
DFARS Compliance Guide: What Defense Contractors Must Know in 2026

Posted: December 31, 1969 to Cybersecurity.

If your company holds a contract with the U.S. Department of Defense, or if you are a subcontractor anywhere in the defense supply chain, DFARS compliance is not a suggestion. It is a legal obligation embedded in your contract terms that carries real consequences for non-compliance, including contract termination, financial penalties, suspension, and debarment from future government work.

Yet despite these stakes, many defense contractors still struggle with the specifics. What exactly does DFARS require? How does it relate to NIST 800-171 and CMMC? What counts as Controlled Unclassified Information? Where do most organizations fall short? This guide addresses these questions directly, drawing on our experience helping defense contractors throughout the Raleigh, NC area and beyond navigate these requirements over more than two decades.

What DFARS 252.204-7012 Actually Requires

DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a set of regulations that augment the Federal Acquisition Regulation specifically for DoD procurements. The clause that has consumed the most attention in cybersecurity circles is DFARS 252.204-7012, formally titled "Safeguarding Covered Defense Information and Cyber Incident Reporting."

This clause imposes four primary obligations on defense contractors:

First, adequate security. Contractors must provide adequate security on all covered contractor information systems. For systems that are not part of an IT service or system operated on behalf of the government, "adequate security" means implementing the security requirements specified in NIST Special Publication 800-171. This is not a menu of optional best practices. It is a defined set of 110 security requirements that your organization must implement.

Second, cyber incident reporting. When a contractor discovers a cyber incident that affects covered defense information, a covered contractor information system, or the contractor's ability to perform operationally critical support, the contractor must report the incident to the DoD within 72 hours. This is not 72 business hours. It is 72 hours from discovery, period. The report must be submitted through the DoD's Defense Industrial Base Cybersecurity portal.

Third, malicious software submission. If malicious software is discovered in connection with a reported cyber incident, the contractor must submit the malware to the DoD Cyber Crime Center. This supports government-wide threat intelligence and helps protect other contractors from similar attacks.

Fourth, media preservation and access. Upon a reported cyber incident, the contractor must preserve and protect images of all known affected information systems and relevant monitoring data for at least 90 days. The contractor must also provide the DoD with access to additional information or equipment necessary to conduct forensic analysis.

The Relationship Between DFARS, NIST 800-171, and CMMC

Understanding how these three frameworks connect is essential for navigating compliance efficiently. They are not separate, competing requirements. They are layers of the same system.

DFARS 252.204-7012 is the contractual clause that establishes the legal requirement. It is the "why" you must comply.

NIST SP 800-171 is the technical standard that defines the security requirements. It specifies 110 controls across 14 families, covering everything from access control and awareness training to incident response and system integrity. It is the "what" you must implement.

CMMC (Cybersecurity Maturity Model Certification) is the verification mechanism. It is the "how" the government confirms that you actually implemented the controls you claim. CMMC requires third-party assessments for organizations handling CUI, replacing the previous self-attestation model that allowed contractors to claim compliance without independent verification.

In practical terms, if you fully implement NIST 800-171 and can demonstrate that implementation to a third-party assessor, you will satisfy both your DFARS obligations and CMMC Level 2 requirements. The frameworks are intentionally aligned so that compliance with one supports compliance with the others.

Identifying Controlled Unclassified Information

CUI identification is where many organizations get stuck. DFARS requirements apply specifically to "covered defense information," which includes CUI that is provided to the contractor by or on behalf of the DoD, or collected, developed, received, transmitted, used, or stored by the contractor in support of contract performance.

CUI is information that requires safeguarding or dissemination controls but is not classified. It includes categories such as:

  • Technical data: Engineering drawings, specifications, standards, process sheets, manuals, technical reports, and other technical information related to defense articles or defense services.
  • Export-controlled information: Data subject to International Traffic in Arms Regulations or Export Administration Regulations.
  • Proprietary business information: Source selection information, contract pricing data, and other sensitive business information provided by the government.
  • Operations security information: Information about DoD operations, vulnerabilities, capabilities, and plans that requires protection.
  • Critical infrastructure information: Details about defense-related infrastructure that could be exploited by adversaries.

The challenge is that CUI is not always clearly marked when it arrives. Contracting officers do not always label documents correctly, and CUI can be generated during contract performance rather than delivered at the start. Your organization needs a process for identifying, marking, and tracking CUI throughout its lifecycle, not just at the point of receipt.

A practical approach is to start with your contract. Review the DD Form 254, the statement of work, and any contract data requirements lists. Identify what types of information you will handle, where it will reside in your systems, who will access it, and how it flows between your organization and any subcontractors or partners.

The System Security Plan: Your Compliance Foundation

NIST 800-171 requires organizations to develop, document, and maintain a System Security Plan that describes the system boundary, the operating environment, how security requirements are implemented, and the relationships with other systems. The SSP is not just a compliance document. It is the artifact that assessors will review first and most thoroughly during a CMMC assessment.

A strong SSP should include:

  • System boundary definition: A clear description of which systems, networks, and devices are in scope for CUI processing, including hardware inventory, software inventory, and network diagrams.
  • Security requirement implementation: For each of the 110 NIST 800-171 requirements, a detailed description of how your organization implements that control. Generic statements like "we use firewalls" are insufficient. Assessors want specifics: which products, which configurations, which policies, and which procedures.
  • Plan of Action and Milestones: For any security requirements that are not fully implemented, a POA&M that documents the weakness, the planned corrective action, the responsible individual, and the target completion date. POA&Ms are acceptable during the transition period, but they must demonstrate a credible plan for full implementation.
  • Roles and responsibilities: Who is responsible for each aspect of your security program, from the system administrator who manages access controls to the executive who authorizes the SSP.

