies and procedures specific to Department of Defense acquisitions. It follows the same numbering structure as the FAR but uses 2xx numbering -- so DFARS Part 215 supplements FAR Part 15, DFARS Part 252 supplements FAR Part 52, and so on.
Think of it this way: the FAR tells every federal contractor how to do business with the government. The DFARS tells defense contractors what additional rules apply when the customer is the DoD. If a DFARS clause conflicts with or adds to a FAR provision, the DFARS requirement takes precedence for DoD contracts.
The DFARS is maintained by the Defense Acquisition Regulations System (DARS) under the Office of the Under Secretary of Defense for Acquisition and Sustainment.
---
The DFARS Cybersecurity Clauses: 7012, 7019, 7020, and 7021
No section of the DFARS gets more attention -- or causes more confusion -- than the cybersecurity clauses in the 252.204 series. These clauses form the regulatory backbone of the DoD's effort to protect Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) across the defense industrial base. If your company handles any form of sensitive unclassified DoD information, these clauses apply to you. For a detailed breakdown of the certification process, see our CMMC compliance guide.
DFARS 252.204-7012 is the foundational cybersecurity clause for defense contractors. It is included in virtually every DoD contract except those exclusively for commercial off-the-shelf (COTS) items. Here is what it requires:
Adequate Security. Contractors must provide "adequate security" on all covered contractor information systems -- systems that process, store, or transmit Covered Defense Information. For non-cloud systems, adequate security means implementing all 110 security controls in NIST SP 800-171. For cloud systems, the service must meet FedRAMP Moderate baseline or equivalent. If you are evaluating cloud platforms, our FedRAMP collaboration tools comparison breaks down which tools meet this standard.
Cyber Incident Reporting. Contractors must report any cyber incident that affects a covered contractor information system or the CDI residing on it. Reports must be submitted to the DoD Cyber Crimes Center (DC3) within 72 hours of discovery. This is not optional and it is not negotiable -- the clock starts when you discover the incident, not when you finish investigating it.
Data Preservation. After a cyber incident, contractors must preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least 90 days. This data must be made available to DoD upon request to support damage assessment activities.
Subcontractor Flowdown. The clause must be flowed down to all subcontractors whose performance involves CDI or operationally critical support. This includes the requirement to report cyber incidents to both the prime contractor and DC3.
The implications for data sovereignty are significant: any system touching CDI must maintain sovereign control over that data at every layer.
DFARS 252.204-7019 and 7020: The Transition
These two clauses historically required contractors to conduct self-assessments of their NIST SP 800-171 implementation, submit scores to the Supplier Performance Risk System (SPRS), and provide government access for higher-level assessments.
Important update for 2026: As the CMMC program has matured, DFARS 252.204-7019 has been deleted and DFARS 252.204-7020 has been renumbered to 252.240-7997. The assessment requirements these clauses addressed are now consolidated under the CMMC framework through clause 7021. However, contractors should be aware that legacy contracts awarded before the transition may still reference these clauses, and existing SPRS scores remain relevant during the phased CMMC rollout.
DFARS 252.204-7021: CMMC Requirements
This is the clause that makes CMMC contractually binding. DFARS 252.204-7021 requires:
- Certification before award. The contractor must hold the appropriate CMMC level at the time of contract award and maintain it for the duration of the contract.
- Three CMMC levels. Level 1 (self-assessment against 15 basic safeguarding controls from FAR 52.204-21) for Federal Contract Information. Level 2 (third-party assessment against 110 NIST SP 800-171 controls) for CUI. Level 3 (government-led assessment against NIST SP 800-172 enhanced controls) for the most sensitive programs.
- Subcontractor compliance. The clause must be flowed down. Subcontractors must hold the CMMC level appropriate to the information they will handle.
- Phased rollout. DoD is implementing CMMC requirements in phases, with inclusion in solicitations expanding over time. The current phase and timeline details are tracked in our CMMC timeline guide.
The practical impact is that CMMC compliance is no longer optional for defense contractors pursuing new DoD work. If your competitors are certified and you are not, you are ineligible -- full stop.
---
CUI Marking and Handling Requirements
Controlled Unclassified Information marking is an area where many defense contractors stumble. The requirements come from 32 CFR Part 2002, DoD Instruction 5200.48, and the CUI Registry maintained by the National Archives. Understanding what to mark, how to mark it, and who is responsible is essential for maintaining compliance with both DFARS 7012 and CMMC.
What Qualifies as CUI
CUI is government-created or government-possessed information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies -- but is not classified. For defense contractors, the most common CUI categories include:
- Controlled Technical Information (CTI): Technical data with military or space application subject to distribution controls
- Export-Controlled Information: Technical data or technology controlled under ITAR or EAR
- Critical Infrastructure Security Information: Information about vulnerabilities in defense infrastructure
- Proprietary Business Information: Cost data, trade secrets, and financial information submitted to the government
- Privacy Information: PII collected or maintained for the government
Marking Standards
CUI markings follow a standardized format defined by the CUI Registry:
- Banner marking: "CUI" or "CONTROLLED" at the top and bottom of every page
- Category marking: Specify the CUI category (e.g., "CUI//SP-CTI" for Specified Controlled Technical Information)
- Dissemination controls: Identify any dissemination limitations (e.g., "CUI//NOFORN" for no foreign dissemination, "CUI//FEDCON" for federal contract information only)
- Portion marking: While not universally required, portion marking individual paragraphs with "(CUI)" is encouraged for documents containing a mix of CUI and non-CUI content
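The banner format above is compact enough to check mechanically, and a validator is a useful control when documents are generated by tooling rather than by hand. The following is an added example, not code from the original page: it parses a banner line into control marking, categories and dissemination controls, and rejects the ordering and mixing mistakes seen in practice. The grammar it assumes is constructed from the page's own examples (control marking, then an optional category segment, then an optional dissemination segment, separated by "//", with "/" between elements); the category and dissemination vocabularies are a small constructed subset and not the full CUI Registry, and `format_banner` is a hypothetical helper for the reverse direction.

```python
from dataclasses import dataclass, field

CONTROL_MARKINGS = {"CUI", "CONTROLLED"}
# Constructed subset of CUI category abbreviations; the CUI Registry defines many more.
KNOWN_CATEGORIES = {"CTI", "EXPT", "PROPIN", "PRVCY"}
# Constructed subset of limited dissemination control markings.
KNOWN_DISSEM = {"NOFORN", "FEDCON", "FED ONLY", "NOCON"}


@dataclass
class BannerMarking:
    control: str = ""
    categories: list = field(default_factory=list)
    specified: bool = False          # True when any category carries the SP- prefix
    dissemination: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def _classify(element: str) -> str:
    """Return 'category', 'dissem' or 'unknown' for one slash-separated element."""
    if element in KNOWN_DISSEM:
        return "dissem"
    base = element[3:] if element.startswith("SP-") else element
    if base in KNOWN_CATEGORIES:
        return "category"
    return "unknown"


def parse_banner(text: str) -> BannerMarking:
    """Parse a banner such as 'CUI//SP-CTI//NOFORN' into its parts.

    Segments are separated by '//': control marking, then an optional
    category segment, then an optional dissemination segment, in that order.
    Elements inside a segment are separated by '/'. Every violation is
    recorded in .errors rather than raising, so a caller can report all of them.
    """
    result = BannerMarking()
    segments = [s.strip() for s in text.strip().split("//")]
    result.control = segments[0]
    if result.control not in CONTROL_MARKINGS:
        result.errors.append(f"unknown control marking {result.control!r}")

    seen = []  # segment kinds encountered so far, used to enforce ordering
    for seg in segments[1:]:
        elements = [e.strip() for e in seg.split("/")]
        if any(not e for e in elements):
            result.errors.append(f"empty element in segment {seg!r}")
            continue
        kinds = {_classify(e) for e in elements}
        if "unknown" in kinds:
            bad = [e for e in elements if _classify(e) == "unknown"]
            result.errors.append(f"unrecognized marking(s) {bad}")
            continue
        if len(kinds) != 1:
            result.errors.append(f"categories and dissemination controls mixed in {seg!r}")
            continue
        kind = kinds.pop()
        if kind in seen:
            result.errors.append(f"duplicate {kind} segment {seg!r}")
            continue
        if kind == "category" and "dissem" in seen:
            result.errors.append("category segment must precede dissemination controls")
            continue
        seen.append(kind)
        if kind == "category":
            result.categories = elements
            result.specified = any(e.startswith("SP-") for e in elements)
        else:
            result.dissemination = elements
    return result


def format_banner(categories, dissemination=(), control="CUI") -> str:
    """Build a banner line from its parts (the inverse of parse_banner)."""
    parts = [control]
    if categories:
        parts.append("/".join(categories))
    if dissemination:
        parts.append("/".join(dissemination))
    return "//".join(parts)


if __name__ == "__main__":
    # Constructed sample banners: the first three are the page's own examples.
    for line in ["CUI//SP-CTI", "CUI//NOFORN", "CUI//FEDCON", "CUI//NOFORN//SP-CTI"]:
        m = parse_banner(line)
        print(f"{line:24} valid={m.valid} categories={m.categories} "
              f"dissem={m.dissemination} errors={m.errors}")
```

Running the block prints one line per sample banner; the last sample is rejected because its dissemination control precedes the category. Because the vocabularies are sets, extending the validator to the categories your contracts actually use is a matter of adding the abbreviations from the CUI Registry.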
Contractor Responsibilities
The originator of a document is responsible for determining whether it contains CUI and applying appropriate markings. If you receive unmarked information that you believe qualifies as CUI, you must notify the contracting officer within 8 hours. When your organization generates CUI in the course of contract performance -- technical reports, engineering drawings, test data -- the marking obligation falls on you.
This intersects directly with your choice of tools and platforms. If you are managing customer relationships and contract data that includes CUI, your CRM must support CUI handling requirements. Our CUI-safe CRM guide covers what to look for.
---
FAR Part 15: Contracting by Negotiation
FAR Part 15 governs how the government awards contracts through competitive and sole-source negotiations. For defense contractors, this is the acquisition method used for most significant contract opportunities, and understanding its mechanics gives you a material advantage in the competitive process.
Source Selection and Best Value
The government's objective in any FAR Part 15 acquisition is to select the proposal that represents the "best value." This does not necessarily mean the lowest price. The FAR defines two primary evaluation approaches:
Lowest Price Technically Acceptable (LPTA). The government sets minimum technical requirements. Every proposal that meets them is technically acceptable, and the award goes to the lowest-priced acceptable offer. LPTA is most common for commodity services and well-defined requirements.
Best Value Tradeoff. The government evaluates proposals against multiple factors -- technical approach, past performance, management capability, price -- and makes a judgment about which proposal offers the best overall value. A higher-priced proposal can win if its technical advantages justify the premium. The rationale for any tradeoff must be documented in the source selection decision.
For defense contractors competing under best value tradeoffs, your proposal writing strategy matters enormously. Understanding the evaluation criteria and writing directly to them is the difference between winning and placing second.
Competitive Range and Discussions
After initial evaluation, the contracting officer determines the "competitive range" -- the set of proposals that have a reasonable chance of being selected for award. Proposals outside the competitive range are eliminated. The government then conducts discussions (negotiations) with offerors in the competitive range, identifying deficiencies and weaknesses and giving offerors an opportunity to revise their proposals.
This is a critical stage. The questions the government asks during discussions reveal what they care about. Responding effectively requires deep understanding of your technical approach, pricing rationale, and how both align with the evaluation criteria.
Cost or Pricing Data and TINA
The Truth in Negotiations Act (TINA), codified at 10 U.S.C. 3702, requires contractors to submit certified cost or pricing data for negotiated contracts above a threshold amount. This data must be current, accurate, and complete as of the date of agreement on price, and submitting defective data can trigger price adjustments and penalties.
Key threshold change: The FY2026 NDAA (Section 1804(c)) raised the TINA threshold from $2.5 million to $10 million for contracts entered into after June 30, 2026. This is a significant change that will remove the certified cost or pricing data requirement from thousands of contracts annually. However, the $2.5 million threshold continues to apply to contracts entered into on or before June 30, 2026.
Even below the TINA threshold, the government can still require "data other than certified cost or pricing data" -- which means you may need to provide supporting information for your pricing even if formal certification is not required. See FAR 15.403-3 for the details.
---
FAR Part 16: Contract Types and Their Implications
Understanding contract types is fundamental to defense contracting. The type of contract determines how financial risk is allocated between the government and the contractor, and it directly affects your cost accounting, billing, and compliance obligations. For a detailed breakdown of each type and when they are used, see our guide on federal contract types explained.
Fixed-Price Contracts (FAR 16.2)
Under a firm-fixed-price (FFP) contract, the contractor agrees to deliver a defined product or service for a set price. The contractor absorbs all cost risk -- if your costs exceed the price, you eat the loss. If you deliver under budget, you keep the savings. FFP contracts are used when requirements are well-defined and cost risk is low.
Variants include fixed-price incentive contracts (where savings or overruns are shared with the government under a formula) and fixed-price with economic price adjustment (where the price adjusts based on published indices like labor rates or material costs).
Cost-Reimbursement Contracts (FAR 16.3)
Cost-reimbursement contracts pay the contractor for allowable, allocable, and reasonable costs incurred during performance, up to a ceiling amount, plus a fee. These contracts shift more risk to the government and are used when requirements are uncertain or the work involves significant R&D. Common types include cost-plus-fixed-fee (CPFF), cost-plus-incentive-fee (CPIF), and cost-plus-award-fee (CPAF).
Contractors on cost-reimbursement contracts face heavier compliance burdens: your accounting system must be adequate for accumulating costs, your indirect rates must be established and auditable, and you are subject to DCAA audit scrutiny on every dollar you bill.
Time-and-Materials and Labor-Hour Contracts (FAR 16.6)
T&M and labor-hour contracts pay for direct labor at specified hourly rates (which include overhead and profit) plus materials at cost. These are often used for service contracts where the level of effort is uncertain. The government bears cost risk because total cost depends on hours worked, but the contractor's hourly rates are fixed.
The choice of contract type has cascading effects on your compliance requirements -- particularly around cost accounting, earned value management, and DCAA audit exposure. Understanding these implications before you bid is essential.
---
Cost Accounting Standards (CAS)
The Cost Accounting Standards are a set of 19 standards (CAS 401 through CAS 420) that govern how defense contractors measure, assign, and allocate costs to government contracts. Administered by the CAS Board (part of the Office of Federal Procurement Policy), these standards exist to ensure consistency and prevent cost-shifting between government and commercial work.
CAS Coverage Thresholds
Not every contract triggers CAS. Coverage depends on the dollar value and the contractor's overall CAS-covered business:
Trigger Contract. A single CAS-covered contract award of $7.5 million or more is the threshold that establishes CAS applicability (unless an exemption applies).
Modified CAS Coverage. Applies to contractor business units that received less than $50 million in net CAS-covered awards in the preceding cost accounting period. Under modified coverage, contractors must comply with CAS 401 (Consistency in Estimating, Accumulating, and Reporting Costs) and CAS 402 (Consistency in Allocating Costs Incurred for the Same Purpose), plus a Disclosure Statement.
Full CAS Coverage. Applies to business units receiving $50 million or more in net CAS-covered awards. Full coverage requires compliance with all 19 applicable CAS standards. Note: The FY2026 NDAA (Section 1806(a)) raised this threshold from $50 million to $100 million, subject to inflation adjustments -- giving many mid-size contractors relief from full CAS compliance.
Key CAS Exemptions
Several important exemptions exist:
- Small business concerns are completely exempt from CAS, regardless of contract value
- Firm-fixed-price contracts awarded on the basis of adequate price competition without submission of certified cost or pricing data are exempt
- Contracts below the TINA threshold are exempt
- Contracts for commercial products or commercial services are exempt
- Contracts with foreign governments or international organizations are exempt
If you are a small business, CAS exemption is one of your most valuable regulatory advantages. Do not take it for granted -- if your company grows past the SBA size standard for your primary NAICS code, you lose this exemption.
Practical CAS Compliance
For contractors subject to CAS, compliance means three things:
- Disclosure Statement (CASB DS-1). You must file a Disclosure Statement describing your cost accounting practices with the cognizant federal agency official (usually the DCAA auditor or ACO). Any changes to your practices must be reported.
- Consistency. Your actual cost accounting practices must follow your disclosed practices. Deviations trigger corrective action and potential cost adjustments.
- Allocability. Costs must be allocated to contracts in a manner consistent with the CAS standards. Cross-subsidization -- charging costs to government contracts that benefit commercial work, or vice versa -- is a violation.
---
FAR Part 31: Cost Principles and DCAA Audit Readiness
FAR Part 31 defines which costs are allowable, allocable, and reasonable on government contracts. If you bill costs to the government -- whether on a cost-reimbursement contract, a T&M contract, or through indirect rate recovery on any contract type -- these principles determine what you can and cannot charge.
The Three Tests
Every cost charged to a government contract must pass three tests:
Allowability. The cost must not be expressly unallowable under FAR 31.205. Unallowable costs include entertainment, alcoholic beverages, donations, fines and penalties, lobbying, and certain advertising costs. The list is long and specific -- review FAR 31.205 carefully.
Allocability. The cost must be assignable to the contract based on a causal or beneficial relationship. Direct costs must benefit a specific contract. Indirect costs (overhead, G&A) must be allocated across all benefiting cost objectives using a consistent allocation base.
Reasonableness. A cost is reasonable if it does not exceed what a prudent businessperson would incur in similar circumstances. The government can challenge any cost that appears excessive, even if it is technically allowable and allocable.
Indirect Rate Structure
Most defense contractors operate with a multi-tier indirect rate structure:
- Fringe benefits: Applied to direct labor (health insurance, retirement, payroll taxes)
- Overhead: Applied to direct labor or total direct costs (facilities, equipment, supervision)
- General and Administrative (G&A): Applied to total cost input (executive management, accounting, legal, business development)
Establishing and maintaining defensible indirect rates is one of the most important financial management tasks for any defense contractor. DCAA auditors will examine your rate structure, allocation bases, and supporting documentation. If you need help understanding how wrap rates work, our federal contract wrap rate calculator provides a practical framework.
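The three-tier structure above is easiest to understand as a chain of multiplications in a fixed order, and the wrap rate is simply that chain applied to one dollar of direct labor. The following is an added example, not code from the original page or from any calculator it links to: it derives fringe, overhead and G&A rates from constructed annual pools and bases, strips expressly unallowable costs out of the G&A pool before the rate is struck, and then builds up the loaded cost of a labor dollar tier by tier. The pool figures, the 8 percent fee and the `overhead_base` switch (direct labor, or labor plus materials/ODC, the two bases the section names) are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IndirectRates:
    fringe: float                        # applied to direct labor
    overhead: float                      # applied to the overhead base
    ga: float                            # applied to total cost input
    overhead_base: str = "direct_labor"  # or "total_direct_cost" (labor + materials/ODC)


def _overhead_base(direct_labor: float, materials_odc: float, base: str) -> float:
    if base == "direct_labor":
        return direct_labor
    if base == "total_direct_cost":
        return direct_labor + materials_odc
    raise ValueError(f"unknown overhead base {base!r}")


def derive_rates(direct_labor, fringe_pool, overhead_pool, materials_odc,
                 ga_pool, ga_unallowable=0.0, overhead_base="direct_labor") -> IndirectRates:
    """Compute fringe, overhead and G&A rates from annual pools and bases.

    Expressly unallowable costs booked in the G&A pool (entertainment, fines,
    lobbying, ...) are removed before the rate is computed; leaving them in
    would inflate every dollar billed through G&A.
    """
    fringe = fringe_pool / direct_labor
    overhead = overhead_pool / _overhead_base(direct_labor, materials_odc, overhead_base)
    total_cost_input = direct_labor + fringe_pool + overhead_pool + materials_odc
    ga = (ga_pool - ga_unallowable) / total_cost_input
    return IndirectRates(fringe, overhead, ga, overhead_base)


def load_costs(direct_labor, materials_odc, rates: IndirectRates, fee_rate=0.0) -> dict:
    """Apply the tiers in order and return every layer of the build-up."""
    fringe = direct_labor * rates.fringe
    overhead = _overhead_base(direct_labor, materials_odc, rates.overhead_base) * rates.overhead
    total_cost_input = direct_labor + fringe + overhead + materials_odc
    ga = total_cost_input * rates.ga
    total_cost = total_cost_input + ga
    fee = total_cost * fee_rate
    return {
        "direct_labor": direct_labor,
        "fringe": fringe,
        "overhead": overhead,
        "materials_odc": materials_odc,
        "total_cost_input": total_cost_input,
        "ga": ga,
        "total_cost": total_cost,
        "fee": fee,
        "price": total_cost + fee,
    }


def wrap_rate(rates: IndirectRates, fee_rate=0.0) -> float:
    """Fully burdened cost (plus fee) per dollar of direct labor, with no materials."""
    return load_costs(1.0, 0.0, rates, fee_rate)["price"]


if __name__ == "__main__":
    # Constructed annual pools and bases for a hypothetical contractor.
    rates = derive_rates(direct_labor=1_000_000, fringe_pool=300_000,
                         overhead_pool=400_000, materials_odc=200_000,
                         ga_pool=244_000, ga_unallowable=16_000)
    print(f"fringe {rates.fringe:.2%}  overhead {rates.overhead:.2%}  G&A {rates.ga:.2%}")
    for layer, amount in load_costs(100_000, 0, rates, fee_rate=0.08).items():
        print(f"{layer:18} {amount:14,.2f}")
    print(f"wrap rate (cost) {wrap_rate(rates):.4f}  (with fee) {wrap_rate(rates, 0.08):.4f}")
```

With the constructed pools the rates come out at 30, 40 and 12 percent, so every dollar of direct labor costs $1.904 before fee. Running `derive_rates` a second time without the `ga_unallowable` adjustment shows the failure mode the internal-audit section warns about: the G&A rate rises, and the overstatement is billed on every contract that carries G&A.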
---
Key FAR Part 52 Clauses Every Defense Contractor Must Know
FAR Part 52 is the repository for all standard contract clauses. There are over 1,900 clauses in the FAR system, but a relatively small number show up in nearly every defense contract. Here are the ones you need to know:
Cybersecurity and Supply Chain
- FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems): Establishes 15 basic safeguarding requirements for Federal Contract Information (FCI). This is the baseline that CMMC Level 1 is built on.
- FAR 52.204-23 (Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab): Prohibits use of Kaspersky products in government contract performance.
- FAR 52.204-25 (Prohibition on Contracting for Certain Telecommunications Equipment): Implements Section 889 of the 2019 NDAA, prohibiting use of equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua.
Representations and Certifications
- FAR 52.204-8 (Annual Representations and Certifications): Requires contractors to maintain current representations and certifications in SAM.gov. These are legal attestations -- inaccurate representations can trigger False Claims Act liability.
- FAR 52.209-5 (Certification Regarding Responsibility Matters): Requires disclosure of any criminal, civil, or administrative proceedings within the last five years.
Small Business
- FAR 52.219-8 (Utilization of Small Business Concerns): Requires prime contractors to provide maximum practicable opportunity to small business subcontractors.
- FAR 52.219-9 (Small Business Subcontracting Plan): Requires prime contractors receiving contracts over $750,000 (or $1.5 million for construction) to submit subcontracting plans with goals for small business, small disadvantaged business, women-owned, HUBZone, veteran-owned, and service-disabled veteran-owned small businesses.
Changes and Disputes
- FAR 52.243-1 through 52.243-5 (Changes clauses): Establish the government's right to make unilateral changes within the scope of the contract and the contractor's right to an equitable adjustment in price and schedule.
- FAR 52.233-1 (Disputes): Implements the Contract Disputes Act, establishing the process for resolving disagreements about contract performance, payment, or interpretation.
Pricing and Payment
- FAR 52.215-10 (Price Reduction for Defective Certified Cost or Pricing Data): If the government determines you submitted defective cost or pricing data, the contract price is reduced plus interest. This is the enforcement mechanism for TINA.
- FAR 52.232-25 (Prompt Payment): Establishes payment terms and interest penalties for late government payments.
Termination
- FAR 52.249-1 through 52.249-14 (Termination clauses): Provide for termination for convenience (the government can end the contract at any time for its convenience) and termination for default (the government can end the contract if you fail to perform). Understanding the difference -- and your recovery rights under each -- is critical.
---
Flowdown Requirements: What Must Go Into Subcontracts
Flowdown is the mechanism by which prime contract requirements extend to subcontractors. When a FAR or DFARS clause contains language such as "include this clause in subcontracts" or "include the substance of this clause in all subcontracts," the prime contractor is legally obligated to incorporate that requirement into its subcontracts. Failure to flow down mandatory clauses exposes the prime to liability for subcontractor noncompliance.
Mandatory vs. Discretionary Flowdown
A review of the FAR and DFARS reveals approximately 150 clauses with mandatory flowdown language. The most critical categories include:
- Cybersecurity: DFARS 252.204-7012 must be flowed down to any subcontractor whose performance will involve CDI or operationally critical support. DFARS 252.204-7021 (CMMC) must be flowed down with the appropriate CMMC level for the information the subcontractor will handle.
- Equal opportunity: FAR 52.222-26 (Equal Opportunity) must be included in every subcontract.
- Anti-kickback: FAR 52.203-7 (Anti-Kickback Procedures) flows down to all subcontracts.
- Restrictions on subcontractor sales: FAR 52.203-6 flows down to subcontracts exceeding the simplified acquisition threshold.
- CAS and TINA: When applicable, cost accounting and certified cost or pricing data requirements flow down to subcontracts that meet the respective thresholds.
Commercial Subcontract Restrictions
An important development: DFARS 252.244-7000 now restricts prime contractors from flowing down FAR and DFARS clauses to commercial subcontracts unless the flowdown is specifically required by the clause itself (for DFARS clauses) or the clause is listed at FAR 12.301(d) or FAR 52.212-5(e)(1) (for FAR clauses). This rule, implementing Section 877 of the FY2017 NDAA, is designed to reduce administrative burden on commercial subcontractors and prevent over-flowdown.
The practical impact: you cannot simply attach your entire set of prime contract clauses to a commercial subcontract. You must conduct a clause-by-clause analysis to determine which clauses are mandatory flowdowns for commercial subcontracts. Getting this wrong in either direction -- flowing down too many clauses or too few -- creates risk.
Managing Subcontractor Compliance
Under FAR 42.202(e)(2), the prime contractor is responsible for managing its subcontracts. This means:
- Verifying subcontractor representations and certifications
- Monitoring subcontractor performance and compliance
- Ensuring mandatory clauses are properly incorporated
- Collecting and validating subcontractor cost data when required
- Confirming cybersecurity compliance (CMMC level, SPRS score) before subcontract award
If you are managing a complex supply chain, this oversight responsibility can be substantial. Building compliance verification into your subcontract management process -- rather than treating it as an afterthought -- is the only scalable approach. For firms managing contractor relationships at scale, a CUI-safe CRM system that tracks compliance status alongside business data is worth serious consideration.
---
Small Business Compliance: What Is Different
Small business defense contractors operate under the same FAR and DFARS framework as large businesses, but several important exemptions and special provisions apply. Understanding these can save you significant compliance cost while avoiding the trap of assuming "small business" means "less regulation."
What Small Businesses Are Exempt From
- Cost Accounting Standards: Complete exemption. No CAS coverage regardless of contract value.
- Earned Value Management Systems: Generally not required for small business contracts.
- Certain subcontracting plan requirements: Small businesses are not required to submit small business subcontracting plans under FAR 52.219-9 (though this does not mean you should ignore subcontracting to other small businesses).
What Small Businesses Are NOT Exempt From
- DFARS 252.204-7012: Cybersecurity requirements apply to all contractors handling CDI, regardless of size. There is no small business carve-out for NIST SP 800-171 compliance.
- CMMC: If the solicitation requires a CMMC level, your company must hold that certification. Period. Our guide on CMMC for small business covers strategies for achieving compliance on a limited budget.
- FAR 52.204-21: Basic safeguarding of FCI applies to all contractors.
- Anti-kickback, equal opportunity, and other statutory requirements: These apply universally.
- TINA (above the threshold): If your contract exceeds the threshold, small business status does not exempt you from certified cost or pricing data requirements -- though the new $10 million threshold will significantly reduce the number of small business contracts affected.
Set-Aside Advantages
The flip side of compliance obligations is competitive advantage. Small businesses benefit from set-aside programs under FAR Part 19 that reserve certain contracts for competition exclusively among small businesses. Categories include:
- Small Business Set-Aside
- 8(a) Business Development Program
- HUBZone Program
- Service-Disabled Veteran-Owned Small Business (SDVOSB)
- Women-Owned Small Business (WOSB)
- Economically Disadvantaged Women-Owned Small Business (EDWOSB)
These programs are a powerful channel for building past performance and revenue. Understanding how to leverage them effectively is part of the broader strategy for winning federal contracts.
---
Building a Compliance Monitoring Program
Knowing what the rules are is necessary but not sufficient. Defense contractors need a systematic approach to monitoring compliance across the organization. Here is a framework that works for companies of all sizes.
Clause Matrix
Maintain a living document -- a clause matrix -- that maps every active contract to its applicable FAR and DFARS clauses, the compliance requirements of each clause, and the responsible person or team in your organization. This matrix should be updated whenever you receive a new contract or modification. It sounds basic, but a surprising number of defense contractors cannot answer the question "which clauses apply to this contract?" without digging through the contract file.
Compliance Calendar
Several FAR and DFARS requirements have time-based triggers:
- Annual SAM.gov renewal: Registration must be renewed annually
- CAS Disclosure Statement updates: Must be filed within 60 days of any change in cost accounting practices
- SPRS score updates: Required when your assessment results change (even as 7019/7020 transition out, maintaining current scores is prudent)
- CMMC certification maintenance: Certifications have defined validity periods
- Cyber incident reporting: 72-hour reporting window from discovery
- Small business subcontracting reports: Required semi-annually (Individual Subcontracting Report) and annually (Summary Subcontracting Report) in the Electronic Subcontracting Reporting System (eSRS)
Build these deadlines into a compliance calendar with reminders well before due dates. A missed deadline is a compliance failure, even if you are substantively compliant with the underlying requirement.
Internal Audits
Do not wait for DCAA to audit you. Conduct periodic internal reviews of:
- Timekeeping practices: Are employees recording time accurately? Are labor charges going to the correct contracts?
- Indirect rate calculations: Are your rates consistent with your Disclosure Statement? Are unallowable costs properly excluded?
- Purchasing system: Are you complying with competition requirements for subcontracts? Are mandatory flowdown clauses included?
- Cybersecurity controls: Are your NIST SP 800-171 controls implemented and functioning? Are you documenting your Plan of Action and Milestones (POA&M)?
Finding problems yourself is always better than having the government find them for you.
---
Frequently Asked Questions
What is the difference between FAR and DFARS?
The FAR (Federal Acquisition Regulation) is the baseline regulation governing all federal procurement. It applies to every executive branch agency. The DFARS (Defense Federal Acquisition Regulation Supplement) is an additional layer of regulation that applies specifically to Department of Defense contracts. DFARS adds defense-specific requirements on top of the FAR -- particularly in areas like cybersecurity (DFARS 252.204-7012 and 252.204-7021), cost accounting, and subcontractor management. If you hold a DoD contract, you must comply with both the FAR and the DFARS. For contracts with civilian agencies, only the FAR applies (plus any agency-specific FAR supplement).
Does DFARS 252.204-7012 apply to small businesses?
Yes. There is no small business exemption for DFARS 252.204-7012. If your contract involves Covered Defense Information, you must implement all 110 NIST SP 800-171 security controls regardless of your company's size. This is one of the most common misconceptions in the defense industrial base. The CAS exemption for small businesses does not extend to cybersecurity requirements. If you are a small business preparing for compliance, our CMMC for small business guide provides a practical roadmap.
What happens if I fail to flow down mandatory DFARS clauses to subcontractors?
Failure to flow down mandatory clauses creates legal risk for the prime contractor. If a subcontractor violates a requirement that should have been flowed down, the prime contractor bears responsibility. In the cybersecurity context, if your subcontractor experiences a data breach involving CDI and you failed to flow down DFARS 7012, you face potential False Claims Act liability, contract termination, and suspension or debarment proceedings. The government takes flowdown seriously -- it is the mechanism that extends regulatory requirements across the entire defense supply chain.
How does the FY2026 NDAA change TINA and CAS thresholds?
The FY2026 NDAA made two significant threshold changes. First, the TINA threshold for certified cost or pricing data increased from $2.5 million to $10 million for contracts entered into after June 30, 2026. This means far fewer contracts will require contractors to submit certified cost or pricing data. Second, the full CAS coverage threshold increased from $50 million to $100 million in net CAS-covered awards, meaning contractor business units with between $50 million and $100 million in CAS-covered awards move from full to modified CAS coverage. Both changes are designed to reduce administrative burden on contractors while maintaining government oversight where it matters most.
What is the relationship between FAR 52.204-21 and DFARS 252.204-7012?
FAR 52.204-21 establishes 15 basic safeguarding requirements for Federal Contract Information (FCI) -- the minimal cybersecurity baseline for all federal contractors. DFARS 252.204-7012 requires the full set of 110 NIST SP 800-171 controls for Covered Defense Information (CDI), which is a higher standard. Think of it as a hierarchy: FAR 52.204-21 is the floor that every federal contractor must meet, and DFARS 7012 is the more comprehensive requirement for contractors handling sensitive defense information. CMMC Level 1 maps to FAR 52.204-21, while CMMC Level 2 maps to the NIST SP 800-171 requirements in DFARS 7012.
Where can I find the full text of FAR and DFARS clauses?
The official source for the FAR is acquisition.gov/far. The official source for the DFARS is acquisition.gov/dfars. Both are maintained by the government and are free to access. The Electronic Code of Federal Regulations at ecfr.gov also provides the full text with search capability. For clause-by-clause analysis, the DAU Acquipedia is an excellent supplement that provides plain-language explanations of regulatory provisions.
---
Your Regulatory Compliance Roadmap
FAR and DFARS compliance is not a one-time project -- it is an ongoing operational discipline. The regulatory landscape will continue to evolve as CMMC matures, TINA and CAS thresholds adjust, and new cybersecurity requirements emerge. But the fundamentals remain constant: understand the rules, build systems to comply with them, verify your compliance regularly, and maintain documentation that proves it.
The defense contractors who thrive are the ones who treat regulatory compliance as a competitive advantage rather than an administrative burden. When your compliance infrastructure is solid, you can pursue opportunities with confidence, respond to audits without panic, and demonstrate to prime contractors and government customers that you are a reliable partner.
Start with the basics: know which clauses apply to your contracts, understand your cybersecurity obligations under DFARS 7012 and CMMC, get your cost accounting right, and build compliance monitoring into your daily operations. From there, the rest follows.
For more on building the operational infrastructure that supports compliance across your organization, explore our secure operations guide. And if you need help navigating DFARS compliance, evaluating your cybersecurity posture, or preparing for CMMC assessment, contact the Cabrillo Club team -- we help defense contractors build the systems, processes, and technology stack that make compliance sustainable.
---
This guide is part of Cabrillo Club's [secure operations](/insights/secure-operations-guide) content hub. For related topics, explore our guides on [CMMC compliance](/insights/cmmc-compliance-guide), [data sovereignty for defense contractors](/insights/data-sovereignty-defense-contractors), [FedRAMP collaboration tools](/insights/fedramp-collaboration-tools-comparison-2026), [federal contract types](/insights/federal-contract-types-explained), and [winning federal contracts](/insights/winning-federal-contracts).