DFARS (Defense Federal Acquisition Regulation Supplement)

DFARS is the Department of Defense's supplement to the Federal Acquisition Regulation (FAR). While FAR applies to all federal agencies, DFARS adds DoD-specific requirements, security mandates, compliance rules, and acquisition procedures that defense contractors must follow. DFARS covers cybersecurity requirements (CMMC, NIST SP 800-171), export controls, contractor liability, cost accounting, and numerous other areas. All contracts awarded by the DoD, and most subcontracts on DoD primes, are subject to DFARS. Understanding DFARS is essential for any company selling to the Department of Defense.

Opening Definition

DFARS is the Department of Defense's supplement to FAR, adding DoD-specific acquisition rules, security requirements, and compliance mandates. All DoD contracts require DFARS compliance; many subcontracts do as well.

Why It Matters for Tech Companies

If selling to DoD, DFARS is non-optional. DFARS adds significant compliance requirements beyond standard FAR—cybersecurity mandates (CMMC, NIST), export controls, cost accounting standards, and subcontracting requirements. Non-compliance can result in contract termination, liability, or debarment. For tech companies, DFARS compliance often requires: implementing specific security controls, establishing compliance processes, managing subcontractor compliance, and maintaining detailed documentation. Budget for compliance infrastructure, training, and third-party audits.

How It Works in Practice

Key DFARS Requirements: Cybersecurity (DFARS 7012): Contractors must implement NIST SP 800-171 security controls and achieve CMMC certification. Export Controls: Contractors must ensure technology doesn't violate ITAR or EAR. Cost Accounting Standards (CAS): Large contractors must maintain compliant cost accounting systems. Subcontracting Requirements: Primes must flow DFARS requirements down to subcontractors. Example: Software company wins $10M DoD cloud services contract. DFARS requires: (1) CMMC Level 3 certification ($50K-$100K+), (2) NIST SP 800-171 implementation, (3) Export control review, (4) Cost Accounting Standards compliance, (5) Flow-down requirements to subcontractors.

Common Mistakes to Avoid

• Not understanding DFARS before bidding: Read requirements carefully. Don't bid if you can't comply.
• Underestimating compliance costs: CMMC, NIST, export controls are expensive.
• Not flowing requirements to subcontractors: You're liable for subcontractor non-compliance.
• Neglecting export control review: If technology touches controlled items, conduct classification.
• Poor documentation: Maintain detailed compliance records.

Key Facts and Numbers

• DFARS applies to all DoD contracts and most subcontracts
• CMMC is DoD-mandated under DFARS (Clause 7012)
• NIST SP 800-171 implementation required for CUI handling
• Cost Accounting Standards apply to contracts exceeding $2M+ annually
• Subcontractor flow-down requirements apply to all subs handling CUI
• DFARS includes over 100 additional clauses beyond FAR

Related Terms

FAR • CMMC • CAGE Code

Related Guides

DFARS Compliance for Defense Contractors • Defense Contracting Essentials

Frequently Asked Questions

Do all DoD contracts require DFARS compliance?

Yes. All contracts awarded directly by DoD are DFARS-compliant. Most subcontracts to DoD primes are also DFARS-compliant via flow-down requirements.

What's the difference between FAR and DFARS?

FAR is the Federal Acquisition Regulation applying to all federal agencies. DFARS is DoD-specific, adding additional requirements. DFARS supplements FAR for DoD contracts.

Can I avoid DFARS compliance if I bid low?

No. DFARS compliance is mandatory. If you win contract and can't comply, you face termination and potential liability.

Who enforces DFARS compliance?

The Contracting Officer monitors compliance. DCSA conducts security inspections. Auditors review cost compliance.