This is where our ComplianceArmor platform provides significant value. We built ComplianceArmor specifically to automate the documentation burden that defense contractors face. The platform generates SSPs, POA&Ms, and supporting documentation that map directly to NIST 800-171 controls and CMMC assessment requirements. Instead of spending weeks assembling compliance documents manually, organizations can produce audit-ready documentation in a fraction of the time and keep it current as their environment changes.

The 72-Hour Incident Reporting Requirement

The incident reporting obligation in DFARS 252.204-7012 is one of the most operationally demanding requirements, and one of the most commonly underestimated. When a cyber incident affecting CUI is discovered, the clock starts immediately.

Within 72 hours, you must report the incident through the DIBNet portal with details including:

  • The date the incident was discovered
  • The location and type of the compromised systems
  • A description of the incident, including the attack vector
  • An assessment of what CUI was potentially compromised
  • The status of your response and remediation efforts

Meeting this requirement under the pressure of an active incident is extremely difficult without preparation. You need an incident response plan that specifically addresses DFARS reporting obligations, pre-designated personnel authorized to submit reports, and a DIBNet account that is already established and tested before an incident occurs.

The 72-hour window is aggressive. Consider that incident discovery is not the same as incident occurrence. You may not realize a breach has happened for days, weeks, or even months. But once discovered, the reporting clock starts. Organizations that lack robust monitoring capabilities may find themselves trying to assess the scope of a major incident while simultaneously racing a 72-hour deadline. This is why continuous monitoring and detection capabilities are not just good practice but operationally essential for DFARS compliance.

Subcontractor Flow-Down: Your Compliance Does Not End at Your Walls

DFARS 252.204-7012 includes a flow-down requirement that extends its obligations to subcontractors at every tier. If you share CUI with a subcontractor, that subcontractor must also comply with NIST 800-171 and report cyber incidents through you to the DoD.

This creates both a legal obligation and a practical challenge. You are responsible for ensuring that your subcontractors meet the same security standards you do. If a subcontractor suffers a breach involving your contract's CUI, you bear the reporting obligation and potentially the contractual consequences.

Effective flow-down management requires:

  • Contract language: Including DFARS 252.204-7012 in every subcontract where CUI will be shared.
  • Due diligence: Verifying that subcontractors have implemented NIST 800-171 controls before sharing CUI.
  • Ongoing assessment: Periodically reviewing subcontractor security posture, not just at contract award but throughout performance.
  • Incident coordination: Establishing procedures for subcontractors to report incidents to you quickly enough that you can meet the 72-hour DoD reporting window.

Common Mistakes That Jeopardize Compliance

After more than 23 years working with defense contractors and organizations in regulated industries, we have seen the same mistakes repeated consistently. Awareness of these common pitfalls can save your organization significant time, money, and risk:

Underscoping the CUI environment. Organizations frequently define their CUI boundary too narrowly, excluding systems that actually touch CUI. If your email system handles CUI-containing messages, it is in scope. If your backup system stores copies of CUI, it is in scope. If your personal mobile device accesses CUI through a webmail interface, it is in scope.

Relying on self-attestation without evidence. Under the previous regime, contractors could self-attest to NIST 800-171 compliance with minimal accountability. CMMC changes that calculus dramatically. Organizations that claimed compliance without actually implementing controls now face the prospect of failing a third-party assessment. Start building evidence of implementation now.

Treating compliance as a point-in-time event. An SSP that is accurate on the day you write it stays compliant only if you keep it updated. Systems change, personnel change, threats change. Compliance requires continuous maintenance, not annual reviews.

Ignoring physical security controls. NIST 800-171 includes physical protection requirements that organizations focused on technical controls sometimes overlook. Access control for server rooms, visitor management, media protection, and equipment disposal all fall within scope.

Neglecting awareness training. Every person who accesses CUI must receive security awareness training. This is not optional, and generic annual training videos do not satisfy the requirement. Training must address CUI handling, incident reporting procedures, and the specific threats facing your organization.

How PTG Helps Defense Contractors Achieve and Maintain Compliance

At Petronella Technology Group, DFARS and CMMC compliance are not side offerings we added to fill out a services list. They are core to what we do. Our founder, Craig Petronella, is the author of 15 cybersecurity books and a certified expert witness who has provided testimony in cases involving cybersecurity standards and compliance. That depth of expertise informs every compliance engagement we conduct.

Our approach combines technical implementation with documentation automation through our ComplianceArmor platform, which generates the SSPs, POA&Ms, and policy documents that CMMC assessors require. We handle the full lifecycle: CUI scoping, gap assessment, control implementation, documentation, training, and assessment preparation.

For defense contractors in Raleigh, Durham, the Research Triangle, and throughout the eastern seaboard, we offer managed IT services that maintain DFARS-compliant environments on an ongoing basis, not just at assessment time. If your organization needs to achieve or verify DFARS compliance, contact us to discuss your specific requirements and timeline.

Craig Petronella
CEO & Founder, Petronella Technology Group | CMMC Registered Practitioner

Craig Petronella is a cybersecurity expert with over 24 years of experience protecting businesses from cyber threats. As founder of Petronella Technology Group, he has helped over 2,500 organizations strengthen their security posture, achieve compliance, and respond to incidents.
