DFARS

Agency supplement

Department of Defense

The Department of Defense's master add-on to the federal procurement rules — the source of the defense cybersecurity clauses most contractors must meet.

Last reviewed: June 7, 2026. Version: v1

In plain terms. DFARS is the Department of Defense's supplement to the Federal Acquisition Regulation (FAR). It adds defense-specific contract rules on top of the government-wide baseline, including the cybersecurity clauses that drive most contractor security obligations.

Who it applies to. Any contractor or subcontractor doing business with the Department of Defense or its components.

What it requires. Follow the FAR baseline plus DFARS additions. The central cyber clause, DFARS 252.204-7012, requires you to safeguard covered defense information using NIST SP 800-171 and report cyber incidents to DoD within 72 hours. Related clauses (7019/7020/7021) cover CMMC and the posting of assessment scores to SPRS.

Why it matters. DFARS is where the defense supply chain's cybersecurity duties live. Falling short can cost you eligibility for award and, if you misrepresent compliance, expose you under the False Claims Act.

Citation. DFARS, the Defense Federal Acquisition Regulation Supplement, a supplement to the Federal Acquisition Regulation (FAR), codified in the FAR System at Title 48 of the C.F.R.