DFARS 252.204-7012 — Scope and prescription
DFARS clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," is the Department of Defense's foundational cybersecurity flow-down for contractors handling unclassified Controlled Unclassified Information (CUI). The clause imposes two core obligations: (1) the contractor must provide "adequate security" on all covered contractor information systems that process, store, or transmit covered defense information, and (2) the contractor must rapidly report cyber incidents (within 72 hours of discovery) and cooperate with DoD damage assessment.
Prescription and coverage
Under DFARS 204.7304(c), contracting officers must use clause 252.204-7012 in all solicitations and contracts, including those using FAR Part 12 procedures for commercial products and commercial services, except for solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. The clause therefore reaches nearly the entire DoD contractor base—prime contractors and, by explicit flow-down obligation in paragraph (m) of the clause, subcontractors at all tiers who will handle covered defense information or whose information systems will process CUI in performance of a DoD contract.
Covered defense information (the triggering category)
"Covered defense information" is defined at DFARS 204.7301 and repeated in paragraph (a) of the clause: unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at archives.gov/cui/registry/category-list, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and that is either (1) marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of contract performance, or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance. The definition captures technical data, engineering drawings, proprietary research generated under a development contract, export-controlled technical information, and other unclassified information within a CUI category when it is tied to contract performance and marked or otherwise identified in the contract.
The NIST SP 800-171 implementation mandate
Paragraph (b)(2) of the clause specifies the minimum security baseline: the contractor must implement the security requirements in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." The clause at paragraph (b)(2)(i) directs the contractor to the current revision of NIST SP 800-171 published at csrc.nist.gov/publications/sp800. As of the May 2024 clause date, NIST SP 800-171 Revision 2 contains 110 security requirements organized into 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, and System and Communications Protection. NIST published Revision 3 in May 2024, but DFARS Subpart 204.73 notes that contracting officers shall refer to applicable class deviations for the operative NIST revision required in contracts; the DFARS PGI and agency class deviations address the transition timeline.
Cyber incident reporting
Paragraph (c) of the clause defines "cyber incident" as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. Under paragraph (c)(1), the contractor must report cyber incidents to DoD at dibnet.dod.mil within 72 hours of discovery. Paragraph (a) defines "rapidly report" to mean within 72 hours of discovery of any cyber incident. Paragraph (d) obligates the contractor to preserve and protect images of all known affected information systems identified in paragraph (c)(1) and all relevant monitoring/packet-capture data for at least 90 days from the date of submission of the cyber incident report to allow DoD to request the media or decline interest. If requested by DoD, the contractor must provide access to additional equipment or technical information necessary for forensic analysis under paragraph (e).
Subcontract flow-down
Paragraph (m) of the clause requires the contractor to include the substance of the clause, including this flow-down requirement, in subcontracts and other contractual instruments (including purchase orders for other than COTS items) in which the subcontractor may have Federal contract information residing in or transiting through its information system. This creates a vertical compliance obligation throughout the supply chain.
Current clause date and scope exclusions
The clause was last revised in May 2024; the clause heading reads "SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (MAY 2024)." The May 2024 revision updated hyperlinks within paragraph (b)(2)(i) and paragraph (b)(2)(ii)(D) to reference the current NIST SP 800-171 publication repository at csrc.nist.gov and the FedRAMP Moderate baseline at fedramp.gov/documents-templates. Under DFARS 204.7304(c), the clause is not prescribed for solicitations and contracts solely for the acquisition of COTS items; paragraph (b) of DFARS Subpart 204.73 notes that the subpart does not abrogate other security requirements of the National Industrial Security Program or other contractor physical, personnel, or administrative security operations.
Source: DFARS 252.204-7012
Source: DFARS Subpart 204.73
Source: DFARS 204.7301
Source: 89 Fed. Reg. 46821 (May 30, 2024)
CMMC — Framework overview and three-level structure
The Cybersecurity Maturity Model Certification (CMMC) Program is DoD's verification framework for assessing defense contractor implementation of required cybersecurity standards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The CMMC Program rule, codified at 32 C.F.R. Part 170, was published as a final rule on October 15, 2024, and became effective December 16, 2024. The complementary DFARS acquisition rule implementing CMMC in DoD contracts, codified at DFARS Subpart 204.75 and clause 252.204-7021, was published as a final rule on September 10, 2025, and became effective November 10, 2025. Under 32 C.F.R. § 170.3(e)(1), Phase 1 of the four-phase CMMC implementation begins on the effective date of the DFARS acquisition final rule — November 10, 2025.
CMMC does not replace DFARS 252.204-7012 or other existing cybersecurity requirements. DFARS Subpart 204.75 states that the subpart "does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program." Contractors must continue to comply with DFARS 252.204-7012's cyber incident reporting obligations and NIST SP 800-171 implementation requirements; CMMC adds a verification and certification layer on top of those existing baseline obligations.
The three-level structure
CMMC establishes three certification levels tied to the sensitivity of information a contractor handles. Under DFARS 204.7503(a), the program office or requiring activity determines the applicable CMMC level for each solicitation. The solicitation must include provision DFARS 252.204-7025, which specifies the required CMMC level, and the resulting contract includes clause DFARS 252.204-7021, which imposes the certification and maintenance obligations.
Level 1 — Federal Contract Information (self-assessment)
Level 1 applies when contractor information systems will process, store, or transmit FCI. DFARS 204.7501 defines "Federal contract information" as "information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government," excluding information provided by the Government to the public (such as on public websites) or simple transactional information such as payment processing. The October 2024 Federal Register preamble to 32 C.F.R. Part 170 states that Level 1 requires implementation of cybersecurity practices "set forth in the 48 CFR 52.204-21" (the FAR Basic Safeguarding clause, which lists 15 security requirements) and notes that the CMMC Program utilizes the security standards in FAR 52.204-21 "as applicable." Contractors handling only FCI must complete an annual self-assessment against these basic requirements and submit results to the Supplier Performance Risk System (SPRS) with an annual affirmation of continuous compliance by an affirming official. No third-party assessment is required for Level 1.
Level 2 — Controlled Unclassified Information (self-assessment or third-party certification)
Level 2 applies when contractor information systems will process, store, or transmit CUI. DFARS 204.7501 defines "Controlled unclassified information" as "information the Government creates or possesses, or information an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls (32 CFR 2002.4(h))." Level 2 requires implementation of all 110 security requirements in NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," Revision 2 (February 2020, updated January 28, 2021). The 110 requirements are organized into 14 control families: Access Control, Awareness and Training, Audit and Accountability, Configuration Management, Contingency Planning, Identification and Authentication, Incident Response, Maintenance, Media Protection, Personnel Security, Physical Protection, Risk Assessment, Security Assessment, and System and Communications Protection.
The solicitation specifies whether Level 2 compliance is demonstrated through Level 2 (Self) — a self-assessment conducted every three years with annual affirmations of continuous compliance — or Level 2 (C3PAO) — an independent assessment by a Certified Third-Party Assessment Organization (C3PAO) conducted every three years with annual affirmations. Under the phased implementation plan in 32 C.F.R. § 170.3(e), Phase 1 (beginning November 10, 2025) provides that "DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award," and further provides that "DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO)" for certain solicitations and contracts. Phase 2 (beginning one calendar year after Phase 1 — November 10, 2026) expands the use of Level 2 C3PAO to additional solicitations as determined by program managers or requiring activities, and DoD may at its discretion include Level 3 requirements. The regulation makes clear that the inclusion of higher assessment requirements (C3PAO or DIBCAC) during early phases is discretionary based on program needs.
Both self-assessments and C3PAO assessments are entered into SPRS and assigned a CMMC Unique Identifier (CMMC UID). DFARS 204.7501 defines "Cybersecurity Maturity Model Certification unique identifier (CMMC UID)" as "10 alpha-numeric characters assigned to each CMMC assessment and reflected in the Supplier Performance Risk System (SPRS) for each contractor information system."
Level 3 — High-value CUI (government assessment)
Level 3 applies when contractor information systems will process, store, or transmit CUI designated by DoD as involving "high-value assets." The October 2024 Federal Register preamble states that Level 3 requires a contractor to have achieved final CMMC Level 2 status and to additionally implement "selected requirements from the NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, February 2021." The preamble notes that 24 enhanced requirements from NIST SP 800-172 are included in the Level 3 assessment. Level 3 certification requires a government-led assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a component of the Defense Contract Management Agency (DCMA). DIBCAC assessments are conducted every three years with annual affirmations of continuous compliance.
Conditional vs. Final status and Plan of Action & Milestones
32 C.F.R. Part 170 and DFARS 252.204-7021 recognize two types of CMMC status: Conditional and Final. A contractor may receive a Conditional CMMC Status for Levels 2 and 3 if it achieves the minimum assessment score but has outstanding gaps documented in a Plan of Action and Milestones (POA&M). A Conditional status is valid for up to 180 days, during which the contractor must close all POA&M items to transition to Final CMMC Status. The September 2025 DFARS final rule preamble states that "the final rule allows contractors to hold a conditional Cybersecurity Maturity Model Certification (CMMC) status at Levels 2 and 3 for a period of up to 180 days," and that "the final rule clarifies that a conditional CMMC status is sufficient to permit a contract award." Both Conditional and Final statuses require annual affirmations of continuous compliance by an affirming official.
DFARS 204.7501 defines "current" CMMC status with precision. For Conditional Level 2 assessments (Self or C3PAO), a status is current if the assessment is not older than 180 days, there have been no changes in compliance with the requirements at 32 C.F.R. Part 170 since the Conditional CMMC Status date, and there is a corresponding affirmation of continuous compliance by an affirming official. For Final Level 2 assessments (Self or C3PAO), a status is current if the assessment is not older than three years, there have been no changes in compliance with 32 C.F.R. Part 170 since the Final CMMC Status date, and there is a corresponding affirmation of continuous compliance not older than one year by an affirming official. Parallel timing rules apply to Conditional and Final Level 3 assessments.
Prescription and exclusions
DFARS 204.7504(a) prescribes clause 252.204-7021 in solicitations and contracts (including task orders and delivery orders and those using FAR Part 12 procedures for commercial products and commercial services), except for contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. For the first three years following the November 10, 2025 effective date (until November 9, 2028), the clause is required only "if the program office or requiring activity determines that the contractor is required to have a CMMC status." After November 9, 2028, the clause applies automatically in all non-COTS acquisitions where the contractor is required to process, store, or transmit FCI or CUI, unless a waiver under 32 C.F.R. § 170.5(d) is granted. This three-year transition period gives program offices discretion to phase in CMMC requirements across the defense industrial base while establishing universal coverage by the end of the transition window.
Award and option-exercise gates
DFARS 204.7503(b) imposes a hard gate at contract award: "Contracting officers shall check SPRS and not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level (see 32 CFR 170.15 through 170.18) required by the solicitation, or higher, for each CMMC UID provided by the offeror." The CMMC UIDs are applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract. A parallel gate applies at option exercise or period-of-performance extension under DFARS 204.7503(c): contracting officers must check SPRS and may not exercise an option or extend the period of performance unless the contractor has a current CMMC status at the required level. This makes CMMC compliance a continuing contractual obligation throughout performance, not merely a one-time condition of award.
Source: 32 C.F.R. Part 170
Source: DFARS Subpart 204.75
Source: DFARS 252.204-7021
Source: 89 Fed. Reg. 83092 (Oct. 15, 2024)
Source: 90 Fed. Reg. 43564 (Sept. 10, 2025)
NIST SP 800-171 Rev. 2 — The 110 security requirements and 14 control families
NIST Special Publication 800-171, Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," is the baseline cybersecurity standard mandated by DFARS 252.204-7012 for DoD contractors handling CUI and adopted as the verification target for CMMC Level 2. Published in February 2020 with errata updates as of January 28, 2021, Revision 2 establishes 110 security requirements organized into 14 control families. These requirements apply to all components of nonfederal systems and organizations that process, store, or transmit CUI, or that provide protection for such components.
Operative version and the May 2024 DFARS Class Deviation
Although NIST published Revision 3 of SP 800-171 on May 14, 2024—superseding Revision 2—the Department of Defense issued DFARS Class Deviation 2024-O0013, Revision 1, on May 22, 2024, locking DoD contractors to Revision 2 compliance. The deviation modifies DFARS 252.204-7012 to require contractors to comply with NIST SP 800-171 Revision 2 (rather than "the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the Contracting Officer," as the base clause text provided). The deviation remains in effect indefinitely until rescinded by DoD. As a result, contractors subject to DFARS 252.204-7012—and those preparing for CMMC Level 2 assessments—must implement the 110 requirements in Revision 2, not the 97 requirements in Revision 3. The deviation provides industry time to transition and gives DoD time to align supporting mechanisms, including CMMC assessment procedures and the Supplier Performance Risk System (SPRS).
The 110 requirements: basic and derived
Revision 2 distinguishes between two types of requirements. The 14 basic security requirements are derived from Federal Information Processing Standards (FIPS) Publication 200, which specifies minimum security requirements for federal information and information systems. The remaining 96 derived security requirements are taken from NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, specifically the moderate impact baseline tailored for nonfederal systems. Each requirement is numbered using a three-part identifier: the requirement family number, the family abbreviation, and the sequential requirement number (e.g., 3.1.1 for Access Control requirement 1). Basic requirements are listed first in each family, followed by derived requirements.
The 14 control families
The 110 requirements are organized into 14 families, each addressing a distinct category of security controls:
3.1 Access Control (AC) — 22 requirements. Limits information system access to authorized users, processes acting on behalf of users, and devices (including other systems). Covers account management, least privilege, separation of duties, unsuccessful logon attempts, session lock, remote access, wireless access, access control for mobile devices, and use of external systems.
3.2 Awareness and Training (AT) — 3 requirements. Ensures that managers, system administrators, and users understand their security responsibilities and receive appropriate cybersecurity awareness training and role-based training.
3.3 Audit and Accountability (AU) — 9 requirements. Creates, protects, and retains system audit logs to enable monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Covers audit record content, capacity planning, response to audit processing failures, audit review and reporting, time-stamp correlation, and protection of audit information.
3.4 Configuration Management (CM) — 9 requirements. Establishes and maintains baseline configurations and inventories of systems; restricts, disables, or prevents use of nonessential programs, functions, ports, protocols, and services; applies the principle of least functionality; and controls and monitors user-installed software.
3.5 Identification and Authentication (IA) — 11 requirements. Identifies system users, processes acting on behalf of users, and devices; authenticates (or verifies) those identities as a prerequisite to system access. Covers multifactor authentication for network access to privileged and non-privileged accounts and for local access to privileged accounts, identifier management, authenticator management (including replay-resistant mechanisms and strength), cryptographic module authentication, and device identification and authentication.
3.6 Incident Response (IR) — 3 requirements. Establishes an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user response activities; tracks, documents, and reports incidents to designated officials and authorities.
3.7 Maintenance (MA) — 6 requirements. Performs periodic and timely maintenance on systems; provides controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance; requires approval and monitoring of maintenance activities, including nonlocal maintenance; and sanitizes or destroys equipment before disposal or release for reuse.
3.8 Media Protection (MP) — 9 requirements. Protects system media, both paper and digital, during transport, storage, use, and disposal. Covers limiting access to CUI on system media to authorized users, sanitizing or destroying media containing CUI before disposal or release for reuse, marking media with necessary CUI markings and distribution limitations, controlling access to media storage areas, and controlling media during transport outside controlled areas.
3.9 Personnel Security (PS) — 2 requirements. Screens individuals prior to authorizing access to systems containing CUI and ensures that systems containing CUI are protected during and after personnel actions such as terminations and transfers.
3.10 Physical Protection (PE) — 6 requirements. Limits physical access to systems, equipment, and operating environments to authorized individuals; protects the physical plant and support infrastructure; provides supporting utilities; protects systems against environmental hazards; and monitors physical access and controls entry points, including visitor access and access records.
3.11 Risk Assessment (RA) — 3 requirements. Periodically assesses the risk to organizational operations, assets, and individuals resulting from the operation of systems and the processing, storage, or transmission of CUI; scans for vulnerabilities in systems and when new vulnerabilities affecting the system are identified; and remediates legitimate vulnerabilities in accordance with an organizational assessment of risk.
3.12 Security Assessment (CA) — 4 requirements. Periodically assesses the security controls in systems to determine whether the controls are effective in their application; develops and implements plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in systems; monitors security controls on an ongoing basis to ensure continued effectiveness; and develops, disseminates, and updates system security plans that describe the security requirements and controls in place or planned.
3.13 System and Communications Protection (SC) — 19 requirements. Monitors, controls, and protects communications (i.e., information transmitted or received by systems) at external and key internal boundaries of systems. Covers boundary protection, cryptographic protection (including transmission confidentiality and integrity, cryptographic key establishment and management, and public-key infrastructure certificates), network segmentation, denial-of-service protection, session authenticity, protection of information at rest, collaborative computing device and application control, mobile code restrictions, Voice over Internet Protocol, secure name/address resolution service, communications authenticity, and cryptographic module protections.
3.14 System and Information Integrity (SI) — 4 requirements. Identifies, reports, and corrects system flaws in a timely manner; provides protection from malicious code; monitors system security alerts and advisories and takes action in response; and updates malicious code protection mechanisms when new releases are available.
Scoping and tailoring: CUI security domains and the NFO designation
Nonfederal organizations may limit the scope of the 110 requirements by isolating CUI processing, storage, and transmission to designated system components within a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts such as implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms; security domains may employ physical separation, logical separation, or a combination of both. This approach—often referred to as enclave architecture—allows contractors to apply the full 110-requirement rigor only to the enclave that handles CUI, rather than to the entire enterprise network.
Revision 2 also includes a tailoring category designated NFO (Nonfederal Organization), applied to certain requirements deemed appropriate for nonfederal organizations to tailor based on their specific circumstances. The NFO designation does not exempt a requirement; it signals that the requirement may be implemented in a manner that reflects the nonfederal organization's mission, operational environment, and risk tolerance, as opposed to federal-system-specific implementation approaches. Contractors preparing for CMMC Level 2 assessments should note that C3PAO assessors will evaluate all 110 requirements, including those marked NFO, for applicability and implementation within the contractor's CUI scope boundary.
Assessment methodology and scoring
NIST Special Publication 800-171A, "Assessing Security Requirements for Controlled Unclassified Information," provides the companion assessment procedures and methodology for evaluating implementation of the 110 requirements in Revision 2. Each requirement in SP 800-171 Revision 2 maps to one or more assessment objectives in SP 800-171A, which break down the requirement into specific determination statements (objectives) that an assessor verifies as satisfied or not satisfied. The CMMC Level 2 Self and Level 2 C3PAO assessment processes are built on the SP 800-171A framework. Contractors document implementation in a System Security Plan (SSP) as required by requirement 3.12.4, conduct self-assessments, and report their SPRS score (the sum of points for satisfied requirements, with a maximum score of 110) to DoD via the Supplier Performance Risk System.
Relationship to NIST SP 800-53 and the moderate baseline
SP 800-171 Revision 2 is a tailored subset of NIST SP 800-53, Revision 4, moderate baseline. SP 800-53 is the comprehensive catalog of security and privacy controls for federal information systems and organizations; the moderate baseline (one of three baselines: low, moderate, high) is intended for systems where loss of confidentiality, integrity, or availability could have a serious adverse effect on organizational operations, assets, or individuals. SP 800-171 extracts the subset of the moderate baseline controls relevant to protecting CUI confidentiality in nonfederal systems, simplifies control language for nonfederal implementation, and omits controls that are inherently federal-system-specific (e.g., continuity of operations planning, privacy controls managed by federal agencies). Appendix D of SP 800-171 Revision 2 maps each of the 110 requirements to the corresponding SP 800-53 Revision 4 control for practitioners who need to trace the derivation or compare implementation guidance.
Transition to Revision 3 and DoD timeline
NIST SP 800-171 Revision 3, published May 14, 2024, reduces the total requirement count from 110 to 97 (consolidating and withdrawing redundant requirements), adds three new control families (Planning, System and Services Acquisition, and Supply Chain Risk Management), eliminates the basic/derived distinction in favor of deriving all requirements from SP 800-53 Revision 5 as the single authoritative source, and introduces Organization-Defined Parameters (ODPs) that allow agencies to specify values for certain control parameters. However, DoD has not rescinded Class Deviation 2024-O0013, and as of the date of this section, DoD contractors remain obligated to implement SP 800-171 Revision 2. Industry observers anticipate that DoD will eventually update DFARS 252.204-7012 and the CMMC program to require Revision 3, likely with a transition period, but DoD has not announced a timeline or rescission date for the class deviation.
Source: NIST SP 800-171 Rev. 2
Source: DFARS Class Deviation 2024-O0013, Rev. 1
Source: NIST SP 800-171A
Section 889 — Two-part prohibition on covered telecommunications equipment and services
Section 889 of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, Pub. L. 115-232, enacted August 13, 2018, imposes a two-part prohibition on the procurement and use of certain telecommunications and video surveillance equipment or services produced by entities the statute identifies as national-security risks tied to the People's Republic of China. The prohibitions apply government-wide—DoD, civilian agencies, and NASA—and reach every contract type, including commercial-item acquisitions under FAR Part 12 and micro-purchases under FAR Subpart 13.2. The FAR Council implemented Section 889 through FAR Subpart 4.21, adding representation provision FAR 52.204-24 and contract clause FAR 52.204-25, both of which are mandatory in all solicitations and contracts except purchases solely of commercially available off-the-shelf (COTS) items. Unlike DFARS 252.204-7012 and the CMMC program, which apply only to DoD contracts, Section 889 is a government-wide supply-chain security control with no agency carve-out.
The two-part structure: Part A (direct procurement ban) and Part B (contractor-use ban)
Section 889(a)(1)(A)—referred to as "Part A"—prohibits the head of an executive agency, on or after August 13, 2019, from procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless an exception applies or a waiver is granted under FAR 4.2104. This prohibition is direct and transactional: the government may not buy covered equipment or services, and contractors may not provide covered equipment or services to the government in performance of a contract, even as an incidental component of a larger deliverable.
Section 889(a)(1)(B)—"Part B"—took effect one year later, on August 13, 2020, and is significantly broader in scope. It prohibits the head of an executive agency from entering into a contract, or extending or renewing a contract, with an entity that uses any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. The prohibition applies to contractor use regardless of whether that use is in performance of work under a Federal contract. In other words, if a contractor uses a Huawei router or a Hikvision surveillance camera anywhere in its enterprise—even in support of purely commercial work unrelated to any government contract—the contractor is prohibited from receiving new federal contracts, extensions, renewals, or option exercises absent a waiver. This sweeping "use" prohibition creates an enterprise-wide compliance burden: contractors must scrub their entire information-technology and physical-security infrastructure, not just systems that touch government data or contract deliverables.
Covered telecommunications equipment or services—the five named entities plus catch-all
FAR Subpart 4.21 defines "covered telecommunications equipment or services" in four categories. The first category, applicable under both Part A and Part B, is telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation (or any subsidiary or affiliate of such entities). The second category, applicable only for specified national-security purposes—public safety, security of Government facilities, physical security surveillance of critical infrastructure, and other national security purposes—is video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities). The third category is telecommunications or video surveillance services provided by any of the five named entities or using equipment produced by them. The fourth category is a catch-all: telecommunications or video surveillance equipment or services produced or provided by an entity that the Secretary of Defense, in consultation with the Director of National Intelligence or the Director of the Federal Bureau of Investigation, reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country. "Covered foreign country" is defined at FAR 4.2101 as the People's Republic of China.
The statute and the FAR define "substantial or essential component" as any component necessary for the proper function or performance of a piece of equipment, system, or service. "Critical technology" is defined by cross-reference to the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), codified at 50 U.S.C. § 4565(a)(6)(A), and encompasses defense articles on the U.S. Munitions List, items on the Commerce Control List, nuclear equipment and material, select agents and toxins, and emerging and foundational technologies controlled under the Export Control Reform Act. The breadth of these definitions means that covered telecommunications equipment or services embedded as firmware, routers, switches, or cloud-hosting infrastructure can trigger the prohibition even when the contractor does not recognize the component as "Chinese."
Representation and disclosure requirements—FAR 52.204-24 and 52.204-26
Offerors must complete two representations under FAR 52.204-24, which is prescribed in all solicitations. The first representation, tied to Part A, asks whether the offeror "will" or "will not" provide covered telecommunications equipment or services to the Government in the performance of any contract, subcontract, or other contractual instrument resulting from the solicitation. The second representation, tied to Part B and triggered by the offeror's duty to conduct a "reasonable inquiry," asks whether the offeror "does" or "does not" use covered telecommunications equipment or services, or use any equipment, system, or service that uses covered telecommunications equipment or services. FAR 4.2101 defines "reasonable inquiry" as an inquiry designed to uncover any information in the entity's possession about the identity of the producer or provider of covered telecommunications equipment or services used by the entity; the definition explicitly excludes the need to conduct an internal or third-party audit, but it is not a free pass—contractors must investigate supply chains, review vendor documentation, and confirm the origin of telecommunications and video-surveillance systems.
If an offeror responds affirmatively to either representation—indicating it will provide covered equipment or does use covered equipment—FAR 52.204-24 requires detailed disclosure in paragraph (e) of the provision. For Part A, the offeror must disclose the covered telecommunications equipment or services being provided, the entity producing or providing the equipment or services, a description of the equipment or services, and an explanation of why the offeror considers the disclosure permissible under an exception or waiver. For Part B, disclosure requirements vary depending on whether the procurement is for equipment, maintenance-related services, or other services; in all cases, the offeror must identify the covered equipment, the producer, and, if applicable, the system in which it is used.
To reduce repeated representations, FAR 52.204-26, "Covered Telecommunications Equipment or Services—Representation," allows offerors to complete an annual representation in the System for Award Management (SAM) at SAM.gov. If an offeror has represented in SAM that it does not provide and does not use covered telecommunications equipment or services, the offeror may skip the offer-by-offer representation in FAR 52.204-24. However, if the SAM representation is affirmative, the offeror must complete the full FAR 52.204-24 representation and disclosure in every offer. The SAM annual representation does not relieve the offeror of the duty to update if facts change during the year; FAR 52.204-25 imposes a continuing obligation to report discoveries during performance.
Contract clause and the one-business-day reporting rule—FAR 52.204-25
FAR 52.204-25 is prescribed in all contracts and reiterates the Part A and Part B prohibitions. Paragraph (d) of the clause imposes a rapid-reporting obligation: if a contractor identifies covered telecommunications equipment or services during contract performance, or is notified by a subcontractor at any tier, the contractor must report the discovery to the contracting officer within one business day from the date of identification or notification. The report must include the contract number, order number (if applicable), supplier name, brand, model number, item description, and any readily available information about mitigation actions already undertaken or recommended. Within ten business days of the initial report, the contractor must provide any further available information about mitigation actions and describe the efforts undertaken to prevent use or submission of covered telecommunications equipment or services and any additional measures that will be incorporated to prevent future use or submission. The one-business-day reporting window is a hard deadline; late reporting can trigger a show-cause action under the clause or a mandatory-disclosure event under FAR Subpart 9.4 and 52.203-13 if the contractor had knowledge before the triggering event.
The clause flows down to subcontracts. Paragraph (e) requires the contractor to insert the substance of FAR 52.204-25, including the flow-down requirement and excluding the Part A prohibition in paragraph (b)(1) (which applies only to direct government procurement), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services. This makes Section 889 compliance a vertical supply-chain obligation; prime contractors are responsible for ensuring that every tier of subcontractor either does not use covered telecommunications equipment or services or has obtained an exception or waiver.
Exceptions and waiver procedures
FAR 4.2102(b) lists five narrow exceptions to the Part A and Part B prohibitions. Under these exceptions, the prohibitions do not bar contractors from providing: (1) a service that connects to the facilities of a third party, such as backhaul, roaming, or interconnection arrangements; (2) telecommunications equipment that cannot route or redirect user data traffic or cannot permit visibility into any user data or packets that such equipment transmits or otherwise handles; (3) security surveillance or video surveillance not used for covered purposes (i.e., not for public safety, security of Government facilities, physical security surveillance of critical infrastructure, or other national security purposes); (4) equipment, systems, or services used for research, law enforcement, security, or intelligence purposes conducted on a temporary basis; or (5) other national security purposes. These exceptions are self-executing—if an exception applies, the offeror may proceed without a waiver—but the contracting officer may require the offeror to provide supporting documentation if the CO has reason to question the representation.
If no exception applies, a contractor may request a waiver under FAR 4.2104. For Part A waivers, the agency head (or designee) may grant a waiver on a case-by-case basis if the agency determines that the equipment, system, or service is essential to the mission or to national security, and that the agency has implemented a plan to eliminate the use of or dependence on such equipment, system, or service. For Part B waivers, the waiver authority is the same, but the standard is higher: the agency must determine that the entity's use of covered telecommunications equipment or services is in a system that is not a substantial or essential component, and that adequate safeguards are in place. Waiver requests must be submitted to the contracting officer, who forwards the request to the agency head or designee; DoD's waiver procedures are implemented through memoranda from the Under Secretary of Defense for Acquisition and Sustainment and are published on the Defense Pricing and Contracting website at acq.osd.mil/asda/dpc/cp/cyber/section-889.html. Waivers are rare; as of the date of this section, publicly reported waivers have been limited to mission-critical systems where immediate replacement would disrupt operations.
Applicability to contract modifications, option exercises, and indefinite-delivery contracts
FAR Subpart 4.21 specifies precise applicability rules tied to the Part A and Part B effective dates. For Part A (August 13, 2019), contracting officers must include FAR 52.204-24 and 52.204-25 in solicitations issued on or after August 13, 2019, and in solicitations issued before August 13, 2019 if award occurs on or after August 13, 2019. The clause must also be included in modifications that extend the period of performance (including option exercises) beyond August 12, 2019. For indefinite-delivery contracts awarded before August 13, 2019, contracting officers must modify the contract under FAR 1.108(d) to include FAR 52.204-25 prior to placing any order on or after August 13, 2019.
For Part B (August 13, 2020), the same applicability rules apply with the later trigger date. Importantly, the Part B prohibition applies at contract award, contract extension, contract renewal, and option exercise. FAR 4.2103 provides that the contracting officer "may rely" on a contractor's representation in FAR 52.204-24, 52.204-26, or FAR 52.212-3(v) unless the contracting officer has reason to question the representation. But the regulation does not relieve the contractor of the obligation to re-certify current compliance at each option exercise or modification that extends or renews the contract. A contractor that was compliant at award but subsequently deployed a Hikvision camera system for office security must disclose that change before the government exercises the next option period; failure to do so is a False Claims Act and suspension-and-debarment risk.
SAM exclusions list and RPA lookup capability
Under FAR 4.2102(d), the General Services Administration maintains a list in SAM.gov of entities excluded from receiving federal awards for covered telecommunications equipment or services. The list includes the five named entities and known subsidiaries or affiliates. Contracting officers are directed to check the SAM exclusions list when evaluating offers, and DoD has deployed a robotic process automation (RPA) lookup capability, announced in a November 30, 2020 memorandum from the Director, Defense Pricing and Contracting, to allow contracting officers to quickly review SAM representations and cross-check them against the exclusions list. The RPA tool flags affirmative representations and prompts the CO to request additional documentation or refer the matter for a waiver determination before proceeding with award.
Relationship to DFARS telecommunications prohibitions
Section 889 is distinct from, and in addition to, DFARS Subpart 204.73 and the related DFARS clauses 252.204-7016 (Covered Defense Telecommunications Equipment or Services—Representation), 252.204-7017 (Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services—Representation by Offerors), and 252.204-7018 (Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services). The DFARS clauses, finalized in January 2021, implement a separate statutory prohibition codified at 10 U.S.C. § 3252 (formerly 10 U.S.C. § 2279) and define "covered defense telecommunications equipment or services" with overlapping but not identical scope to Section 889's definitions. Contractors performing DoD contracts must comply with both the FAR Section 889 regime (through FAR 52.204-24 and 52.204-25) and the DFARS regime (through DFARS 252.204-7016, -7017, and -7018). The DFARS provisions add reporting obligations into the Supplier Performance Risk System (SPRS) for covered defense telecommunications and impose additional subcontract flow-down requirements; they do not provide relief from Section 889. Where the FAR and DFARS prohibitions overlap, both apply, and the more restrictive standard governs.
Sources: Pub. L. 115-232, Section 889; FAR Subpart 4.21; FAR 52.204-24; FAR 52.204-25; 84 Fed. Reg. 40208 (Aug. 13, 2019); 85 Fed. Reg. 42665 (July 14, 2020).
FAR 52.204-21 — Basic safeguarding of Federal Contract Information and the 15-control baseline
FAR clause 52.204-21, "Basic Safeguarding of Covered Contractor Information Systems," establishes the minimum cybersecurity baseline for all federal contractors—DoD, civilian agencies, and NASA—whose information systems process, store, or transmit Federal Contract Information (FCI). Finalized in the May 16, 2016 Federal Register final rule and effective June 15, 2016, the clause prescribes 15 basic security controls that contractors must implement to protect the confidentiality and integrity of FCI on contractor-owned or contractor-operated information systems. Unlike DFARS 252.204-7012 and the CMMC program, which apply only to DoD contracts, FAR 52.204-21 is a government-wide requirement: every federal acquisition (except COTS-only procurements) triggers the clause whenever the contractor or any subcontractor may have FCI residing in or transiting through its information system. The clause is also the foundation for CMMC Level 1; the October 15, 2024 CMMC Program rule at 32 C.F.R. § 170.3 references the "security requirements set forth in 48 CFR 52.204-21" as the verification target for Level 1 self-assessments.
Federal Contract Information — the triggering category
FAR Subpart 4.19 and FAR 52.204-21 define "Federal contract information" as information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government. The definition explicitly excludes information provided by the Government to the public (such as on public websites) and simple transactional information, such as that necessary to process payments. FCI is broader than Controlled Unclassified Information (CUI): FCI includes non-public government-provided specifications, statements of work, deliverable data (technical reports, software, research results generated under a contract), and any other contract-related information the government does not intend for public release. The triggering event is the possibility that FCI may reside in or transit through a contractor information system in performance of the contract; contracting officers are instructed in FAR Subpart 4.19 to include the clause when the contractor or a subcontractor at any tier may have FCI in its information system, and the regulation places the burden on the government's technical team to assess that possibility during acquisition planning under FAR 7.105(b)(18).
Covered contractor information system — the scope boundary
A "covered contractor information system" is an information system that is owned or operated by a contractor that processes, stores, or transmits Federal contract information. "Information system" is defined at FAR 2.101 as a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information (44 U.S.C. § 3502). This definition captures servers, desktops, laptops, mobile devices, email systems (cloud-based or on-premises), file shares, and any other IT infrastructure component that handles FCI. Contractors may limit the scope of the 15 requirements by isolating FCI processing to designated systems or enclaves—an architectural approach permitted under the clause—but any system that processes, stores, or transmits FCI, even temporarily, is a covered contractor information system and must implement the 15 controls.
The 15 basic safeguarding requirements
Paragraph (b)(1) of FAR 52.204-21 mandates 15 security controls, enumerated in subparagraphs (i) through (xv). These controls are drawn from NIST SP 800-171 and represent a simplified, entry-level subset of the full 110 NIST SP 800-171 Revision 2 requirements applicable to CUI systems under DFARS 252.204-7012. The 15 controls address access control, authentication, physical security, communications protection, media sanitization, vulnerability management, and malware defense:
(i) Access control — authorized users only. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
(ii) Least privilege — function and transaction limitations. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
(iii) External system connections. Verify and control/limit connections to and use of external information systems.
(iv) Public-facing systems. Control information posted or processed on publicly accessible information systems.
(v) Identification. Identify information system users, processes acting on behalf of users, or devices.
(vi) Authentication. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
(vii) Media sanitization. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
(viii) Physical access control. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(ix) Visitor control and physical access audit. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
(x) Communications protection. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
(xi) Boundary separation — public subnetworks. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
(xii) Flaw remediation. Identify, report, and correct information and information system flaws in a timely manner.
(xiii) Malicious code protection. Provide protection from malicious code at appropriate locations within organizational information systems.
(xiv) Malware updates. Update malicious code protection mechanisms when new releases are available.
(xv) Scanning. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Paragraph (b)(1) of the clause states that these requirements are the minimum ("at a minimum"); contractors may need to implement additional controls to meet the standard if their particular environment or threat profile demands it. The controls are technology-neutral: the clause does not prescribe specific products or configurations, leaving contractors discretion to implement the controls in a manner appropriate to their IT environment.
Relationship to other safeguarding requirements — the floor, not the ceiling
Paragraph (b)(2) of FAR 52.204-21 includes a critical non-abrogation provision: the clause does not relieve the contractor of any other specific safeguarding requirements specified by Federal agencies and departments relating to covered contractor information systems generally or other Federal safeguarding requirements for controlled unclassified information (CUI) as established by Executive Order 13556. This means FAR 52.204-21 is a floor, not a ceiling. Contractors performing DoD contracts subject to DFARS 252.204-7012 must comply with both the 15 FAR controls (for FCI) and the 110 NIST SP 800-171 Revision 2 requirements (for CUI). Contractors working on contracts that involve CUI or other agency-specific information types (personally identifiable information under the Privacy Act, export-controlled technical data under ITAR or EAR, classified information under the National Industrial Security Program) must layer the applicable controls on top of the FAR 52.204-21 baseline. The clause does not consolidate or replace those requirements; it adds a uniform government-wide floor for all FCI.
Prescription and applicability — FAR Subpart 4.19
FAR 4.1903 (redesignated as FAR 4.404-3 in the January 15, 2025 CUI final rule, effective in future FAR releases) prescribes FAR 52.204-21 in solicitations and contracts when the contractor or a subcontractor at any tier may have Federal contract information residing in or transiting through its information system. Under FAR Subpart 4.19, the clause applies to all acquisitions, including acquisitions of commercial products or commercial services, except solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. There is no dollar-threshold exclusion: the clause applies to acquisitions below the simplified-acquisition threshold if FCI may be involved. The clause applies to FAR Part 12 commercial-item procurements unless the procurement is solely for COTS items; the May 16, 2016 Federal Register preamble notes that agencies may not exclude contracts falling under FAR Part 12 from the safeguarding requirement because information may still need to be protected despite the use of Part 12 procedures.
The clause became effective June 15, 2016. Contracting officers must include FAR 52.204-21 in solicitations issued on or after June 15, 2016, and in contract modifications executed on or after that date when FCI may be involved. The Federal Register preamble states that the rule is mandatory and effective immediately upon contract award or contract modification execution.
Subcontract flow-down — mandatory at all tiers
Paragraph (c) of FAR 52.204-21 imposes a vertical flow-down obligation: the contractor must include the substance of the clause, including the flow-down requirement in paragraph (c), in subcontracts under the contract (including subcontracts for the acquisition of commercial products or commercial services, other than commercially available off-the-shelf items), in which the subcontractor may have Federal contract information residing in or transiting through its information system. This makes FAR 52.204-21 compliance a supply-chain obligation at all tiers. Prime contractors must assess whether each subcontractor will handle FCI and, if so, flow the clause down. The COTS exclusion applies to subcontracts: if a subcontract is solely for COTS items, the prime need not include FAR 52.204-21 in that subcontract. But if the subcontract includes commercial services or non-COTS commercial items, and the subcontractor may have FCI, the clause must flow down.
No explicit incident-reporting obligation — contrast with DFARS 252.204-7012
Unlike DFARS 252.204-7012, which imposes a 72-hour cyber-incident reporting obligation to DoD at dibnet.dod.mil, FAR 52.204-21 does not contain an explicit cyber-incident reporting requirement tied to FCI. The clause requires contractors to implement the 15 controls, but it does not mandate reporting of breaches or incidents involving FCI to the contracting officer or to a central government repository. However, contractors should be aware that other legal obligations may trigger reporting duties: the Procurement Integrity Act (41 U.S.C. § 2102) and FAR 52.203-13 impose mandatory disclosure of credible evidence of certain violations, including situations where a contractor knows that FCI was improperly disclosed or accessed; the Federal Information Security Modernization Act of 2014 (FISMA) may impose breach-notification obligations when the contractor is operating a federal information system on behalf of an agency; and agency-specific cybersecurity clauses may add incident-reporting requirements. The absence of an explicit FCI incident-reporting requirement in FAR 52.204-21 does not create a safe harbor; it reflects the clause's focus on system safeguarding (controls on the information system) rather than information protection (controls on the data itself). The May 16, 2016 Federal Register preamble notes that the final rule removed proposed requirements relating to transmission of electronic information, voice, and fax because those requirements addressed "protection of information" outside the scope of the final rule, which deals with safeguards for the contractor's information system.
CMMC Level 1 and the FAR 52.204-21 baseline
The CMMC Program at 32 C.F.R. Part 170 designates FAR 52.204-21 as the security-requirements baseline for CMMC Level 1. Under DFARS 204.7501, CMMC Level 1 applies when contractor information systems will process, store, or transmit Federal Contract Information (FCI), and the required certification is a self-assessment conducted annually with an affirmation of continuous compliance by an affirming official. The assessment is entered into the Supplier Performance Risk System (SPRS) and assigned a CMMC Unique Identifier (CMMC UID). The October 15, 2024 CMMC Program final rule preamble states that Level 1 requires implementation of cybersecurity practices "set forth in 48 CFR 52.204-21" and notes that the CMMC Program utilizes the security standards in FAR 52.204-21 "as applicable." This makes FAR 52.204-21 compliance the necessary and sufficient condition for CMMC Level 1 status: a contractor that has implemented the 15 controls for its FCI systems, documented the implementation in a self-assessment, and submitted the results to SPRS with an annual affirmation has satisfied CMMC Level 1. Contractors performing on DoD contracts that require CMMC Level 1 (Self) status under DFARS 252.204-7021 are implementing FAR 52.204-21; there is no separate set of CMMC Level 1 requirements.
Enforcement and remedies — contractual breach and suspension-and-debarment risk
Failure to implement the 15 FAR 52.204-21 controls is a breach of contract. The May 16, 2016 Federal Register preamble includes a significant qualification: "Generally, as long as the safeguards are in place, failure of the controls to adequately protect the information does not constitute a breach of contract." This language suggests that the government's focus is on implementation of the controls, not on the outcome of perfect protection. A contractor that has implemented the 15 controls in good faith but suffers a breach due to a zero-day exploit or an advanced persistent threat would not automatically be in breach of FAR 52.204-21. However, a contractor that fails to implement one or more of the 15 controls—no authentication mechanism, no malware protection, no media sanitization process—is in breach, and the government may pursue contractual remedies including cure notices, show-cause actions, and termination for default under FAR Part 49.
Additionally, knowing or reckless failure to implement FAR 52.204-21 controls may trigger False Claims Act (FCA) liability under 31 U.S.C. §§ 3729–3733 if the contractor submitted invoices or certifications (such as a CMMC Level 1 self-assessment or a representation under FAR 52.204-26) falsely representing compliance. The FCA's scienter standard—knowledge, deliberate ignorance, or reckless disregard of the truth—can be satisfied when a contractor certifies compliance with FAR 52.204-21 or CMMC Level 1 without conducting the required assessment or implementing the required controls. Material noncompliance with FAR 52.204-21 may also support suspension or debarment under FAR Subpart 9.4 if the contractor's conduct demonstrates a lack of present responsibility or business integrity. The mandatory-disclosure obligation under FAR 52.203-13 requires contractors to disclose credible evidence of violations of federal criminal law or the civil False Claims Act relating to the award or performance of a government contract; a contractor that discovers after contract award that it was not compliant with FAR 52.204-21 at the time of its compliance representation should evaluate whether mandatory disclosure is required.
January 2025 FAR CUI rule — redesignation and revised FCI definition
The Federal Register published a final rule on January 15, 2025, reorganizing FAR Subpart 4.19 into a new FAR Section 4.404 as part of a broader FAR CUI implementation. The January 2025 rule redesignates FAR 4.1903 (the prescription for FAR 52.204-21) as FAR 4.404-3, moves the definition of "covered contractor information system" to FAR 4.404-1, and changes the term "Federal contract information" to "covered Federal information" in the FAR text (though not in the clause itself as of the current effective date). The revised definition of "covered Federal information" clarifies that the term excludes CUI and classified information, addressing practitioner confusion about overlap. The January 2025 rule also updates the prescription in FAR 4.404-3 to exclude not only solicitations and contracts solely for COTS items, but also Federally-funded basic and applied research in science, technology, and engineering at colleges, universities, and laboratories in accordance with National Security Decision Directive 189 when the agency does not provide any covered Federal information to the contractor. These changes will take effect when incorporated into the FAR through a future Federal Acquisition Circular; as of the date of this section, FAR 52.204-21 and FAR Subpart 4.19 remain in effect as published in the June 15, 2016 final rule, and the operative term in the clause remains "Federal contract information," not "covered Federal information."
Sources: FAR 52.204-21; FAR Subpart 4.19; 81 Fed. Reg. 30439 (May 16, 2016); 32 C.F.R. § 170.3; 90 Fed. Reg. 4278 (Jan. 15, 2025).
CMMC assessment and certification mechanics — C3PAO, DIBCAC, POA&M, SPRS, and CMMC UID
The CMMC Program requires contractors to obtain and maintain a current CMMC status—not merely to implement the underlying security requirements—before a DoD contracting officer may award a contract, exercise an option, or extend a period of performance. Under DFARS 204.7503(b), contracting officers must check the Supplier Performance Risk System (SPRS) at award and may not award a contract, task order, or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level required by the solicitation, or higher, for each CMMC Unique Identifier (CMMC UID) provided by the offeror. A parallel gate applies at option exercise under DFARS 204.7503(c). The mechanics of how a contractor obtains a current CMMC status—assessment procedures, Plan of Action and Milestones (POA&M) conditions, SPRS submission, and annual affirmations—are codified at 32 C.F.R. Part 170 Subparts C and D and implemented contractually through DFARS 252.204-7021.
Level 1 (Self) — annual self-assessment with no third-party verification
Level 1 applies when contractor information systems will process, store, or transmit Federal Contract Information (FCI). Under 32 C.F.R. § 170.15, the contractor (termed the "Organization Seeking Assessment" or OSA for self-assessments) must conduct an annual self-assessment against the 15 basic safeguarding requirements in FAR 52.204-21, document the results, and submit the assessment to SPRS with an affirmation of continuous compliance by an affirming official. The assessment is entered by the contractor itself; there is no C3PAO involvement and no government-led verification. The contractor assigns a CMMC UID to the assessment in SPRS, and the UID becomes the tracking identifier for that information system. A Level 1 status is current if the self-assessment is not older than one year and there is a corresponding affirmation of continuous compliance by an affirming official not older than one year. No Plan of Action and Milestones (POA&M—a remediation plan for outstanding control gaps) is permitted for Level 1; the contractor must achieve full implementation of all 15 requirements to obtain a valid Level 1 (Self) status.
Level 2 (Self) — triennial self-assessment with annual affirmations
Level 2 (Self) applies when the solicitation specifies Level 2 compliance demonstrated through self-assessment. The contractor must conduct a self-assessment every three years against all 110 security requirements in NIST SP 800-171 Revision 2 and submit the results to SPRS. Under 32 C.F.R. § 170.16, the contractor may achieve Conditional Level 2 (Self) status if the assessment results in a POA&M and the POA&M meets the conditions in § 170.21(a)(2): (i) the assessment score divided by the total number of CMMC Level 2 security requirements (110) is greater than or equal to 0.8, and (ii) none of the security requirements included in the POA&M have a point value greater than 1 as specified in the CMMC Scoring Methodology at § 170.24, except that SC.L2-3.13.11 (CUI encryption at rest) may be included even though it has a point value of 3. This means a contractor may receive Conditional status with up to 22 NOT MET requirements (an assessment score of 88 or higher) if the outstanding requirements are all 1-point requirements (plus the CUI-encryption exception). High-value requirements—those worth 3 or 5 points under the CMMC Scoring Methodology—cannot be placed on a POA&M; a NOT MET finding for a high-value requirement results in an assessment failure, not a Conditional status.
The contractor must remediate all POA&M items and complete a POA&M closeout self-assessment within 180 days of the CMMC Status Date associated with the Conditional Level 2 (Self). If the POA&M is successfully closed out, the contractor achieves Final Level 2 (Self) status. If the POA&M is not closed out within 180 days, the Conditional status expires, and the contractor is ineligible for additional awards requiring Level 2 status until a new assessment is completed. A Final Level 2 (Self) status is current if the assessment is not older than three years, there have been no changes in compliance with 32 C.F.R. Part 170 since the Final CMMC Status date, and there is a corresponding affirmation of continuous compliance by an affirming official not older than one year.
Level 2 (C3PAO) — triennial third-party certification with annual affirmations
Level 2 (C3PAO) applies when the solicitation specifies Level 2 compliance demonstrated through independent assessment by a Certified Third-Party Assessment Organization (C3PAO). C3PAOs are commercial companies authorized by the CMMC Accreditation Body (Cyber AB) and accredited under ISO/IEC 17020:2012(E) to conduct CMMC Level 2 assessments. Under 32 C.F.R. § 170.9, C3PAOs must employ Certified CMMC Assessors (CCAs) who have undergone Tier 3 background investigations resulting in a determination of national security eligibility. The Assessment Team must include at least two people: a Lead CCA and at least one other CCA. C3PAO personnel must complete the background investigation using Standard Form (SF) 86, but the investigation does not result in a security clearance and is not for the purpose of government employment; the positions are designated as non-critical sensitive with a risk designation of "Moderate Risk."
The contractor (termed the "Organization Seeking Certification" or OSC for C3PAO and DIBCAC assessments) selects a C3PAO from the Cyber AB's publicly accessible marketplace and engages the C3PAO under contract. The C3PAO conducts the Level 2 certification assessment by evaluating all 110 NIST SP 800-171 Revision 2 requirements using the assessment procedures in NIST SP 800-171A and the CMMC Assessment Guide Level 2 published by DoD. The assessment methods are examine (review of documentation and artifacts), interview (discussions with personnel), and test (hands-on verification of controls). Each of the 110 requirements is assessed and scored as MET, NOT MET, or NOT APPLICABLE. The C3PAO uploads the assessment results into the CMMC instantiation of eMASS (the DoD Enterprise Mission Assurance Support Service), which provides automated transmission to SPRS. The assessment inputs into eMASS must include, at minimum, the contractor's Commercial and Government Entity (CAGE) codes associated with the information systems addressed by the CMMC Assessment Scope, the OSC name, the C3PAO name, the assessment unique identifier (which becomes the CMMC UID), and the assessment results for all 110 requirements.
Under 32 C.F.R. § 170.17(a)(1)(ii), the OSC achieves Conditional Level 2 (C3PAO) status if the Level 2 certification assessment results in a POA&M and the POA&M meets the same conditions as Level 2 (Self): assessment score ≥ 88 (0.8 × 110), and no requirements with point value > 1 except the CUI-encryption requirement on the POA&M. The contractor must remediate all POA&M items and undergo a POA&M closeout certification assessment from a C3PAO within 180 days of the CMMC Status Date. The C3PAO posts the closeout results into eMASS. If the closeout is successful, the contractor achieves Final Level 2 (C3PAO) status. If the POA&M is not closed out within 180 days, the Conditional status expires, and standard contractual remedies apply.
Achieving a CMMC Status of Level 2 (C3PAO) also satisfies the requirements for Level 1 (Self) and Level 2 (Self) for the same CMMC Assessment Scope. A contractor with a current Final Level 2 (C3PAO) status does not need a separate Level 1 or Level 2 (Self) assessment for the same information system.
Level 3 (DIBCAC) — government-led triennial assessment with dual annual affirmations
Level 3 applies when contractor information systems will process, store, or transmit CUI designated by DoD as involving "high-value assets." Level 3 certification assessments are conducted exclusively by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a component of the Defense Contract Management Agency (DCMA). Under 32 C.F.R. § 170.18, a contractor must achieve a CMMC Status of Final Level 2 (C3PAO) for the Level 3 CMMC Assessment Scope as a prerequisite to initiating a Level 3 assessment. This means any Level 2 POA&M must be closed out and the contractor must hold a Final (not Conditional) Level 2 status before DIBCAC will schedule a Level 3 assessment. The Level 3 Assessment Scope may be equal to, or a subset of, the Level 2 Assessment Scope, but it cannot be broader.
The contractor initiates a Level 3 certification assessment by emailing a request to DCMA DIBCAC at the point of contact published at www.dcma.mil/DIBCAC. The request must include the Level 2 certification assessment unique identifier (the CMMC UID from the Final Level 2 C3PAO assessment). DIBCAC validates that the OSC has achieved Final Level 2 (C3PAO) status and contacts the OSC to schedule the Level 3 assessment.
DIBCAC performs the Level 3 certification assessment in accordance with NIST SP 800-171A (for the 110 Level 2 requirements) and NIST SP 800-172A, "Assessing Enhanced Security Requirements for Controlled Unclassified Information" (for the 24 additional Level 3 requirements). The 24 enhanced requirements are selected controls from NIST SP 800-172, "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171," published February 2021. The OSC must achieve a MET result for all 134 requirements (110 from Level 2 plus 24 from Level 3) to achieve a Final Level 3 (DIBCAC) status. DIBCAC submits the assessment results into the CMMC instantiation of eMASS, which transmits the results to SPRS.
Under 32 C.F.R. § 170.18(a)(1)(ii), the OSC achieves Conditional Level 3 (DIBCAC) status if the assessment results in a POA&M and the POA&M meets all CMMC Level 3 POA&M requirements listed in § 170.21(a)(3). The contractor must remediate any NOT MET requirements and undergo a POA&M closeout certification assessment from DIBCAC within 180 days of the CMMC Status Date. If the POA&M is successfully closed out, the contractor achieves Final Level 3 (DIBCAC) status. If the POA&M is not closed out within 180 days, the Conditional Level 3 (DIBCAC) status expires, and standard contractual remedies apply.
To maintain Level 3 (DIBCAC) status, the contractor must undergo a new Level 3 certification assessment every three years and a new Level 2 (C3PAO) certification assessment every three years. The two assessments are independent and must both remain current. Because Final Level 2 (C3PAO) is a prerequisite for Level 3, the contractor must maintain dual compliance and submit dual annual affirmations—one for the Level 2 (C3PAO) UID and one for the Level 3 (DIBCAC) UID. Achieving a CMMC Status of Level 3 (DIBCAC) satisfies the requirements for Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO) for the same CMMC Assessment Scope.
DoD reserves the right under 32 C.F.R. § 170.17(a)(1)(iv) to conduct a DIBCAC assessment of any OSC with a Level 2 (C3PAO) status to validate the C3PAO's assessment results. If the investigative results show that adherence to the provisions of 32 C.F.R. Part 170 has not been achieved or maintained, the DIBCAC results take precedence over the pre-existing C3PAO CMMC Status, and standard contractual remedies apply.
CMMC Unique Identifier (CMMC UID) — the system-level tracking mechanism
DFARS 204.7501 defines "Cybersecurity Maturity Model Certification unique identifier (CMMC UID)" as "10 alpha-numeric characters assigned to each CMMC assessment and reflected in the Supplier Performance Risk System (SPRS) for each contractor information system." The CMMC UID is the tracking identifier contracting officers check in SPRS to verify that a contractor has a current CMMC status for each information system that will process, store, or transmit FCI or CUI in performance of the contract. A single contractor may have multiple CMMC UIDs—one for each assessed information system or assessment scope. Under DFARS 252.204-7025 (the solicitation provision), offerors must provide the CMMC UID for each information system that will be used in performance of the contract. Under DFARS 252.204-7021 (the contract clause), the contractor must notify the contracting officer within 30 days of a change to a CMMC UID (such as when a reassessment generates a new UID or when a new system is brought into scope), and must maintain a current CMMC status for each UID throughout the contract period of performance.
SPRS submission and the affirming official — annual attestation of continuous compliance
The Supplier Performance Risk System (SPRS) is the DoD's centralized database for contractor cybersecurity assessment results and CMMC status. SPRS is accessible via the DoD Procurement Integrated Enterprise Environment (PIEE) at piee.eb.mil. For Level 1 and Level 2 (Self) assessments, the contractor enters the assessment results directly into SPRS using the "Add New CMMC Level 1 Self-Assessment" or "Add New CMMC Level 2 Self-Assessment" function, which requires an active "SPRS Cyber Vendor Role" in PIEE. For Level 2 (C3PAO) and Level 3 (DIBCAC) assessments, the C3PAO or DIBCAC uploads the results into the CMMC instantiation of eMASS, and eMASS transmits the results automatically to SPRS.
After the assessment is entered into SPRS, an affirming official must complete an affirmation of continuous compliance in SPRS. DFARS 204.7501 defines "affirming official" as "a designated senior official within the contractor's organization responsible for completing and maintaining annual affirmations of continuous compliance in the Supplier Performance Risk System (SPRS) for each CMMC unique identifier (UID)." The affirming official must be a senior official with the authority to attest to the company's continued compliance with all applicable security requirements; for many small businesses, this is the chief executive officer, chief information officer, or chief financial officer. The affirmation must be completed at least once every 12 months for each CMMC UID. Under 32 C.F.R. § 170.22, the affirmation must state that there have been no changes in compliance with the requirements at 32 C.F.R. Part 170 since the CMMC Status date (for Final status) or since the last affirmation (for subsequent annual affirmations), or, if there have been changes, that the changes have been addressed and the system remains compliant.
A CMMC status is only "current" if both the assessment timeliness requirement and the affirmation timeliness requirement are met. For Final Level 2 (C3PAO) status, the assessment must be not older than three years, there must have been no changes in compliance since the Final CMMC Status date (or changes must have been remediated), and there must be a corresponding affirmation of continuous compliance by an affirming official not older than one year. If the annual affirmation lapses, the CMMC status is no longer current, and the contractor is ineligible for new awards or option exercises requiring that level until the affirmation is updated.
Certificate of CMMC Status — issued by C3PAOs and DIBCAC, not by DoD for self-assessments
Under 32 C.F.R. § 170.9(b)(18), C3PAOs must issue Certificates of CMMC Status to OSCs in accordance with the Level 2 certification assessment requirements, including at a minimum all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope, the C3PAO name, the assessment unique identifier (the CMMC UID), the OSC name, and the CMMC Status date and level. DIBCAC issues parallel certificates for Level 3 assessments. Contractors that complete Level 1 (Self) or Level 2 (Self) assessments do not receive a certificate from DoD; the SPRS record itself is the authoritative evidence of CMMC status. Contractors may generate screenshots or exports from SPRS to provide evidence of their status to prime contractors or to contracting officers upon request, but there is no official certificate issued by DoD for self-assessments.
POA&M scoring methodology and the 1/3/5-point structure
32 C.F.R. § 170.24 establishes the CMMC Scoring Methodology. Each of the 110 NIST SP 800-171 Revision 2 requirements is assigned a point value: 1, 3, or 5 points. The score starts at the maximum of 110 (all requirements MET), and each NOT MET requirement subtracts its point value. Higher-value requirements represent foundational or high-impact controls; missing a 5-point requirement has five times the scoring impact of missing a 1-point requirement. The passing score for Final Level 2 status is 110 (all requirements MET). For Conditional Level 2 status, the minimum score is 88 (0.8 × 110), which means a contractor may have up to 22 points of NOT MET findings. But those 22 points may only be accumulated from 1-point requirements (plus the one 3-point exception for CUI encryption). Because a 3- or 5-point requirement cannot be placed on a POA&M, a NOT MET finding on such a requirement results in an assessment failure regardless of how the remaining requirements score; clearing the 88-point threshold does not rescue it. As a practical matter, therefore, NOT MET findings on high-value (3- or 5-point) requirements result in an assessment failure, not a Conditional certificate. Contractors preparing for a C3PAO assessment should identify the high-value requirements in advance (often foundational controls in the Access Control, Identification and Authentication, and System and Communications Protection families) and prioritize full implementation of those requirements before the assessment.
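The scoring, POA&M-eligibility and currency rules described above (and the Level 2 (Self) and Level 2 (C3PAO) conditions earlier in this section), as an added illustration that is not code from DoD, the CMMC program or this page. It assumes a constructed point table in which only SC.L2-3.13.11 and its 3-point value come from the page; every other requirement identifier and point value is a placeholder, and NOT APPLICABLE results are assumed to cost no points.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

TOTAL_REQUIREMENTS = 110           # NIST SP 800-171 Rev 2 requirement count
MIN_CONDITIONAL_SCORE = 88         # 0.8 x 110, per 32 C.F.R. 170.21(a)(2)(i)
POAM_CLOSEOUT_DAYS = 180           # closeout window from the CMMC Status Date
CUI_ENCRYPTION_REQ = "SC.L2-3.13.11"  # 3-point requirement still allowed on a POA&M
VALID_POINTS = {1, 3, 5}


class Status(Enum):
    FINAL = "Final Level 2"
    CONDITIONAL = "Conditional Level 2"
    FAIL = "Assessment failure"


@dataclass(frozen=True)
class Finding:
    ident: str
    points: int   # 1, 3 or 5 under the CMMC Scoring Methodology
    result: str   # "MET", "NOT MET" or "NOT APPLICABLE"


def assessment_score(findings: list) -> int:
    """110 minus the point value of every NOT MET requirement.
    Assumption (not stated on the page): NOT APPLICABLE costs no points."""
    if len(findings) != TOTAL_REQUIREMENTS:
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} findings, got {len(findings)}")
    for f in findings:
        if f.points not in VALID_POINTS:
            raise ValueError(f"{f.ident}: point value {f.points} is not 1, 3 or 5")
    return TOTAL_REQUIREMENTS - sum(f.points for f in findings if f.result == "NOT MET")


def determine_status(findings: list):
    """Return (status, ids): the POA&M items for CONDITIONAL, or the reasons for FAIL."""
    not_met = [f for f in findings if f.result == "NOT MET"]
    if not not_met:
        return Status.FINAL, []
    score = assessment_score(findings)
    # 170.21(a)(2)(ii): no POA&M item may be worth more than 1 point, except the
    # CUI-encryption requirement. A 3- or 5-point NOT MET therefore fails the
    # assessment even when the score still clears 88.
    blocking = [f.ident for f in not_met if f.points > 1 and f.ident != CUI_ENCRYPTION_REQ]
    if blocking:
        return Status.FAIL, blocking
    if score < MIN_CONDITIONAL_SCORE:
        return Status.FAIL, [f"score {score} below {MIN_CONDITIONAL_SCORE}"]
    return Status.CONDITIONAL, [f.ident for f in not_met]


def poam_closeout_deadline(cmmc_status_date: date) -> date:
    """Last day to complete the POA&M closeout assessment."""
    return cmmc_status_date + timedelta(days=POAM_CLOSEOUT_DAYS)


def _years_after(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:   # 29 February with a non-leap target year
        return d.replace(year=d.year + years, day=28)


def is_current(assessment_date: date, affirmation_date: date, today: date,
               assessment_validity_years: int = 3) -> bool:
    """Final Level 2: assessment not older than three years and an affirmation not
    older than one year. Level 1 (Self) would pass assessment_validity_years=1."""
    return (today <= _years_after(assessment_date, assessment_validity_years)
            and today <= _years_after(affirmation_date, 1))


def currency_check(assessment_iso: str, affirmation_iso: str, today_iso: str) -> bool:
    """ISO-date convenience wrapper around is_current()."""
    return is_current(date.fromisoformat(assessment_iso),
                      date.fromisoformat(affirmation_iso), date.fromisoformat(today_iso))


def sample_findings(not_met: Optional[set] = None) -> list:
    """Constructed 110-requirement assessment. Only SC.L2-3.13.11 and its 3-point
    value come from the page; HV5-*, HV3-* and LV1-* are placeholder identifiers,
    not the real DoD point table."""
    table = {CUI_ENCRYPTION_REQ: 3}
    table.update({f"HV5-{i:02d}": 5 for i in range(1, 11)})   # 10 constructed 5-pt
    table.update({f"HV3-{i:02d}": 3 for i in range(1, 11)})   # 10 constructed 3-pt
    table.update({f"LV1-{i:02d}": 1 for i in range(1, 90)})   # 89 constructed 1-pt
    gaps = not_met or set()
    return [Finding(i, p, "NOT MET" if i in gaps else "MET") for i, p in table.items()]


if __name__ == "__main__":
    scenarios = {
        "all MET": set(),
        "22 one-point gaps": {f"LV1-{i:02d}" for i in range(1, 23)},
        "23 one-point gaps": {f"LV1-{i:02d}" for i in range(1, 24)},
        "CUI encryption + 19 one-point": {CUI_ENCRYPTION_REQ} | {f"LV1-{i:02d}" for i in range(1, 20)},
        "single 5-point gap": {"HV5-01"},
    }
    for name, gaps in scenarios.items():
        f = sample_findings(gaps)
        status, items = determine_status(f)
        print(f"{name:30s} score={assessment_score(f):3d} -> {status.value} {items[:3]}")
    print("POA&M closeout deadline for a 2025-03-01 status date:", poam_closeout_deadline(date(2025, 3, 1)))
```

The "single 5-point gap" scenario is the case the paragraph warns about: the score is still well above 88, but the finding cannot go on a POA&M, so the outcome is a failure.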
Appeals process — OSC to C3PAO to Accreditation Body
Under 32 C.F.R. § 170.9(b)(19), C3PAOs must address all OSC appeals arising from Level 2 certification assessment activities. If the OSC or the C3PAO is not satisfied with the result of the appeal, either party may elevate the matter to the Accreditation Body (Cyber AB) for final determination. The C3PAO must submit assessment appeals, review records, and decision results to DoD using the CMMC instantiation of eMASS. This provides a formal dispute-resolution path when a contractor believes an assessor's NOT MET determination was incorrect or when the assessor believes the contractor is misrepresenting the state of a control. There is no parallel appeals process for self-assessments; the contractor's self-assessment results are submitted as-is, subject to potential government validation through DIBCAC or other oversight mechanisms.
Relationship to DFARS 252.204-7020 — DoD validation authority
DFARS clause 252.204-7020, "NIST SP 800-171 DoD Assessment Requirements," is a separate clause that gives DoD the right to conduct a "Medium" or "High" assessment of the contractor's NIST SP 800-171 implementation to validate the contractor's self-assessment score submitted under DFARS 252.204-7019. Medium assessments are conducted by DCMA DIBCAC at contractor locations and include interviews and examination of artifacts. High assessments are also conducted by DIBCAC and include hands-on testing in addition to interviews and examination. If DoD conducts a validation assessment and the results differ from the contractor's SPRS score, the government assessment score takes precedence. The CMMC Program leverages this validation authority at Level 2 (C3PAO) under 32 C.F.R. § 170.17(a)(1)(iv) and explicitly at Level 3 through the mandatory DIBCAC assessment. Contractors should recognize that a CMMC Level 2 (Self) status or even a Level 2 (C3PAO) status issued by a C3PAO is not immune from challenge; DoD may validate the assessment at any time and may invalidate the CMMC status if the validation reveals noncompliance.
Sources: 32 C.F.R. Part 170 Subpart D; 32 C.F.R. § 170.17; 32 C.F.R. § 170.18; 32 C.F.R. § 170.21; 32 C.F.R. § 170.24; DFARS 204.7501; DFARS 204.7503; DFARS 252.204-7021; DFARS 252.204-7020; SPRS CMMC page
FedRAMP Moderate baseline and DoD cloud-security requirements for external CSPs
When a DoD contractor uses an external cloud service provider (CSP) to store, process, or transmit covered defense information (CDI) in performance of a contract, DFARS 252.204-7012 and DFARS 252.239-7010 impose overlapping security obligations that go beyond the contractor's own NIST SP 800-171 implementation. The contractor must require and ensure that the CSP meets security requirements equivalent to the FedRAMP Moderate baseline and that the CSP complies with the cyber-incident-reporting, malicious-software, media-preservation, forensic-access, and damage-assessment obligations in DFARS 252.204-7012 paragraphs (c) through (g). This is not a pass-through obligation — the contractor remains responsible for verifying CSP compliance and for any breach or noncompliance by the CSP under the prime contract.
DFARS 252.204-7012(b)(2)(ii)(D) — the FedRAMP Moderate gate for external CSPs
Paragraph (b)(2) of DFARS 252.204-7012 establishes a two-tier security framework. Subparagraph (b)(2)(i) requires contractors to implement NIST SP 800-171 on covered contractor information systems that are not IT services or systems operated on behalf of the Government. Subparagraph (b)(2)(ii) addresses IT services or systems operated on behalf of the contractor — the contractor's use of third-party managed IT services, including cloud computing. For IT services other than cloud computing (such as managed security services or network operations centers), paragraph (b)(2)(ii) states that the service shall be subject to security requirements specified elsewhere in the contract.
For cloud computing services, paragraph (b)(2)(ii)(D) provides the operative rule: "If the Contractor intends to use an external cloud service provider to store, process, or transmit any covered defense information in performance of this contract, the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (https://www.fedramp.gov/documents-templates/) and that the cloud service provider complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment."
The clause does not permit the contractor to self-certify FedRAMP equivalency or to accept a CSP's marketing claim of compliance. The contractor must "require and ensure" — language that imposes a continuing verification and flow-down obligation. The May 2024 revision of DFARS 252.204-7012 retained this language unchanged from prior versions, and the clause date (MAY 2024) does not alter the FedRAMP Moderate standard or add new requirements; the May 2024 update refreshed hyperlinks within paragraphs (b)(2)(i) and (b)(2)(ii)(D) to reference current NIST and FedRAMP publication repositories.
What "FedRAMP Moderate baseline" means — 325 controls from NIST SP 800-53
The FedRAMP Moderate baseline is a security-authorization framework for cloud service offerings (CSOs) used by federal agencies. It consists of 325 security controls selected from NIST SP 800-53, "Security and Privacy Controls for Information Systems and Organizations," organized into 17 control families. The Moderate impact level is appropriate for CSPs that will handle government data that is not publicly available but does not rise to the High impact level (which is reserved for national-security systems, law-enforcement-sensitive information, and other high-value data). The 325 controls exceed the 110 requirements in NIST SP 800-171 Revision 2; FedRAMP Moderate fully subsumes SP 800-171.
FedRAMP authorization is granted by a federal agency Authorizing Official (AO) through an Agency Authority to Operate (ATO) or by the FedRAMP Joint Authorization Board (JAB) — a multi-agency board comprising the General Services Administration, the Department of Homeland Security, and the Department of Defense — through a Provisional Authority to Operate (P-ATO). A CSP with a FedRAMP Moderate P-ATO or Agency ATO at the Moderate baseline is listed on the FedRAMP Marketplace at marketplace.fedramp.gov. Contractors should verify CSP authorization status by checking the FedRAMP Marketplace; the marketplace lists the CSP name, the authorized services, the authorization type (JAB P-ATO or Agency ATO), the authorizing agency (for Agency ATOs), the authorization date, and the impact level (Moderate or High).
"Equivalent to" FedRAMP Moderate — the December 2023 DoD CIO equivalency memo
DFARS 252.204-7012(b)(2)(ii)(D) permits CSPs that meet security requirements "equivalent to" FedRAMP Moderate, not solely those with formal FedRAMP authorization. This language created practitioner confusion: what counts as "equivalent"? On December 21, 2023, the DoD Chief Information Officer issued a memorandum titled "FedRAMP Moderate Equivalency for Cloud Service Providers' Cloud Service Offerings," clarifying the equivalency standard. The memo establishes that a CSP may claim FedRAMP Moderate equivalency for DFARS 252.204-7012 purposes only if the CSP:
- Completes all activities and produces all artifacts required for a FedRAMP Agency ATO or JAB P-ATO at the Moderate baseline, including a complete System Security Plan (SSP), a Security Assessment Plan (SAP), a Security Assessment Report (SAR) from an accredited FedRAMP Third-Party Assessment Organization (3PAO), a Plan of Action and Milestones (POA&M), and continuous-monitoring evidence; and
- Submits the complete Body of Evidence (BoE) to the DoD sponsor or requiring activity for validation.
The memo makes clear that equivalency does not mean "we implemented controls similar to FedRAMP" or "we passed an ISO 27001 audit" or "we self-assessed against NIST SP 800-171." Equivalency requires the same rigor as a full FedRAMP authorization — assessment by an accredited 3PAO, production of the complete FedRAMP artifact set, and validation by DoD — but without FedRAMP PMO review or listing on the FedRAMP Marketplace. The memorandum states that the DoD requires contractors with defense data stored, processed, or transmitted by a CSP to use either a FedRAMP Moderate Authorized CSP (listed on the FedRAMP Marketplace) or a FedRAMP Moderate Equivalent CSP (not listed on the Marketplace but with a validated BoE meeting the criteria above). A FedRAMP Moderate Authorized CSP will require considerably less contractor effort to verify compliance than a FedRAMP Moderate Equivalent CSP, because the authorization is publicly listed and the artifacts are available through the FedRAMP repository.
The December 2023 memo does not apply to CSPs that already have a FedRAMP Moderate Authorization under the existing FedRAMP process; those CSPs are fully compliant and meet the DFARS 252.204-7012(b)(2)(ii)(D) requirement by virtue of their Marketplace listing.
DFARS 252.239-7010 — separate cloud-computing-services clause and DoD Cloud Computing SRG
DFARS clause 252.239-7010, "Cloud Computing Services," is prescribed at DFARS 239.7604(b) in solicitations and contracts for information technology services, including contracts using FAR Part 12 procedures for commercial products and commercial services. The clause applies when the Government is procuring cloud computing services — i.e., when DoD is the direct customer of the CSP — or when the contractor will use cloud computing in performance of an IT services contract. DFARS 252.239-7010 is distinct from DFARS 252.204-7012 but often appears in the same contract; both clauses may apply when a contractor performing IT services for DoD uses a CSP to store or process CDI.
Paragraph (b)(2) of DFARS 252.239-7010 requires the contractor to "implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG) (version in effect at the time the solicitation is issued or as authorized by the Contracting Officer) found at https://public.cyber.mil/dccs/dccs-documents/ unless notified by the Contracting Officer that this requirement has been waived by the DoD Chief Information Officer."
The DoD Cloud Computing Security Requirements Guide (CC SRG) is published by the Defense Information Systems Agency (DISA) and establishes DoD-specific security requirements for cloud service offerings based on the DoD Impact Level (IL) framework. The CC SRG maps cloud service offerings to Impact Levels 2, 4, 5, and 6, depending on the type of information the CSO will process. Impact Level 4 (IL4) applies to CUI and other controlled unclassified DoD information that requires protection under DoD Instructions and federal law, including information covered by DFARS 252.204-7012. Impact Level 5 (IL5) applies to CUI and national-security systems that require additional controls beyond IL4. A CSP seeking to provide cloud services at IL4 or higher must obtain a DoD Provisional Authorization (PA) issued by a DISA Authorizing Official after assessment by a DISA-led Joint Validation Team (JVT) and validation of the CSP's FedRAMP authorization plus DoD-specific overlay requirements. CSPs with a DoD PA are listed in the DoD Cloud Service Catalog maintained by DISA at disa.mil.
Relationship between FedRAMP Moderate (DFARS 252.204-7012) and DoD IL4/IL5 (DFARS 252.239-7010)
The two regimes overlap but are not identical. DFARS 252.204-7012(b)(2)(ii)(D) requires FedRAMP Moderate (or equivalent) for any external CSP storing, processing, or transmitting CDI, regardless of whether the contract is for IT services or for non-IT services (such as professional services, R&D, or manufacturing). DFARS 252.239-7010 applies only when the contract is for information technology services and requires compliance with the DoD CC SRG, which typically means the CSP must have a DoD PA at the appropriate impact level. When both clauses apply — as in an IT services contract where the contractor uses a CSP to handle CDI — the contractor must ensure the CSP satisfies both the FedRAMP Moderate baseline and the DoD CC SRG requirements for the applicable impact level.
For contractors performing non-IT contracts (e.g., research and development, engineering services, logistics support) who use commercial cloud services to store CDI, DFARS 252.204-7012(b)(2)(ii)(D) applies but DFARS 252.239-7010 typically does not (unless the contract separately includes IT services). These contractors must verify that the CSP is FedRAMP Moderate Authorized (listed on the FedRAMP Marketplace) or FedRAMP Moderate Equivalent (with a validated Body of Evidence under the December 2023 DoD CIO memo).
Contractor responsibility to "require and ensure" — not a pass-through
The language "the Contractor shall require and ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline" in DFARS 252.204-7012(b)(2)(ii)(D) imposes two obligations on the prime contractor. First, the contractor must require the CSP to meet the baseline — this is a flow-down obligation, meaning the contractor's agreement with the CSP must include the FedRAMP Moderate requirement and the DFARS 252.204-7012 paragraphs (c)–(g) obligations (cyber-incident reporting to dibnet.dod.mil, malicious-software handling, media preservation for 90 days, forensic access, and damage assessment). Second, the contractor must ensure the CSP meets the baseline — this is a verification and oversight obligation. The contractor may not accept the CSP's representation of compliance without independent verification.
If the CSP suffers a cyber incident involving the contractor's CDI, the contractor must report the incident to DoD at dibnet.dod.mil within 72 hours under DFARS 252.204-7012(c). The CSP is also required to report the incident directly if the contractor has flowed down paragraphs (c)–(g), but the prime contractor remains responsible for ensuring the report is made and for cooperating with DoD damage assessment. Failure by the CSP to report, or failure by the contractor to ensure the CSP reported, is a breach by the prime contractor under the DoD contract.
DFARS 252.204-7012(b)(2)(ii)(D) cyber-incident and forensic obligations for CSPs
The second half of DFARS 252.204-7012(b)(2)(ii)(D) requires the contractor to ensure that the CSP "complies with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment." This means the CSP must:
- (c) Cyber incident reporting — Rapidly report (within 72 hours) cyber incidents to DoD at dibnet.dod.mil and conduct a review for evidence of compromise of CDI.
- (d) Malicious software — Submit malicious software discovered on covered contractor information systems to DoD for analysis.
- (e) Media preservation and protection — Preserve and protect images of all known affected information systems and all relevant monitoring/packet-capture data for at least 90 days from the date of the cyber-incident report, and provide the media to DoD if requested.
- (f) Access to additional information or equipment — Provide DoD with access to additional information or equipment necessary for forensic analysis upon request.
- (g) Cyber incident damage assessment — Provide all requested information and cooperate with DoD to conduct damage assessment.
These obligations apply to the CSP when the CSP's environment is the locus of the incident. Major FedRAMP-authorized CSPs have their own incident-response and government-notification procedures under the FedRAMP continuous-monitoring requirements. However, DFARS 252.204-7012 imposes a DoD-specific 72-hour reporting obligation to dibnet.dod.mil, and contractors must confirm with the CSP that DoD-specific reporting is addressed in the CSP's incident-response plan or must take responsibility for making the report themselves.
Geographic data-storage requirements — U.S. and outlying areas
Paragraph (b)(3) of DFARS 252.239-7010 requires the contractor to "maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DFARS 239.7602-2(a)." This data-residency requirement applies to contracts subject to DFARS 252.239-7010 (IT services contracts with the cloud-computing clause). "Outlying areas" is defined at FAR 2.101 as U.S. territories and possessions (Puerto Rico, U.S. Virgin Islands, Guam, American Samoa, Northern Mariana Islands). CSPs operating FedRAMP-authorized services for DoD contractors typically configure their offerings to store data exclusively in U.S.-based data centers.
The December 2023 DoD CIO FedRAMP Equivalency memo does not waive the data-residency requirement. Contractors using a FedRAMP Moderate Equivalent CSP (one that is not listed on the FedRAMP Marketplace but meets the equivalency criteria) must independently verify that the CSP stores CDI only in the United States or outlying areas. If a contractor needs to use a CSP with data storage outside the United States — for example, to support overseas operations or to comply with host-nation data-sovereignty laws — the contractor must request written authorization from the contracting officer, who will coordinate with the requiring activity and obtain approval from the authorizing official under DFARS PGI 239.7602-2(b).
Standard commercial cloud services do not meet the FedRAMP Moderate baseline
DFARS 252.204-7012(b)(2)(ii)(D) prohibits contractors from using cloud services that do not meet the FedRAMP Moderate baseline to store, process, or transmit CDI. Standard commercial cloud services sold to commercial customers — such as consumer-grade email, file-storage, and collaboration platforms — do not meet the FedRAMP Moderate baseline and are not authorized for CDI under DFARS 252.204-7012. Use of a non-compliant CSP is a breach of the DFARS clause and a suspension-and-debarment risk. Contractors must verify that the specific cloud service they are using is FedRAMP Moderate Authorized (by checking the FedRAMP Marketplace at marketplace.fedramp.gov) or FedRAMP Moderate Equivalent (by obtaining a validated Body of Evidence from the CSP and confirming DoD validation under the December 2023 memo criteria). Contractors uncertain whether a CSP meets the DFARS requirement should request documentation from the CSP — including a copy of the FedRAMP authorization letter or the validated BoE — and should consult the FedRAMP Marketplace and the DoD Cloud Service Catalog before deploying the CSP for CDI storage or processing.
Source: DFARS 252.204-7012
Source: DFARS 252.239-7010
Source: DFARS Subpart 239.76
Source: DoD CIO Memorandum, FedRAMP Moderate Equivalency for Cloud Service Providers' Cloud Service Offerings (Dec. 21, 2023)
DFARS 252.246-7007 — Counterfeit electronic part detection and avoidance system for CAS-covered contractors
DFARS clause 252.246-7007, "Contractor Counterfeit Electronic Part Detection and Avoidance System," implements Section 818 of the National Defense Authorization Act for Fiscal Year 2012 (Pub. L. 112-81) and imposes supply-chain integrity obligations on DoD contractors that supply electronic parts or assemblies containing electronic parts. The clause requires CAS-covered contractors to establish and maintain a formal, risk-based counterfeit electronic part detection and avoidance system with at least twelve specified elements, subject to government review as part of the contractor purchasing system review (CPSR) process under DFARS 252.244-7001. Failure to maintain an acceptable system may result in disapproval of the purchasing system, withholding of payments, and unallowable costs under DFARS 231.205-71 for counterfeit or suspect counterfeit parts and associated rework. The clause is prescribed at DFARS 246.870-3(a) and applies broadly to procurements of electronic parts, systems or assemblies containing electronic parts, and services where the contractor will supply electronic parts or components, except for procurements solely of commercial off-the-shelf (COTS) items.
CAS-coverage trigger and applicability to subcontracts
Paragraphs (a) through (e) of DFARS 252.246-7007—including the system-establishment requirement in paragraph (b), the twelve system criteria in paragraph (c), the CPSR evaluation provision in paragraph (d), and the subcontract flow-down obligation in paragraph (e)—do not apply unless the contractor is subject to the Cost Accounting Standards under 41 U.S.C. chapter 15, as implemented at 48 C.F.R. § 9903.201-1. This means the clause imposes the detection-and-avoidance-system obligation only on prime contractors that are CAS-covered. However, under paragraph (e), CAS-covered prime contractors must flow down the substance of the clause, excluding the introductory text and including only paragraphs (a) through (e), to subcontracts at all tiers, including subcontracts for commercial products, when the subcontract is for electronic parts or assemblies containing electronic parts. This creates a vertical supply-chain compliance obligation: subcontractors at all tiers must implement the system criteria (paragraph (c)), but only CAS-covered primes and CAS-covered subcontractors are subject to the CPSR evaluation in paragraph (d). Non-CAS-covered subcontractors remain obligated to establish and maintain the counterfeit detection and avoidance system with the twelve criteria; the prime contractor is responsible for ensuring subcontractor compliance through purchasing-system controls and flow-down enforcement, and DoD may conduct surveillance of non-CAS subcontractors under FAR Subpart 42.3 and DFARS Subpart 242.3 if warranted.
Statutory definitions — counterfeit, suspect counterfeit, electronic part
DFARS 252.246-7007(a) defines three core terms drawn from Section 818 of the FY 2012 NDAA. "Counterfeit electronic part" means an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified electronic part from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes used electronic parts represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics. "Suspect counterfeit electronic part" means an electronic part for which credible evidence (including, but not limited to, visual inspection or testing) provides reasonable doubt that the electronic part is authentic. "Electronic part" means an integrated circuit, a discrete electronic component (including, but not limited to, a transistor, capacitor, resistor, or diode), or a circuit assembly, per Section 818(f)(2) of Pub. L. 112-81. The definition is intentionally broad and captures both discrete components and assemblies; software-only deliverables, optics, and purely mechanical parts are not electronic parts, but any assembly that incorporates transistors, capacitors, resistors, diodes, or integrated circuits is covered.
The twelve system criteria — paragraph (c)
Paragraph (c) of DFARS 252.246-7007 requires a counterfeit electronic part detection and avoidance system to include risk-based policies and procedures that address, at a minimum, twelve areas. The risk-based qualifier is critical: contractors must tailor the rigor of controls to the consequences of part failure and the risk profile of the supply source. The twelve criteria, set forth in subparagraphs (c)(1) through (c)(12), are:
(1) Training of personnel. The system must include training programs for personnel involved in the acquisition, inspection, testing, handling, and use of electronic parts to recognize and avoid counterfeit electronic parts and suspect counterfeit parts. Training must be appropriate to the individual's role; purchasing agents require training on authorized sources and supplier-approval processes, while inspectors and quality personnel require training on inspection techniques, testing methodologies, and visual indicators of counterfeiting (remarking, sanding, repackaging, mismatched date codes).
(2) Inspection and testing of electronic parts. The system must include inspection and testing of electronic parts, including criteria for acceptance and rejection. Tests and inspections must be performed in accordance with accepted Government- and industry-recognized techniques. Industry-recognized techniques include visual inspection under magnification, X-ray fluorescence (XRF) for lead-finish verification, decapsulation and die verification for integrated circuits, electrical testing against datasheets, and destructive physical analysis (DPA) when justified by part criticality. The clause does not mandate specific test methods or frequencies; the contractor's risk-based approach determines the level of inspection and testing commensurate with the part's role in the end item.
(3) Processes to abolish counterfeit parts proliferation. The system must include processes to prevent counterfeit parts from entering or remaining in the supply chain once discovered. This includes immediate quarantine upon detection, notification to the contracting officer and GIDEP (see criterion (6)), and prohibition on returning counterfeit or suspect counterfeit parts to the seller or supply chain until authenticity is confirmed.
(4) Traceability from original manufacturer to government acceptance. The system must include risk-based processes that enable tracking of electronic parts from the original manufacturer to product acceptance by the Government, whether the electronic parts are supplied as discrete parts or contained in assemblies, in accordance with paragraph (c) of DFARS 252.246-7008 (Sources of Electronic Parts). Traceability mechanisms may include manufacturer certificates of conformance (C of C), chain-of-custody documentation, lot traceability through serialization, and pedigree records showing each hand-off from the original component manufacturer (OCM) through distributors to the contractor. When the contractor cannot obtain traceability from the OCM because the part is procured from a non-authorized source, the contractor must increase inspection, testing, and authentication rigor commensurate with the elevated risk (see DFARS 246.870-2(a)(2) and paragraph (b)(3)(ii) of DFARS 252.246-7008).
(5) Use of suppliers in accordance with DFARS 252.246-7008. The system must require use of suppliers consistent with the authorized-source hierarchy and notification requirements in DFARS 252.246-7008, Sources of Electronic Parts. DFARS 252.246-7008 establishes a preference hierarchy for electronic-part procurement: (1) the original manufacturer or current design activity; (2) franchised distributors or authorized suppliers; (3) suppliers identified as contractor-approved suppliers, subject to DoD review and approval; or (4) other sources only when parts are not available from the foregoing sources. When acquiring from a contractor-approved supplier (category 3) or from other sources (category 4), the contractor must notify the contracting officer and perform heightened inspection, testing, and authentication. The system required by DFARS 252.246-7007(c)(5) must codify these supplier-selection rules and integrate them into the contractor's purchasing procedures.
(6) Reporting and quarantining of counterfeit and suspect counterfeit parts. The system must include reporting to the contracting officer and to the Government-Industry Data Exchange Program (GIDEP) when the contractor becomes aware of, or has reason to suspect, that any electronic part or end item, component, part, or assembly containing electronic parts purchased by DoD, or purchased by a contractor for delivery to or on behalf of DoD, contains counterfeit electronic parts or suspect counterfeit parts. GIDEP is an information-sharing cooperative among government and industry participants; GIDEP reports on counterfeit parts are publicly accessible at gidep.org and serve as an early-warning mechanism across the defense industrial base. The clause requires that counterfeit and suspect counterfeit parts must not be returned to the seller or otherwise returned to the supply chain until such time that the parts are determined to be authentic. Quarantine procedures typically involve physical segregation, tagging, and chain-of-custody logs to prevent inadvertent release.
(7) Methodologies to identify suspect counterfeit parts and rapidly determine authenticity. The system must include methodologies to identify suspect counterfeit electronic parts and to rapidly determine if a suspect counterfeit part is, in fact, counterfeit. Rapid-determination methodologies include non-destructive testing (XRF, X-ray imaging, acetone testing for remarking), electrical parametric testing, and access to authentication laboratories for destructive analysis when necessary. The clause emphasizes speed to minimize production delays and to enable timely GIDEP reporting.
(8) Design, operation, and maintenance of detection and avoidance systems. The system must address the design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit parts. This criterion is a catch-all that requires the contractor to document the overall architecture of the counterfeit-prevention program, assign organizational responsibilities, establish metrics and continuous-improvement processes, and maintain the system through periodic reviews, updates to procedures, and refresher training.
(9) Flowdown to subcontractors. The system must include procedures for flowing down the counterfeit-detection and avoidance requirements to subcontracts for electronic parts or assemblies containing electronic parts, including subcontracts for commercial products. This mirrors the mandatory flow-down in paragraph (e) of the clause and ensures the contractor monitors and enforces subcontractor compliance throughout the supply chain.
(10) Process for keeping informed of current counterfeiting trends. The system must include a process for keeping continually informed of current counterfeiting information and trends. Sources of counterfeiting intelligence include GIDEP alerts, industry association bulletins (such as those from the SAE G-19 Counterfeit Electronic Parts Committee), DoD and DLA counterfeit-part advisories, customs seizure reports, and open-source threat reporting. The contractor must designate personnel or a function responsible for monitoring these sources and disseminating actionable intelligence to purchasing, engineering, and quality personnel.
(11) Screening GIDEP reports and other credible sources. The system must include a process for screening the GIDEP reports and other credible sources of counterfeiting information to avoid the purchase or use of counterfeit electronic parts. This is the actionable complement to criterion (10): once counterfeiting intelligence is received, the contractor must cross-check pending procurements, existing inventory, and in-process assemblies against GIDEP alerts and other threat data to identify and quarantine affected parts before they enter production or are delivered to the Government.
(12) Control of obsolete electronic parts. The system must include control of obsolete electronic parts in order to maximize the availability and use of authentic, originally designed, and qualified electronic parts throughout the product's life cycle. "Obsolete electronic part" is defined at DFARS 252.246-7007(a) as an electronic part that is no longer available from the original manufacturer or an authorized aftermarket manufacturer. Obsolescence is a primary driver of counterfeit-part risk; when an OCM discontinues a part, contractors and subcontractors may turn to the gray market (brokers and independent distributors) to obtain the part, and the gray market is the highest-risk source for counterfeits. The system must address obsolescence-management strategies including proactive last-time-buy planning, qualification of alternate parts, design refresh to eliminate obsolete components, and—when gray-market procurement is unavoidable—heightened inspection and testing protocols under DFARS 252.246-7008(b)(3)(ii).
Government review under CPSR and consequences of system disapproval
Paragraph (d) of DFARS 252.246-7007 states that government review and evaluation of the contractor's counterfeit-detection and avoidance system will be accomplished as part of the evaluation of the contractor's purchasing system in accordance with DFARS 252.244-7001, Contractor Purchasing System Administration—Basic, or Contractor Purchasing System Administration—Alternate I. The Defense Contract Management Agency (DCMA) conducts contractor purchasing system reviews (CPSRs) under FAR Subpart 44.3 and DFARS Subpart 244.3 to determine whether a contractor's purchasing system is adequate to ensure compliant, efficient, and economical procurement of supplies and services. The CPSR checklist includes evaluation of the counterfeit electronic part detection and avoidance system as a discrete area of review; DCMA has published a Counterfeit Detection and Avoidance System (CDAS) guidebook with assessment criteria aligned to the twelve elements in DFARS 252.246-7007(c).
If DCMA determines that the contractor's counterfeit-detection and avoidance system is inadequate—due to missing elements, inadequate procedures, failure to implement documented procedures, or recurrent introduction of counterfeit parts into DoD deliverables—DCMA may issue a system-disapproval determination. Under paragraph (b) of DFARS 252.246-7007, failure to maintain an acceptable counterfeit electronic part detection and avoidance system may result in disapproval of the purchasing system by the contracting officer and/or withholding of payments. Disapproval of the purchasing system triggers the withholding mechanism in DFARS 252.242-7005, Contractor Business Systems, if that clause is in the contract (it is prescribed for contracts over the simplified acquisition threshold when the contractor has significant DoD sales). The contracting officer may withhold up to 10 percent of progress payments, performance-based payments, or interim cost vouchers under cost-reimbursement contracts until the contractor corrects the deficiency and DCMA issues a determination that the system is acceptable.
Cost allowability under DFARS 231.205-71
Paragraph (b) of DFARS 252.246-7007 cross-references DFARS 231.205-71, which addresses the allowability of costs related to counterfeit electronic parts. DFARS 231.205-71(a) provides that costs incurred for counterfeit electronic parts or suspect counterfeit electronic parts, and the cost of rework or corrective action that may be required to remedy the use or inclusion of such parts, are unallowable, unless the contractor has an operational system to detect and avoid counterfeit parts and suspect counterfeit parts that were purchased from a contractor-approved source (as defined in DFARS 252.246-7008) and the contractor performs inspection, testing, and authentication in accordance with DFARS 252.246-7008(b)(3)(ii). In practical terms, if a CAS-covered contractor with an approved counterfeit-detection system procures a part from an OCM or franchised distributor (the top two categories in DFARS 252.246-7008) and the part is later discovered to be counterfeit, the contractor is not automatically liable for the cost; the Government typically bears the cost if the contractor followed its approved system. However, if the contractor procured from a gray-market source without performing the heightened inspection and testing required by DFARS 252.246-7008(b)(3)(ii), or if the contractor had no operational detection system at all, the costs are unallowable under DFARS 231.205-71 and the contractor must absorb the rework expense. This creates a strong incentive for CAS-covered contractors to establish and maintain a robust system and to follow the DFARS 252.246-7008 source hierarchy.
Relationship to DFARS 252.246-7008 — sources of electronic parts
DFARS 252.246-7007 and DFARS 252.246-7008 are companion clauses finalized together in the August 2, 2016 Federal Register final rule (81 Fed. Reg. 50635) under DFARS Case 2014-D005. DFARS 252.246-7007 establishes the contractor's obligation to maintain a counterfeit-detection and avoidance system, while DFARS 252.246-7008 establishes substantive procurement requirements for sources of electronic parts. The two clauses cross-reference each other extensively: DFARS 252.246-7007(c)(4) requires traceability "in accordance with paragraph (c) of the clause at 252.246-7008"; DFARS 252.246-7007(c)(5) requires use of suppliers "in accordance with the clause at 252.246-7008"; and DFARS 252.246-7007(c)(4) directs contractors to the authorized-source hierarchy in DFARS 252.246-7008(a) and the notification-and-testing requirements in DFARS 252.246-7008(b)(3)(ii). Contractors subject to DFARS 252.246-7007 will nearly always also be subject to DFARS 252.246-7008 in the same contract; both clauses are prescribed at DFARS 246.870-3(a) for solicitations and contracts procuring electronic parts, systems or assemblies containing electronic parts, or services where the contractor will supply electronic parts, except for procurements solely of COTS items. The two-clause structure reflects the statutory division in Section 818 of the FY 2012 NDAA between system requirements (Section 818(c)) and procurement restrictions (Section 818(b)).
Exclusion for COTS-only procurements and the commercial-products flow-down obligation
DFARS 246.870-3(a)(2) provides that the contracting officer shall not use DFARS 252.246-7007 in solicitations and contracts solely for the acquisition of COTS items. "Commercially available off-the-shelf item" is defined at FAR 2.101 as any item of supply that is a commercial product sold in substantial quantities in the commercial marketplace and offered to the Government without modification in the same form in which it is sold in the commercial marketplace. The COTS exclusion recognizes that COTS suppliers selling unmodified catalog products to government and commercial customers alike are unlikely to accept (and unlikely to need) government-unique counterfeit-detection system requirements. However, the exclusion is narrow. If a contract includes both COTS items and non-COTS commercial items or services, DFARS 252.246-7007 applies to the non-COTS portion. If a contract procures a commercial system that incorporates COTS electronic parts but the system itself is not a COTS item (because the integrator modifies or customizes the system for the Government), DFARS 252.246-7007 applies.
Critically, paragraph (e) of DFARS 252.246-7007 requires the contractor to flow down the substance of the clause "in subcontracts, including subcontracts for commercial products, for electronic parts or assemblies containing electronic parts." The phrase "including subcontracts for commercial products" means that the COTS exclusion does not apply at the subcontract tier in the same manner it applies at the prime-contract tier. If a prime contractor subject to DFARS 252.246-7007 subcontracts for a commercial (but not COTS) electronic part or assembly, the prime must flow the clause down. The only subcontract exclusion is for COTS items; non-COTS commercial products and commercial services remain subject to flow-down. This structure reflects the August 2, 2016 Federal Register preamble statement that "DoD contractors and subcontractors at all tiers are responsible for detecting and avoiding counterfeit electronic parts" under Section 818.
Current clause date and relationship to Section 818 of the FY 2012 NDAA
The current version of DFARS 252.246-7007 is dated January 2023. The January 2023 revision updated paragraph (c)(4) to cross-reference the current version of DFARS 252.246-7008 and made conforming edits to align with FAR changes to the definition of "commercial product" (formerly "commercial item") effective December 9, 2022. The substantive twelve-criteria structure in paragraph (c) has remained stable since the May 6, 2014 Federal Register interim rule (79 Fed. Reg. 26094) under DFARS Case 2012-D055, which initially implemented Section 818(c)(2) of the National Defense Authorization Act for Fiscal Year 2012, Pub. L. 112-81, 125 Stat. 1298, enacted December 31, 2011. Section 818 was codified at 10 U.S.C. § 2319 (redesignated as 10 U.S.C. § 3701 effective January 1, 2022, under the reorganization of Title 10 by the William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283). The statute at 10 U.S.C. § 3701(c)(1) mandates that DoD regulations require contractors and subcontractors at all tiers to establish policies and procedures to detect and avoid counterfeit electronic parts and suspect counterfeit parts. The statute at 10 U.S.C. § 3701(c)(2) specifies nine system criteria; the DFARS regulation adds three additional criteria (criteria (10), (11), and (12) in paragraph (c) of DFARS 252.246-7007) to supplement the statutory baseline. Contractors reviewing the statute should note that the DFARS clause requirements are broader than the statute: compliance with the statute alone is insufficient; contractors must comply with all twelve DFARS criteria.
Source: DFARS 252.246-7007
Source: DFARS Subpart 246.870
Source: 81 Fed. Reg. 50635 (Aug. 2, 2016)
Source: 79 Fed. Reg. 26094 (May 6, 2014)
DFARS 252.204-7019 and 252.204-7020 — NIST SP 800-171 DoD assessment requirements and SPRS scoring
DFARS provision 252.204-7019, "Notice of NIST SP 800-171 DoD Assessment Requirements," and DFARS clause 252.204-7020, "NIST SP 800-171 DoD Assessment Requirements," establish the DoD's verification framework for contractor implementation of NIST SP 800-171 Revision 2 and create the SPRS scoring-and-reporting obligation that feeds into CMMC. Published as part of the November 30, 2020 interim rule under DFARS Case 2019-D041 (85 Fed. Reg. 61505, Sept. 29, 2020), the two provisions impose a hard gate at contract award: contracting officers must verify that a current NIST SP 800-171 DoD Assessment (not older than three years unless a lesser time is specified in the solicitation) is posted in the Supplier Performance Risk System (SPRS) for each covered contractor information system relevant to the offer, and offerors must conduct and submit a Basic Assessment if no current assessment is posted. Unlike the pre-2020 self-certification regime under DFARS 252.204-7012, which relied on contractor representations without independent verification, the 7019/7020 framework mandates scoring using the DoD Assessment Methodology, submission of summary-level scores to SPRS, and government-conducted Medium or High assessments when DoD determines validation is necessary. The provisions remain in effect alongside CMMC; contractors subject to CMMC Level 2 (Self) or Level 2 (C3PAO) under DFARS 252.204-7021 are simultaneously subject to DFARS 252.204-7020's validation authority and SPRS-posting requirements, and DoD may conduct a Medium or High assessment at any time to validate a contractor's SPRS score or CMMC assessment.
DFARS 252.204-7019 — the solicitation provision and award gate
DFARS 252.204-7019 is prescribed at DFARS 204.7304(d) in all solicitations, including solicitations using FAR Part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations solely for the acquisition of commercially available off-the-shelf (COTS) items. The provision advises offerors that, in order to be considered for award, if the offeror is required to implement NIST SP 800-171, the offeror shall have a current assessment (not more than three years old unless a lesser time is specified in the solicitation) for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order. Paragraph (c)(1) of the provision requires the offeror to verify that summary-level scores of a current NIST SP 800-171 DoD Assessment are posted in SPRS for all covered contractor information systems relevant to the offer. Paragraph (c)(2) provides that if the offeror does not have summary-level scores of a current assessment posted in SPRS, the offeror may conduct and submit a Basic Assessment to webptsmh@navy.mil for posting to SPRS in the format identified in paragraph (d) of the provision. The Basic, Medium, and High NIST SP 800-171 DoD Assessments are described in the NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (June 24, 2020), available at acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/. The provision's language is mandatory ("shall have a current assessment"), not discretionary; contracting officers are directed at DFARS 204.7303(a)(4) to verify the SPRS score before making award, and lack of a current posted assessment renders the offeror ineligible for award.
DFARS 252.204-7020 — the contract clause, government-assessment authority, and subcontract flow-down
DFARS 252.204-7020 is prescribed at DFARS 204.7304(e) in all solicitations and contracts, task orders, or delivery orders, including those using FAR Part 12 procedures for the acquisition of commercial products and commercial services, except for those that are solely for the acquisition of COTS items. The clause applies to covered contractor information systems that are required to comply with NIST SP 800-171 in accordance with DFARS 252.204-7012. Paragraph (c) of the clause requires the contractor to provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment, as described in the NIST SP 800-171 DoD Assessment Methodology, if necessary. This access obligation is unconditional; the clause does not require advance notice, and the contractor may not refuse access based on proprietary concerns, operational disruption, or cost. DoD determines whether a Medium or High assessment is "necessary" based on contract criticality, data sensitivity, prior assessment results, cyber-incident history, and risk-based factors identified by the requiring activity or DCMA.
Paragraph (g) of the clause imposes vertical flow-down obligations at all tiers. Subparagraph (g)(1) requires the contractor to insert the substance of the clause, including the flow-down paragraph, in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services (excluding commercially available off-the-shelf items). Subparagraph (g)(2) imposes a hard subcontract-award gate: the contractor shall not award a subcontract or other contractual instrument that is subject to the implementation of NIST SP 800-171 security requirements in accordance with DFARS 252.204-7012 unless the subcontractor has completed, within the last three years, at least a Basic NIST SP 800-171 DoD Assessment for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government. This means the prime contractor must verify the subcontractor's SPRS score before awarding the subcontract; failure to do so is a breach of paragraph (g)(2) and may support withholding, termination, or suspension-and-debarment proceedings.
The three assessment types — Basic (self), Medium (document review), and High (on-site validation)
DFARS 252.204-7020(a) defines three types of NIST SP 800-171 DoD Assessments, corresponding to increasing levels of Government confidence in the resulting score. A Basic Assessment is the contractor's self-assessment of its implementation of NIST SP 800-171 that (1) is based on the contractor's review of the system security plan(s) associated with its covered contractor information system(s), (2) is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology, and (3) results in a confidence level of "Low," because the score is self-generated. The Basic Assessment is the entry-level obligation: every contractor subject to DFARS 252.204-7012 must conduct one using the methodology and have the result posted in SPRS before award if no current assessment is on file. The methodology, Version 1.2.1 (June 24, 2020), scores the 110 requirements of NIST SP 800-171 Revision 2 by assigning each a value of 1, 3, or 5 points according to its impact on the security of the system and the CUI it protects; the score starts at 110 and each requirement that is not implemented subtracts its value. A contractor that implements all 110 requirements scores 110; the floor stated by the methodology, with nothing implemented, is -203. A contractor that has implemented 88 of the 110 requirements can therefore score no higher than 88 and may score considerably lower: leaving a 5-point requirement such as 3.5.3 (multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts) unimplemented costs five times as much as leaving a 1-point requirement unimplemented.
A Medium Assessment is conducted by the Government. Under the clause definition it consists of a review of the contractor's Basic Assessment, a thorough document review, and discussions with the contractor to obtain additional information or clarification as needed, and it results in a confidence level of "Medium." In practice it is performed by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which applies the assessment procedures in NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. DIBCAC selects contractors for a Medium Assessment on risk factors that can include a self-reported score that looks implausible for the contractor's size or maturity, a low score indicating systemic noncompliance, contracts involving high-value or sensitive CUI, prior cyber-incident reports under DFARS 252.204-7012, or sampling for validation. The assessment is a document review conducted remotely or on-site: DIBCAC personnel interview the system owner, information-security staff, and relevant technical staff; review the System Security Plan (SSP), the POA&M, and supporting artifacts (policies, procedures, configuration evidence, logs); and check the self-assessed score against that evidence. Where the review finds requirements self-assessed as "Met" that DIBCAC judges "Not Met," or documentation that is missing, DIBCAC adjusts the score downward. Under paragraph (e) of the clause the contractor then has 14 business days to provide additional information demonstrating that the requirements in question are met or to rebut the findings.
A High Assessment is also conducted by the Government and, per the clause definition, adds to the Medium Assessment's document review a verification, examination, and demonstration of the contractor's system security plan to validate that the NIST SP 800-171 security requirements have been implemented as described in it, followed by discussions with the contractor as needed; it results in a confidence level of "High" and is the most rigorous validation. DIBCAC conducts High Assessments on-site at the contractor's facility, or through remote hands-on sessions when on-site work is impractical, and the work includes technical testing, configuration validation, and live demonstration of controls. DIBCAC may, for example, ask the contractor to demonstrate multifactor authentication (requirement 3.5.3: MFA for local and network access to privileged accounts and for network access to non-privileged accounts), produce audit records and show how they are reviewed and protected (3.3.1 through 3.3.9), demonstrate the media-sanitization process (3.8.3), or walk through the incident-handling capability (3.6.1 through 3.6.3). A High Assessment can span several days and requires access to system administrators, to physical facilities (to validate the physical-protection requirements, 3.10.1 through 3.10.6), and to the live systems themselves. High Assessments are typically reserved for contracts involving high-value CUI or for cases where a Medium Assessment revealed significant deficiencies that DoD wants to validate hands-on before accepting remediation.
The DoD Assessment Methodology — weighted deductions, score floor, and POA&M date requirement
The NIST SP 800-171 DoD Assessment Methodology, Version 1.2.1 (June 24, 2020), is the scoring procedure contractors use for a Basic Assessment and DIBCAC uses for Medium and High Assessments. Each of the 110 requirements in NIST SP 800-171 Revision 2 carries a value of 1, 3, or 5 points; Annex A of the methodology lists the value assigned to each requirement. The score does not accumulate upward from zero: it starts at 110, the maximum, and every requirement assessed as not implemented subtracts its assigned value. Partial implementation counts as not implemented, with two exceptions the methodology singles out, 3.5.3 (multifactor authentication) and 3.13.11 (FIPS-validated cryptography), where a specified partial implementation subtracts 3 points instead of 5. Because the weighted deductions add up to far more than 110, the score goes negative well before every requirement is missed; the floor the methodology states, with nothing implemented, is -203. A score of 88 is the minimum for a Conditional CMMC Level 2 status under 32 C.F.R. Part 170 (which additionally restricts what may sit on the POA&M), but implementing 88 of the 110 requirements yields exactly 88 only if all 22 unimplemented requirements are 1-point requirements (110 - 22 = 88); every 3- or 5-point requirement among the 22 pulls the score further below 88, down to 0 if all 22 are 5-point requirements. A contractor with many unimplemented requirements can legitimately post a negative SPRS score; that is not a data-entry error but the methodology's intended penalty for widespread noncompliance.
Contractors submit a Basic Assessment score to SPRS by email to webptsmh@navy.mil, as DFARS 252.204-7019(d)(1)(i) provides, or by entering it directly in SPRS at sprs.csd.disa.mil if the contractor has established an SPRS account through the DoD Procurement Integrated Enterprise Environment (PIEE). The submission must include the data elements listed in paragraph (d)(1)(i) of DFARS 252.204-7019: (A) the cybersecurity standard assessed (e.g., NIST SP 800-171 Rev 2); (B) the organization conducting the assessment (e.g., contractor self-assessment); (C) for each system security plan supporting the performance of a DoD contract, all industry Commercial and Government Entity (CAGE) codes associated with the information system(s) addressed by the plan and a brief description of the system security plan architecture if more than one plan exists; (D) the date the assessment was completed; (E) the summary-level score (e.g., 105 out of 110, not the individual value assigned to each requirement); and (F) the date that all requirements are expected to be implemented (i.e., a score of 110 is expected to be achieved) based on the associated plan(s) of action developed in accordance with NIST SP 800-171. Element (F) is required even when the score is already 110; in that case the contractor enters the assessment date as the expected implementation date. When the score is below 110, the date must be a realistic remediation date for reaching 110; DIBCAC and contracting officers use it to gauge the contractor's compliance trajectory and may follow up after the stated date to verify that the score has improved.
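The scoring rule described above, together with the element (F) date derivation, as an added Python example; this is not code from the clause, the methodology, or any DoD tool. It starts at 110 and subtracts each open requirement's weight, applies the methodology's two partial-credit cases (3.5.3 and 3.13.11), derives the element (F) date from POA&M completion dates, and checks the score floor and POA&M weight restriction for a Conditional CMMC Level 2 status as summarized from 32 C.F.R. § 170.21 (the rule's list of specific 1-point requirements that may never be placed on a POA&M is not modeled). The findings list is constructed sample data; the weights shown are the author's reading of Annex A and should be checked against it before use.

```python
"""SPRS score calculator for the NIST SP 800-171 DoD Assessment Methodology (v1.2.1).

Added example, not a DoD tool. Scoring rule: start at 110 and subtract the
point value (1, 3 or 5) of every requirement that is not fully implemented.
Two requirements earn partial credit for a specified partial implementation:
3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) subtract 3 instead of 5.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

MAX_SCORE = 110                     # every one of the 110 requirements implemented
CONDITIONAL_L2_FLOOR = 88           # minimum score for a Conditional CMMC Level 2 status
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}   # reduced deduction instead of the full 5


@dataclass(frozen=True)
class Finding:
    req_id: str                      # NIST SP 800-171 Rev 2 requirement number
    weight: int                      # point value from Annex A: 1, 3 or 5
    status: str                      # "met", "partial" or "not_met"
    poam_date: Optional[date] = None # planned completion date from the POA&M


def deduction(f: Finding) -> int:
    """Points subtracted for one requirement."""
    if f.weight not in (1, 3, 5):
        raise ValueError(f"{f.req_id}: weight must be 1, 3 or 5, got {f.weight}")
    if f.status == "met":
        return 0
    if f.status == "not_met":
        return f.weight
    if f.status == "partial":
        # Only 3.5.3 and 3.13.11 earn partial credit; any other partial
        # implementation is scored as not implemented.
        return PARTIAL_CREDIT.get(f.req_id, f.weight)
    raise ValueError(f"{f.req_id}: unknown status {f.status!r}")


def sprs_score(findings: Iterable[Finding]) -> int:
    """Summary-level score: 110 minus the weighted deductions.

    Only requirements that are not fully met change the score, so the input may
    be all 110 findings or just the open ones.
    """
    findings = list(findings)
    ids = [f.req_id for f in findings]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate requirement IDs in findings")
    return MAX_SCORE - sum(deduction(f) for f in findings)


def expected_implementation_date(findings: Iterable[Finding], assessment_date: date) -> date:
    """Element (F) of the SPRS submission: the date a score of 110 is expected.

    Nothing open: report the assessment date. Otherwise the latest POA&M
    completion date, and every open item must carry one.
    """
    open_items = [f for f in findings if deduction(f) > 0]
    if not open_items:
        return assessment_date
    missing = [f.req_id for f in open_items if f.poam_date is None]
    if missing:
        raise ValueError(f"open requirements without a POA&M date: {missing}")
    return max(f.poam_date for f in open_items)


def conditional_level2_eligible(findings: Iterable[Finding]) -> bool:
    """Score >= 88 and no open requirement worth more than 1 point, except
    3.13.11 when it earns partial credit (summary of 32 C.F.R. 170.21; the
    rule's list of 1-point requirements barred from the POA&M is not modeled)."""
    findings = list(findings)
    if sprs_score(findings) < CONDITIONAL_L2_FLOOR:
        return False
    for f in findings:
        if deduction(f) == 0:
            continue
        if f.req_id == "3.13.11" and f.status == "partial":
            continue
        if f.weight > 1:
            return False
    return True


# Constructed sample: one SSP, assessed 2025-01-15. Weights are the author's
# reading of Annex A; 3.1.9 = 1, 3.1.5 = 3, 3.1.1 / 3.5.3 / 3.13.11 = 5.
ASSESSMENT_DATE = date(2025, 1, 15)
SAMPLE_FINDINGS = [
    Finding("3.1.1", 5, "met"),
    Finding("3.1.9", 1, "not_met", date(2025, 3, 31)),
    Finding("3.1.5", 3, "not_met", date(2025, 6, 30)),
    Finding("3.5.3", 5, "partial", date(2025, 9, 30)),   # MFA for privileged/remote only
    Finding("3.13.11", 5, "partial", date(2025, 9, 30)), # encryption in use, not FIPS-validated
]

if __name__ == "__main__":
    print("score:", sprs_score(SAMPLE_FINDINGS))
    print("element (F):", expected_implementation_date(SAMPLE_FINDINGS, ASSESSMENT_DATE))
    print("conditional L2 eligible:", conditional_level2_eligible(SAMPLE_FINDINGS))
```

The sample scores 100 (110 minus 1, 3, 3 and 3) and reports 2025-09-30 as the element (F) date; it is not eligible for a Conditional Level 2 status despite clearing 88, because 3.1.5, a 3-point requirement, is open. The same function shows the page's 88-of-110 point: twenty-two open 1-point requirements score 88, twenty-two open 5-point requirements score 0.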
SPRS submission timeline and the 30-day posting window
Paragraph (d) of DFARS 252.204-7020 provides that summary-level scores for all assessments will be posted in SPRS, 30 days post-assessment, to give DoD Components visibility into the summary-level scores of strategic assessments. For Basic Assessments submitted by email to webptsmh@navy.mil, DoD posts the score within 30 days of submission. Contractors who enter the assessment directly in SPRS (the "Add New DoD Assessment" function) see their record as soon as the entry is saved, so direct entry is the faster path and the one to prefer when a deadline is near. For Medium and High Assessments, DoD posts the summary-level score after the 14-business-day rebuttal period in paragraph (e) of the clause has run. The 30-day window for emailed submissions means a contractor relying on email should complete and submit its Basic Assessment well before the solicitation response deadline, at least 45 days out (two weeks to finish the assessment and 30 days for posting), so that a current score is visible when the contracting officer checks SPRS. An offeror whose score is not posted by the time of that check does not satisfy DFARS 252.204-7019(b) and cannot be considered for award.
Three-year currency requirement and assessment expiration
Both DFARS 252.204-7019 and 252.204-7020 define "current" as not more than three years old unless a lesser time is specified in the solicitation. An assessment conducted on January 1, 2023, expires on January 1, 2026; after that date the contractor must conduct a new assessment and post the updated score to SPRS to remain eligible for new awards requiring NIST SP 800-171 compliance. The three-year window aligns with the triennial assessment cycle for CMMC Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC) under 32 C.F.R. Part 170, but the two regimes are not identical. A contractor with a two-year-old CMMC Level 2 (Self) status has a "current" CMMC status (valid for three years from the assessment date, subject to the annual affirmation the CMMC rule requires) and simultaneously a "current" NIST SP 800-171 DoD Assessment under DFARS 252.204-7020 (the same assessment, reported via SPRS, is valid for three years). If, however, a solicitation specifies "a current NIST SP 800-171 DoD Assessment not more than one year old," the contractor must have conducted an assessment within the prior 12 months, even though a two-year-old assessment would satisfy the default three-year rule. Shorter currency requirements are typically specified in high-value or high-sensitivity procurements where the requiring activity wants recent validation of the contractor's cybersecurity posture.
Contracting officers are permitted, but not required, to specify a shorter currency window in the solicitation. The interim rule (published September 29, 2020 at 85 Fed. Reg. 61505, effective November 30, 2020) did not require contractors to discard assessment work done under the earlier DFARS 252.204-7012 self-attestation model: an existing SSP-based review could be scored under the DoD Assessment Methodology and posted to SPRS as a Basic Assessment, provided the review and the SSP it rested on were themselves within the three-year window. The practical consequence is that a Basic Assessment posted in 2021 or 2022 reaches its three-year mark in 2024 or 2025; a contractor in that position should complete and post a new assessment before the anniversary date to avoid a lapse in eligibility for new awards.
Government validation authority and the precedence rule
Paragraph (c) of DFARS 252.204-7020 authorizes DoD to conduct a Medium or High assessment of any contractor whose covered contractor information systems are subject to NIST SP 800-171 under DFARS 252.204-7012. The clause states that the contractor "shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment … if necessary." The "if necessary" qualifier conditions DoD's decision to assess, not the contractor's obligation once DoD has decided: DoD determines, on risk, criticality, or validation grounds, whether an assessment is needed. The clause gives the contractor no basis to refuse access or to defer the assessment; refusal is noncompliance with a material contract requirement and exposes the contractor to the ordinary contractual remedies, up to termination for default, in addition to the consequences for the SPRS posting on which eligibility for new awards depends.
When DoD conducts a Medium or High assessment, its result becomes the SPRS score of record, taking precedence over the contractor's self-assessment. If a contractor posted a Basic Assessment score of 105 and DIBCAC's Medium Assessment produces 88, DIBCAC posts 88 and the earlier 105 no longer governs. Under paragraph (e) of the clause the contractor has 14 business days from notification to provide additional information or a written rebuttal showing that requirements DIBCAC marked "Not Met" are in fact met; if DIBCAC accepts it, the score is adjusted upward. If the rebuttal is rejected or none is submitted, 88 stands as the official SPRS score, and the contractor must either accept the lower score or remediate the deficiencies and request a reassessment. The same precedence principle applies on the CMMC side: under 32 C.F.R. § 170.17(a)(1)(iv), DoD reserves the right to have DIBCAC assess any Organization Seeking Certification (OSC) holding a Level 2 (C3PAO) status to validate the C3PAO's results, and where the investigation shows that adherence to 32 C.F.R. Part 170 has not been achieved or maintained, the DIBCAC results take precedence over the pre-existing C3PAO CMMC Status. Together, the DFARS 252.204-7020 Medium/High assessment of SPRS scores and the 32 C.F.R. § 170.17(a)(1)(iv) DIBCAC validation of CMMC status give DoD oversight of both contractor compliance and C3PAO assessment quality.
Relationship to CMMC — parallel, not superseded
The publication of the CMMC program rule at 32 C.F.R. Part 170 (effective December 16, 2024) and the DFARS CMMC acquisition rule at DFARS Subpart 204.75 and clause 252.204-7021 (effective November 10, 2025) did not rescind or replace DFARS 252.204-7019 and 252.204-7020; the two regimes operate in parallel. A contractor subject to CMMC Level 2 (Self) conducts a triennial self-assessment against NIST SP 800-171 Revision 2, scored with the same DoD Assessment Methodology, enters the results directly in SPRS, which assigns the CMMC UID, and affirms continuing compliance annually. DoD's intent is that this one assessment serves both the Basic Assessment requirement under DFARS 252.204-7020 and the Level 2 (Self) requirement under DFARS 252.204-7021, so the contractor does not perform two separate assessments as long as the posted assessment is current. Level 2 (C3PAO) and Level 3 (DIBCAC) results, by contrast, are recorded by the assessor in the CMMC instantiation of eMASS and flow from there to SPRS.
However, DFARS 252.204-7020's government-validation authority remains fully in force. Even if a contractor holds a Final CMMC Level 2 (C3PAO) status issued by a C3PAO, DoD may conduct a Medium or High assessment under DFARS 252.204-7020 to validate the contractor's NIST SP 800-171 implementation, and the government assessment results will take precedence for purposes of the SPRS score. The CMMC status and the SPRS score are distinct (though related) compliance artifacts: the CMMC status determines eligibility for contract award or option exercise under DFARS 204.7503(b) and (c); the SPRS score provides DoD Components visibility into the contractor's assessed cybersecurity posture and informs source-selection decisions, risk assessments, and DIBCAC validation priorities. A contractor may have a Final CMMC Level 2 (C3PAO) status with a CMMC UID posted in SPRS and a separate SPRS score entry from a government-conducted High Assessment that reflects a lower score than the C3PAO assessment; both entries coexist in SPRS, and the government assessment score is the controlling score for DoD risk-management purposes even though the CMMC status remains valid until the CMMC assessment expires or the contractor's compliance changes.
Accessibility and use of SPRS scores by contracting officers and DoD personnel
Paragraph (d)(3) of DFARS 252.204-7019 addresses the accessibility of assessment summary-level scores posted in SPRS. Subparagraph (d)(3)(i) provides that assessment summary-level scores posted in SPRS are available to DoD personnel and are protected in accordance with the standards set forth in DoD Instruction 5000.79, Defense-wide Sharing and Use of Supplier and Product Performance Information (PI). SPRS scores are handled as Controlled Unclassified Information (CUI) and are not publicly disclosed; FOIA Exemption 4 (trade secrets and commercial or financial information obtained from a contractor that is privileged or confidential) applies. Contractors cannot view other companies' scores, and scores are not released to unsuccessful offerors in debriefings under FAR 15.503(b); in a bid protest they could surface only under a protective order where the score bears directly on a ground of protest, such as a challenge to a responsibility determination or a claim that the awardee misrepresented its cybersecurity posture. Subparagraph (d)(3)(ii) provides that authorized representatives of the offeror for which the assessment was conducted may access SPRS to view their own summary-level scores in accordance with the SPRS Software User's Guide for Awardees/Contractors available at sprs.csd.disa.mil. Contractors reach SPRS through a PIEE account; the company's PIEE administrator assigns the SPRS cyber vendor user role to the individuals who need to view or enter assessment records for the company's CAGE code(s).
High Assessment documentation and CUI protection
Paragraph (d)(3)(iii) of DFARS 252.204-7019 notes that a High NIST SP 800-171 DoD Assessment may result in documentation in addition to the summary-level score posted in SPRS. DoD will retain and protect any such documentation as CUI intended for internal DoD use only, and will protect it against unauthorized use and release, including through applicable exemptions under the Freedom of Information Act (e.g., Exemption 4). A High Assessment generates detailed findings, architecture diagrams, technical test results, configuration screenshots, interview notes, and analysis of the contractor's SSP and POA&M. That material is marked and handled as CUI (it is not classified) because it reveals the contractor's security posture, weaknesses, and remediation plans; disclosure would hand an adversary a roadmap to the contractor's systems. Contractors undergoing a High Assessment should clarify with DIBCAC at the outset what documentation DIBCAC will retain and for how long; a contractor concerned about proprietary architectures or trade-secret configurations can ask DIBCAC to keep only what is needed to support the score, although DIBCAC decides what is "necessary" for validation.
Current clause dates and November 2023 revision
At the time of writing, both DFARS 252.204-7019 and DFARS 252.204-7020 carry a November 2023 (NOV 2023) date. The November 2023 revisions made no change to the substantive assessment-and-SPRS-posting obligations established by the November 30, 2020 interim rule. The original versions of the provision and clause were designated (NOV 2020) and took effect November 30, 2020, 60 days after publication of the interim rule at 85 Fed. Reg. 61505 (Sept. 29, 2020). Contractors reviewing solicitations should check the clause date in the RFP; a solicitation issued before November 2023 may incorporate the NOV 2020 versions, which impose the same obligations.
Integration with DFARS 252.204-7012 and the self-certification-to-validation transition
DFARS 252.204-7019 and 252.204-7020 do not replace DFARS 252.204-7012; they add a verification layer on top of it. DFARS 252.204-7012 imposes the underlying obligation to implement NIST SP 800-171 on covered contractor information systems and to report cyber incidents to DoD at dibnet.dod.mil within 72 hours of discovery. DFARS 252.204-7019 (a solicitation provision) requires the offeror to have a current assessment posted in SPRS in order to be considered for award, and DFARS 252.204-7020 (a contract clause) requires the contractor to assess its implementation using the DoD Assessment Methodology, post the score to SPRS, and give DoD access for Medium or High assessments. The three appear together in DoD solicitations and contracts (except COTS-only procurements); compliance with 7019/7020 does not relieve the contractor of 7012, and vice versa. The preamble to the September 29, 2020 interim rule (effective November 30, 2020) describes the 7019/7020 framework as implementing "assessment of contractor implementation of cybersecurity requirements," responding to DoD's finding that contractor self-attestation under the earlier DFARS 252.204-7012 regime was unreliable and that "aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DoD missions." The shift from self-attestation to validated assessment (Basic Assessments scored under the DoD methodology, Medium and High assessments conducted by DIBCAC, and CMMC third-party certification for Level 2 (C3PAO) and Level 3 (DIBCAC)) is the defining characteristic of the post-November 2020 compliance regime.
Source: DFARS 252.204-7019
Source: DFARS 252.204-7020
Source: DFARS 204.7304
Source: 85 Fed. Reg. 61505 (Sept. 29, 2020)
DFARS 252.246-7008 — Sources of electronic parts and the four-tier authorized-source hierarchy
DFARS clause 252.246-7008, "Sources of Electronic Parts," establishes the authorized-source hierarchy contractors must follow when procuring electronic parts, systems or assemblies containing electronic parts, or services that involve supplying electronic parts. The clause implements Section 818(c)(3) of the National Defense Authorization Act for Fiscal Year 2012 (Pub. L. 112-81), as amended by Section 817 of the FY 2015 NDAA (Pub. L. 113-291) and Section 885 of the FY 2016 NDAA (Pub. L. 114-92). Finalized in the August 2, 2016 Federal Register final rule, amended May 4, 2018, and administratively revised in January 2023, the clause requires contractors to procure electronic parts from the original manufacturer, its authorized suppliers, or suppliers that source exclusively from them, and, when parts are unavailable from those sources, from contractor-approved suppliers subject to Government review and approval. When procuring from any other source, or when the contractor cannot confirm that a part is new and unmixed with used or returned stock, the contractor must notify the contracting officer and perform inspection, testing, and authentication commensurate with the elevated counterfeit risk. DFARS 252.246-7008 is the substantive procurement-restriction companion to DFARS 252.246-7007, which establishes the counterfeit electronic part detection and avoidance system obligation for CAS-covered contractors; the two clauses cross-reference each other extensively and apply together in most DoD contracts for electronic parts or assemblies.
Prescription and applicability — broader than 252.246-7007
DFARS 252.246-7008 is prescribed at DFARS 246.870-3(b) for use in solicitations and contracts, including those using FAR Part 12 procedures for the acquisition of commercial products and commercial services, when procuring (i) electronic parts; (ii) end items, components, parts, or assemblies containing electronic parts; or (iii) services, if the contractor will supply electronic parts or components, parts, or assemblies containing electronic parts as part of the service. Unlike DFARS 252.246-7007, which applies only to CAS-covered contractors, DFARS 252.246-7008 applies to all contractors regardless of CAS coverage, contract size, or contractor type. There is no small-business exclusion, no simplified-acquisition-threshold exclusion, and no COTS exclusion; the clause applies to a contract for a COTS item whenever that item is an electronic part or contains electronic parts. The August 2, 2016 Federal Register preamble states that "DoD contractors and subcontractors at all tiers are responsible for detecting and avoiding counterfeit electronic parts" and that the sources-of-electronic-parts restrictions apply across the defense industrial base to keep counterfeit parts out of the supply chain regardless of the contractor's business size or the contract's dollar value. This breadth follows from Section 818's treatment of electronic-part sourcing as a supply-chain-integrity obligation for the whole defense industrial base, not merely a quality-assurance concern for major systems.
The four-tier source hierarchy — paragraphs (b)(1) and (b)(2)
Paragraph (b)(1) of DFARS 252.246-7008, titled "Selecting suppliers," establishes the baseline rule: the contractor shall obtain electronic parts that are in production by the original manufacturer or an authorized aftermarket manufacturer, or currently available in stock, from (i) the original manufacturers of the parts; (ii) their authorized suppliers; or (iii) suppliers that obtain such parts exclusively from the original manufacturers of the parts or their authorized suppliers. These three categories—collectively the Category 1 sources as referenced in the August 2, 2016 preamble and the May 4, 2018 final rule amending the clause—represent the preferred supply chain with the lowest counterfeit risk. Parts procured from Category 1 sources have direct traceability to the original component manufacturer (OCM) or the current design activity and are presumptively authentic.
When electronic parts are not in production by the original manufacturer or an authorized aftermarket manufacturer and are not currently available in stock from a Category 1 source, paragraph (b)(2) permits the contractor to obtain electronic parts from suppliers identified by the contractor as contractor-approved suppliers. This is the Category 2 source—the gray-market or independent-distributor category—and it is available only when both conditions are met (not in production and not available in stock from Category 1). The August 2, 2016 Federal Register preamble and the May 4, 2018 final rule emphasize that the statutory language was revised from "or" to "and" because use of "or" would overlap with Category 1 and fail to reflect the statutory requirement that Category 2 sources may be used only in circumstances not covered by Category 1. A contractor must make a good-faith effort to determine whether an electronic part is available from Category 1 sources before resorting to a contractor-approved supplier; procurement from a contractor-approved supplier when the part is available from the OCM or an authorized distributor is a violation of the clause and may support disapproval of the contractor's purchasing system under DFARS 252.244-7001.
Contractor-approved supplier — definition and approval process
DFARS 252.246-7008(a) defines "contractor-approved supplier" as a supplier that does not have a contractual agreement with the original component manufacturer for a transaction, but has been identified as trustworthy by a contractor or subcontractor. The August 2, 2016 preamble explains that DoD introduced the term "contractor-approved supplier" to replace the proposed-rule term "trusted supplier," which drew industry comment that the term was vague and overlapped with other standards. "Contractor-approved supplier" clarifies that the supplier is not authorized by the original manufacturer but has been vetted and approved by the contractor using counterfeit-prevention industry standards.
Paragraph (b)(2) of DFARS 252.246-7008 imposes three conditions on the use of contractor-approved suppliers. First, for identifying and approving such suppliers, the contractor must use established counterfeit prevention industry standards and processes, including inspection, testing, and authentication, such as the DoD-adopted standards available at assist.dla.mil. The DoD-adopted standards include SAE AS6496, "Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition—Distributors," and SAE AS6171, "Test Methods Standard; General Requirements, Suspect/Counterfeit, Electrical, Electronic, and Electromechanical Parts." Contractors may not use ad hoc or internally developed approval criteria that lack industry validation; the contractor must document the use of SAE AS6496, AS6171, or equivalent industry standards recognized by DoD when qualifying a contractor-approved supplier.
Second, the contractor must assume responsibility for the authenticity of parts provided by contractor-approved suppliers. This assumption of responsibility is codified at DFARS 231.205-71 and has direct cost-allowability consequences: if a part procured from a contractor-approved supplier is later discovered to be counterfeit or suspect counterfeit, the contractor bears the cost of rework and corrective action unless the contractor performed the inspection, testing, and authentication required by paragraph (b)(3)(ii) of DFARS 252.246-7008 and the contractor has an operational counterfeit electronic part detection and avoidance system under DFARS 252.246-7007. The assumption-of-responsibility language mirrors Section 818(c)(3)(C) of the FY 2012 NDAA, which imposes contractor liability for counterfeit parts obtained from non-authorized sources.
Third, under paragraph (b)(2)(iii), the selection of contractor-approved suppliers is subject to review, audit, and approval by the Government, generally in conjunction with a contractor purchasing system review (CPSR) or other surveillance of purchasing practices by the contract administration office, or if the Government obtains credible evidence that a contractor-approved supplier has provided counterfeit parts. The May 4, 2018 final rule at 83 Fed. Reg. 19910 clarified that review, audit, and approval is not mandatory for every contractor-approved supplier before the contractor proceeds with procurement; rather, DoD reviews contractor-approved suppliers as part of the periodic CPSR conducted by DCMA under FAR Subpart 44.3 and DFARS Subpart 244.3, or when DoD has reason to believe a particular supplier has introduced counterfeits into the supply chain. Paragraph (b)(2)(iii) states explicitly that "the contractor may proceed with the acquisition of electronic parts from a contractor-approved supplier unless otherwise notified by DoD." This means contractors do not need advance CO approval before purchasing from a contractor-approved supplier, but the CO retains authority to disapprove a supplier at any time based on CPSR findings or credible counterfeit evidence, and such disapproval obligates the contractor to cease procurement from that supplier and to re-source the parts.
Category 3 — notification, inspection, testing, and authentication when sourcing outside Categories 1 and 2
Paragraph (b)(3) of DFARS 252.246-7008 addresses procurements from sources other than the Category 1 and Category 2 sources, or situations where the contractor cannot confirm part traceability. Subparagraph (b)(3)(i) requires the contractor to comply with the notification, inspection, testing, and authentication requirements of paragraph (b)(3)(ii) if the contractor obtains an electronic part from (A) a source other than any of the sources identified in paragraphs (b)(1) and (b)(2) due to nonavailability from such sources, or (B) a subcontractor (other than the original manufacturer) that refuses to accept flow-down of DFARS 252.246-7008. Subparagraph (b)(3)(i) also triggers the heightened obligations when the contractor cannot confirm that an electronic part is new or not previously used and that it has not been commingled in supplier new production or stock with used, refurbished, reclaimed, or returned parts. This is the Category 3 source — parts obtained from brokers, surplus dealers, or other non-approved independent sources, or parts of uncertain provenance where the contractor cannot establish whether the part is new.
Paragraph (b)(3)(ii) imposes three obligations when Category 3 sourcing is unavoidable. First, the contractor must promptly notify the contracting officer in writing of the procurement. The notification must identify the part number, the source, the reason the part is unavailable from Category 1 or Category 2 sources (or the reason traceability cannot be confirmed), and the inspection, testing, and authentication plan. The notification is mandatory and must occur before or contemporaneously with the procurement; post-procurement notification or failure to notify is a breach of the clause and a mandatory-disclosure event under FAR 52.203-13 if the contractor has knowledge that the procurement violated the clause. Second, the contractor must be responsible for inspection, testing, and authentication of the part. Inspection, testing, and authentication must be conducted in accordance with accepted Government- and industry-recognized techniques, which include visual inspection, electrical parametric testing, X-ray fluorescence (XRF) for lead-finish verification, decapsulation and die verification for integrated circuits, and destructive physical analysis (DPA) when justified by part criticality. The contractor may perform the inspection and testing in-house if the contractor has qualified personnel and calibrated equipment, or may engage an accredited third-party laboratory (such as a laboratory accredited under ISO/IEC 17025 for electronic component testing). Third, the contractor must make documentation of inspection, testing, and authentication available to the Government upon request. The documentation must include the test plan, the test results, the accept/reject criteria, photographic evidence (for visual inspection), raw test data, and the name and qualifications of the personnel or laboratory that conducted the testing. 
The Government may request this documentation during performance, as part of a CPSR, or in connection with a Medium or High NIST SP 800-171 DoD Assessment under DFARS 252.204-7020 when the assessment scope includes the contractor's electronic-parts supply chain.
Category 4 — Government inventory/stock and Government responsibility for authenticity
Paragraph (d) of DFARS 252.246-7008 addresses a distinct sourcing category: requisitioning electronic parts from Government inventory or stock under the authority of DFARS 252.251-7000, "Ordering from Government Supply Sources." When the contractor requisitions electronic parts from Defense Logistics Agency (DLA) stock or another Government inventory system, subparagraph (d)(3)(i) permits the contractor to charge the cost of any required inspection, testing, and authentication of such parts as a direct cost. However, under subparagraph (d)(3)(ii), the Government is responsible for the authenticity of the requisitioned parts. If any such part is subsequently found to be counterfeit or suspect counterfeit, the Government will (A) promptly replace such part at no charge, and (B) consider an adjustment in the contract schedule to the extent that replacement of the counterfeit or suspect counterfeit electronic parts caused a delay in performance. This is the only sourcing category where the contractor is relieved of authenticity responsibility; when parts are obtained from DLA or Government stock, the Government warrants the parts and bears the cost and schedule risk of counterfeits. The contractor remains obligated to comply with the requirements of paragraphs (b) and (c) of DFARS 252.246-7008 (source selection and traceability), but the authenticity warranty shifts to the Government. Contractors should document Government-furnished parts procured under DFARS 252.251-7000 separately in the System Security Plan and in CPSR documentation to avoid confusion about sourcing and authenticity responsibility.
Traceability requirement — paragraph (c)
Paragraph (c) of DFARS 252.246-7008 requires contractors to maintain traceability (defined at 252.246-7008(a) as the ability to verify the history, location, or application of an item by means of documented recorded identification) of electronic parts from the original manufacturer to product acceptance by the Government. For electronic parts supplied as discrete parts or contained in assemblies, the contractor shall retain documented evidence (which may include certificates of conformance from the original manufacturer or current design activity, labeling, and authentic lot or serial numbers on parts or their containers) to support traceability. The documented evidence must permit the contractor and the Government to trace each part back to the OCM, the OCM's authorized aftermarket manufacturer, or the OCM's authorized supplier. When the part is procured from a contractor-approved supplier (Category 2) or from a Category 3 source, traceability documentation is typically incomplete or absent, because the independent distributor or broker cannot provide OCM certificates of conformance or direct pedigree. In those cases, the contractor must document why traceability cannot be confirmed (e.g., "Part is obsolete; OCM discontinued production in 2018; franchised distributors have zero stock; obtained from contractor-approved surplus dealer XYZ Corp per SAE AS6496 qualification; no OCM C of C available"), and must rely on the heightened inspection, testing, and authentication under paragraph (b)(3)(ii) to compensate for the lack of documentary traceability. The traceability requirement integrates with DFARS 252.246-7007(c)(4), which mandates that the counterfeit detection and avoidance system include risk-based processes that enable tracking of electronic parts from the original manufacturer to product acceptance by the Government in accordance with paragraph (c) of DFARS 252.246-7008.
Definitions — original manufacturer, authorized supplier, contract manufacturer, and obsolete parts
Paragraph (a) of DFARS 252.246-7008 defines six key terms that control interpretation of the source hierarchy. "Original component manufacturer" means an organization that designs and/or engineers a part and is entitled to any intellectual property rights to that part. "Original equipment manufacturer" means a company that manufactures products that it has designed from purchased components and sells those products under the company's brand name. "Original manufacturer" means the original component manufacturer, the original equipment manufacturer, or the contract manufacturer—this composite definition recognizes that the "original manufacturer" for purposes of the preferred-source hierarchy can be the OCM (the designer), the OEM (the integrator), or a contract manufacturer producing parts under license or written authority from the OCM or OEM. "Contract manufacturer" means a company that produces goods under contract for another company under the label or brand name of that company; contract manufacturers are treated as original manufacturers when they fabricate parts with the express written authority of the OCM.
"Authorized aftermarket manufacturer" means an organization that fabricates a part under a contract with, or with the express written authority of, the original component manufacturer based on the original component manufacturer's designs, formulas, and/or specifications. Authorized aftermarket manufacturers are Category 1 sources; they have OCM authorization and produce parts to OCM specifications, distinguishing them from unauthorized aftermarket manufacturers who reverse-engineer or clone parts without OCM permission. "Authorized supplier" means a supplier, distributor, or an aftermarket manufacturer with a contractual arrangement with, or the express written authority of, the original manufacturer or current design activity to buy, stock, repackage, sell, or distribute the part. Authorized suppliers include franchised distributors (such as Arrow, Avnet, Digi-Key, and Mouser for commercial semiconductor and passive-component markets) that have written franchise or authorized-distribution agreements with OCMs. The key distinguishing factor between an authorized supplier (Category 1) and a contractor-approved supplier (Category 2) is the presence or absence of a contractual arrangement with the OCM; if the distributor has a current written agreement with the OCM authorizing distribution of the part, the distributor is an authorized supplier and the contractor may procure from that distributor under paragraph (b)(1) without CO notification or heightened testing. If the distributor has no such agreement—even if the distributor is reputable, ISO-certified, or previously qualified—the distributor is at best a contractor-approved supplier (Category 2) and requires contractor qualification under industry standards, or is a Category 3 source requiring CO notification and heightened testing.
"Obsolete electronic part" is defined at DFARS 252.246-7008(a) (by cross-reference to the definition in DFARS 252.246-7007(a)) as an electronic part that is no longer available from the original manufacturer or an authorized aftermarket manufacturer. Obsolescence is the primary driver for Category 2 and Category 3 sourcing; when a part goes obsolete, contractors must either redesign the end item to use a currently manufactured part, qualify an alternate part, conduct a last-time buy from the OCM or franchised distributor before the part is discontinued, or resort to independent distributors and surplus dealers for remaining stock. The clause at paragraph (b)(2) explicitly permits contractor-approved-supplier sourcing when the part is "not in production by the original manufacturer or an authorized aftermarket manufacturer," which is the functional definition of obsolescence. DFARS 252.246-7007(c)(12) requires the counterfeit detection and avoidance system to include control of obsolete electronic parts in order to maximize the availability and use of authentic, originally designed, and qualified electronic parts throughout the product's life cycle; obsolescence-management processes (proactive last-time buys, alternate-part qualification, design refresh) reduce reliance on the gray market and the attendant counterfeit risk.
Subcontract flow-down and the original-manufacturer exception
Paragraph (e) of DFARS 252.246-7008 requires the contractor to include the substance of the clause, including the flow-down requirement in paragraph (e), in subcontracts, including subcontracts for commercial products, that are for electronic parts or assemblies containing electronic parts, unless the subcontractor is the original manufacturer. The original-manufacturer exception recognizes that when the subcontractor is the OCM (Intel, Texas Instruments, Analog Devices, Microchip, etc.) or a contract manufacturer producing under written authority from the OCM, the subcontractor is by definition a Category 1 source and the source-selection and traceability requirements are automatically satisfied. The subcontractor-OCM does not need to trace its own parts back to itself. For all other subcontractors—including electronic-assembly houses, system integrators, distributors, and service providers—the prime contractor must flow down DFARS 252.246-7008 in full. The clause applies to subcontracts for commercial products; there is no COTS exclusion at the subcontract tier (unlike DFARS 252.246-7007, which permits an exclusion for subcontracts solely for COTS items in certain configurations). The August 2, 2016 Federal Register preamble states that "DoD contractors and subcontractors at all tiers" must comply with the sources-of-electronic-parts requirements, and the clause's flow-down language implements that mandate vertically through the supply chain. Prime contractors conducting CPSRs under DFARS 252.244-7001 or purchasing-system surveillance under FAR Subpart 44.3 must verify that subcontractors have flowed DFARS 252.246-7008 to their lower-tier subcontractors and that the subcontractors' source-selection processes comply with the four-tier hierarchy and the notification/testing requirements.
Relationship to DFARS 252.246-7007 and cost allowability under DFARS 231.205-71
DFARS 252.246-7008 and DFARS 252.246-7007 were finalized together in the August 2, 2016 Federal Register final rule under DFARS Case 2014-D005, and the two clauses interlock mechanically and substantively. DFARS 252.246-7008 establishes what sources contractors may use to procure electronic parts (the four-tier hierarchy) and what the contractor must do when procuring from Category 2 or Category 3 sources (notification, inspection, testing, authentication). DFARS 252.246-7007 establishes the system the contractor must maintain to implement those sourcing requirements and to detect and avoid counterfeits that evade the source controls. Criterion (c)(5) of DFARS 252.246-7007 requires the counterfeit detection and avoidance system to include use of suppliers in accordance with DFARS 252.246-7008; criterion (c)(4) requires traceability from the original manufacturer to Government acceptance in accordance with paragraph (c) of DFARS 252.246-7008. A contractor that procures a part from a Category 3 broker without CO notification, without conducting the inspection and testing required by DFARS 252.246-7008(b)(3)(ii), and without documenting the procurement and test results, has violated both DFARS 252.246-7008 (the substantive sourcing restriction) and DFARS 252.246-7007 (the system obligation to use suppliers in accordance with 252.246-7008). DCMA conducting a CPSR will evaluate both clauses together and may issue a system-disapproval determination citing deficiencies in both the counterfeit detection and avoidance system and the contractor's source-selection procedures.
DFARS 231.205-71 implements the cost-allowability consequences. Costs incurred for counterfeit electronic parts or suspect counterfeit electronic parts, and the cost of rework or corrective action that may be required to remedy the use or inclusion of such parts, are unallowable, unless (1) the contractor has an operational system to detect and avoid counterfeit parts and suspect counterfeit parts that was approved by the contracting officer; (2) the counterfeit parts or suspect counterfeit parts were purchased from a contractor-approved source (as defined in DFARS 252.246-7008); and (3) the contractor performed the inspection, testing, and authentication required by DFARS 252.246-7008(b)(3)(ii). If all three conditions are met, the costs are allowable and the Government typically bears the risk; if any condition is missing—no approved detection system, part was not purchased from a contractor-approved supplier (i.e., it came from an unapproved Category 3 source), or the contractor did not perform the required testing—the costs are unallowable and the contractor absorbs the rework expense. This cost structure incentivizes contractors to procure from Category 1 sources whenever possible (lowest cost and risk), to rigorously qualify contractor-approved suppliers under SAE AS6496 or equivalent standards when Category 2 sourcing is necessary, and to perform comprehensive testing when Category 3 sourcing is unavoidable.
Current clause date and statutory authority
The current version of DFARS 252.246-7008 is dated January 2023 (JAN 2023). The January 2023 revision updated the clause to conform to FAR terminology changes replacing "commercial item" with "commercial product" and "commercial service," effective December 9, 2022 under FAR Case 2018-005. Substantive provisions—the four-tier source hierarchy, the contractor-approved-supplier conditions, the notification and testing requirements, and the traceability obligation—have remained stable since the August 2, 2016 final rule, with the sole substantive amendment in the May 4, 2018 final rule clarifying at paragraph (b)(2)(iii) that Government review, audit, and approval of contractor-approved suppliers is generally conducted in conjunction with a CPSR or when DoD obtains credible evidence of counterfeit parts, and that the contractor may proceed with procurement from a contractor-approved supplier unless otherwise notified by DoD.
The clause implements 10 U.S.C. § 3701 (formerly 10 U.S.C. § 2319, redesignated January 1, 2022 under the reorganization of Title 10 by the FY 2021 NDAA). Section 3701(b) establishes the "Contractor responsibilities" framework: covered contractors that supply electronic parts or products that include electronic parts are responsible for detecting and avoiding the use or inclusion of counterfeit electronic parts or suspect counterfeit electronic parts in such products and for any rework or corrective action that may be required to remedy the use or inclusion of such parts. Section 3701(c)(3) directs the Secretary of Defense to issue regulations establishing requirements for contractors to purchase electronic parts from (A) the original manufacturers of the parts or their authorized suppliers, or (B) suppliers that obtain such parts exclusively from the original manufacturers of the parts or their authorized suppliers, or (C) in cases where electronic parts are not available from sources described in (A) or (B), from suppliers identified by contractors or subcontractors as contractor-approved suppliers, provided that (i) the contractor or subcontractor uses established counterfeit prevention industry standards and processes, (ii) the contractor or subcontractor assumes responsibility for the authenticity of parts provided by such suppliers, and (iii) the selection of such suppliers is subject to review, audit, and approval by DoD. DFARS 252.246-7008 paragraphs (b)(1), (b)(2), and (b)(3) implement Section 3701(c)(3)(A), (B), and (C) verbatim, mapping the statutory three-category structure (OCM/authorized, contractor-approved, other) onto the clause's four-category operational structure (Category 1 = statute (A)+(B); Category 2 = statute (C); Category 3 = statute catchall for non-compliance situations requiring notification and testing; Category 4 = Government stock, added by DoD to address Government-furnished material).
Sources: DFARS 252.246-7008; DFARS Subpart 246.870; DFARS 246.870-2; 81 Fed. Reg. 50635 (Aug. 2, 2016); 83 Fed. Reg. 19910 (May 4, 2018)
DFARS 252.204-7012 cyber incident reporting — 72-hour obligation, media preservation, and damage assessment
Paragraphs (c) through (g) of DFARS clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," impose a real-time incident-response compliance obligation that operates independently of the NIST SP 800-171 system-security requirements in paragraph (b). When a contractor discovers a cyber incident affecting covered defense information (CDI) or the contractor's ability to provide operationally critical support, the contractor must rapidly report the incident to DoD at dibnet.dod.mil within 72 hours of discovery, conduct a review for evidence of compromise, preserve forensic images and packet-capture data for at least 90 days, submit malicious software to the DoD Cyber Crime Center (DC3), provide DoD with access to additional information or equipment necessary for forensic analysis upon request, and cooperate with DoD damage-assessment activities. Unlike the preventive controls required by NIST SP 800-171, which contractors implement on an ongoing basis, the incident-reporting obligations are triggered by the occurrence of a cyber incident and impose hard deadlines measured in hours and days. Contractors unprepared for the 72-hour reporting window—those without a DoD-approved medium assurance certificate, without documented incident-response procedures, or without personnel trained to recognize reportable events—face contractual breach, mandatory-disclosure obligations under FAR 52.203-13, and potential False Claims Act liability if the contractor certified DFARS compliance without implementing the reporting capability.
Cyber incident — the triggering definition
Paragraph (a) of DFARS 252.204-7012 defines "cyber incident" as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. The clause defines "compromise" as disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred. The dual-prong definition—compromise or adverse effect—captures both confidentiality breaches (unauthorized access to or exfiltration of CDI, even when the contractor cannot confirm that data was actually copied) and integrity or availability incidents (malware infection, ransomware, denial-of-service attacks, system sabotage, or unauthorized modification of data or system configurations). A cyber incident does not require confirmation that CDI was exfiltrated or that harm has occurred; the definition encompasses potentially adverse effects, which means events such as detection of advanced persistent threat (APT) indicators, discovery of unauthorized remote access, identification of malicious software on a covered contractor information system, or detection of lateral movement within the network following a phishing compromise all trigger the reporting obligation even while the contractor is still investigating scope and impact.
The clause does not enumerate specific incident types, but the dibnet.dod.mil portal guidance (referenced at paragraph (c)(2)) and DoD practice treat the following as reportable cyber incidents when they affect a covered contractor information system or CDI: unauthorized access (successful phishing, credential theft, brute-force login, exploitation of unpatched vulnerabilities, insider threat); malware infection (viruses, worms, Trojans, ransomware, spyware, rootkits, or advanced persistent threat malware); data exfiltration or suspected exfiltration (large outbound data transfers to unknown external IPs, detection of command-and-control traffic, discovery that credentials for systems holding CDI were compromised); denial-of-service or degradation of operationally critical systems (DDoS attacks, sabotage of manufacturing or logistics systems designated as operationally critical support); unauthorized modification of data, firmware, or configurations (tampering with technical data, alteration of system logs, installation of unauthorized software or backdoors); and discovery during forensic analysis or third-party notification that a contractor system was compromised (notification by the FBI, CISA, or a threat-intelligence vendor that the contractor's IP addresses appear in breach data or are communicating with known malicious infrastructure). Contractors uncertain whether an event constitutes a cyber incident should err on the side of reporting; the clause imposes no penalty for good-faith reporting of a non-incident, but failure to report a cyber incident within 72 hours is a breach of the clause.
The 72-hour clock — "rapidly report" means within 72 hours of discovery
Paragraph (a) of DFARS 252.204-7012 defines "rapidly report" to mean within 72 hours of discovery of any cyber incident. The 72-hour period runs from the moment the contractor discovers the incident, not from the moment the contractor completes its investigation, confirms the scope, or determines the root cause. "Discovery" occurs when the contractor (through its security operations center, IT staff, system administrator, or any employee) becomes aware of facts indicating that a cyber incident has occurred or may have occurred. Discovery can occur through automated security alerts (intrusion-detection system alerts, endpoint-detection-and-response notifications, SIEM correlation alerts), user reports (an employee reporting a suspicious email, unusual system behavior, or a ransomware screen), third-party notification (notification by a managed-security-services provider, notification by law enforcement, or notification by another contractor in the supply chain), or detection during routine system administration or vulnerability scanning.
The 72-hour deadline is calendar time, not business hours. If a contractor discovers a cyber incident at 5:00 PM on Friday, the DIBNet report must be submitted by 5:00 PM on Monday (72 hours later), regardless of weekends or federal holidays. The clause provides no grace period for investigations, legal review, or management approval. Contractors who delay submission to "gather more facts" or to "confirm exfiltration before alarming DoD" are in breach of the clause if the delay causes the report to be filed after the 72-hour window. The DIBNet portal permits contractors to submit an initial report with limited information and to update the report as the investigation progresses; DoD expects contractors to file the initial report within 72 hours even when the contractor has not yet completed root-cause analysis or damage assessment. Paragraph (c)(1)(i) requires the contractor to conduct a review for evidence of compromise, but that review is conducted in parallel with the 72-hour reporting obligation, not as a prerequisite.
Failure to report within 72 hours is a material breach of DFARS 252.204-7012 and may trigger mandatory disclosure under FAR 52.203-13, which requires the contractor to disclose to the contracting officer and the agency Office of Inspector General credible evidence of a violation of federal criminal law or the civil False Claims Act in connection with the award or performance of a government contract. If a contractor certified compliance with DFARS 252.204-7012 (through a representation in the proposal, through submission of a CMMC assessment, or through acceptance of a contract modification incorporating the clause) and later fails to report a cyber incident within 72 hours, the contractor's prior certification may be deemed a false statement under 18 U.S.C. § 1001 or a false claim under 31 U.S.C. § 3729 if the certification was made with knowledge, deliberate ignorance, or reckless disregard of the contractor's inability to comply with the reporting obligation. The Department of Justice Civil Cyber-Fraud Initiative, announced October 6, 2021, has pursued False Claims Act settlements against defense contractors for failure to report cyber incidents and for misrepresenting NIST SP 800-171 compliance; settlements exceeding $26 million have been reported publicly.
Review for evidence of compromise — paragraph (c)(1)(i)
Paragraph (c)(1) of DFARS 252.204-7012 imposes a two-part obligation upon discovery of a cyber incident. Subparagraph (c)(1)(i) requires the contractor to conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review must also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the contractor's network(s) that may have been accessed as a result of the incident, in order to identify compromised covered defense information or systems that affect the contractor's ability to provide operationally critical support. Subparagraph (c)(1)(ii) requires the contractor to rapidly report cyber incidents to DoD at dibnet.dod.mil.
The review for evidence of compromise is the contractor's internal forensic investigation. The review must identify what CDI was accessed or potentially accessed, what systems were affected, what user credentials were compromised, and whether the incident affected operationally critical support (logistics, maintenance, technical support, or other contractor services designated by the requiring activity as critical to the direct fulfillment of DoD's mission). The contractor is not required to complete the review before filing the DIBNet report; the review is conducted contemporaneously with the 72-hour reporting obligation. But the contractor must initiate the review immediately upon discovery and must update the DIBNet report as findings emerge. The review must go beyond the initially affected system; if a phishing email compromised a user workstation, the contractor must analyze whether the attacker used the compromised workstation to access file servers, email systems, or other systems on the contractor's network that store or process CDI. Lateral-movement analysis is mandatory; the clause explicitly requires the contractor to analyze "other information systems on the Contractor's network(s), that may have been accessed as a result of the incident."
Contractors without security-monitoring infrastructure—those without endpoint detection and response (EDR) tools, network traffic analysis, centralized logging, or security information and event management (SIEM) capabilities—will struggle to conduct a meaningful review for evidence of compromise within a timeframe that supports the 72-hour reporting obligation. The clause does not require specific technologies, but NIST SP 800-171 requirements 3.3.1 through 3.3.9 (Audit and Accountability family) and 3.6.1 through 3.6.3 (Incident Response family) establish baseline monitoring and incident-response capabilities that contractors subject to DFARS 252.204-7012 must implement. A contractor that discovers a cyber incident and cannot identify what systems were accessed, what data was compromised, or what accounts were affected because the contractor has no audit logs or monitoring data has failed to implement NIST SP 800-171 requirements in paragraph (b) of DFARS 252.204-7012 and cannot satisfy the evidence-of-compromise review requirement in paragraph (c)(1)(i).
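As an added example (not part of the clause, the DIBNet portal, or any DoD or DCMA tool), the following Python sketches the two mechanics described in the 72-hour-clock and evidence-of-compromise paragraphs above: a time-ordered lateral-movement walk over constructed remote-access log lines to enumerate the hosts, accounts, and CDI-holding systems in scope for the paragraph (c)(1)(i) review, and the calendar-time arithmetic for the 72-hour report deadline and the 90-day media-preservation period. The log line format, host names, CDI inventory, and every timestamp are constructed assumptions.

```python
"""Added example: scope a compromise review and compute DFARS 252.204-7012 deadlines.
Not the clause's own text or any DoD tool; the log format and hosts are constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed remote-access log format (hypothetical): "<ts> <src> -> <dst> user=<u> result=<r>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) user=(\S+) result=(SUCCESS|FAILURE)$")

# Constructed sample lines. WS-017 is the phished workstation; the 2024-03-14 line is a
# legitimate logon from before the intrusion and must not be swept into the review.
SAMPLE_LOG = """\
2024-03-15T11:42:10Z WS-017 -> FS-CDI-01 user=jdoe result=SUCCESS
2024-03-15T11:45:02Z WS-017 -> MAIL-01 user=jdoe result=SUCCESS
2024-03-15T11:50:33Z WS-017 -> DC-01 user=svc_backup result=SUCCESS
2024-03-15T12:01:11Z DC-01 -> FS-CDI-02 user=svc_backup result=SUCCESS
2024-03-15T12:05:47Z WS-021 -> FS-CDI-02 user=asmith result=SUCCESS
2024-03-15T12:10:00Z DC-01 -> HR-DB-01 user=svc_backup result=FAILURE
2024-03-14T08:00:00Z WS-017 -> FS-CDI-01 user=jdoe result=SUCCESS
"""
CDI_HOSTS = {"FS-CDI-01", "FS-CDI-02"}                   # constructed asset inventory
WINDOW_START = datetime(2024, 3, 15, 11, 40, tzinfo=timezone.utc)  # phishing click (assumed)
DISCOVERED = datetime(2024, 3, 15, 17, 0, tzinfo=timezone.utc)     # Friday 17:00 UTC
REPORT_SUBMITTED = datetime(2024, 3, 17, 10, 0, tzinfo=timezone.utc)

REPORT_WINDOW = timedelta(hours=72)   # "rapidly report": 72 hours of discovery, calendar time
PRESERVE_PERIOD = timedelta(days=90)  # paragraph (e): at least 90 days from report submission


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    src: str
    dst: str
    user: str
    success: bool


def parse_log(text):
    """Parse the constructed format into time-ordered events; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append(AccessEvent(ts, m.group(2), m.group(3), m.group(4), m.group(5) == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def trace_lateral_movement(events, initial_host, window_start, cdi_hosts):
    """Breadth-first walk of successful accesses from hosts already believed compromised.

    An edge counts only if it occurred at or after the time its source host was first
    reached, so earlier legitimate logons from the same host are not treated as attacker
    activity. Returns (first_reached, accounts_used, cdi_hosts_affected, failed_attempts).
    """
    first_reached = {initial_host: window_start}
    accounts, failed = set(), []
    queue = deque([initial_host])
    while queue:
        host = queue.popleft()
        since = first_reached[host]
        for e in events:
            if e.src != host or e.ts < since:
                continue
            if not e.success:
                failed.append(e)          # attempted but unsuccessful: record, do not expand
                continue
            accounts.add(e.user)
            if e.dst not in first_reached:
                first_reached[e.dst] = e.ts
                queue.append(e.dst)
    cdi_affected = {h for h in first_reached if h in cdi_hosts}
    return first_reached, accounts, cdi_affected, failed


def report_deadline(discovered):
    """DIBNet report is due 72 calendar hours after discovery (weekends included)."""
    assert discovered.tzinfo is not None, "use timezone-aware timestamps"
    return discovered + REPORT_WINDOW


def is_report_late(discovered, submitted):
    return submitted > report_deadline(discovered)


def preservation_end(report_submitted):
    """Earliest date forensic images and packet captures may be released (90 days from submission)."""
    return report_submitted + PRESERVE_PERIOD


if __name__ == "__main__":
    reached, accounts, cdi, failed = trace_lateral_movement(
        parse_log(SAMPLE_LOG), "WS-017", WINDOW_START, CDI_HOSTS)
    print("hosts in scope :", sorted(reached))
    print("accounts used  :", sorted(accounts))
    print("CDI systems hit:", sorted(cdi))
    print("failed attempts:", [(e.src, e.dst) for e in failed])
    print("report due     :", report_deadline(DISCOVERED).isoformat())
    print("report late?   :", is_report_late(DISCOVERED, REPORT_SUBMITTED))
    print("preserve until :", preservation_end(REPORT_SUBMITTED).isoformat())
```

In the constructed data, WS-021's access to FS-CDI-02 stays out of scope because WS-021 was never reached from the compromised host, while the failed DC-01 attempt against HR-DB-01 is recorded without expanding the walk.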
DIBNet reporting portal and medium assurance certificate requirement — paragraphs (c)(1)(ii), (c)(2), and (c)(3)
Paragraph (c)(1)(ii) directs contractors to rapidly report cyber incidents to DoD at https://dibnet.dod.mil. DIBNet is the DoD's centralized portal for receiving cyber incident reports from defense contractors; reports filed there are routed to the DoD Cyber Crime Center (DC3), which operates the DoD-DIB Collaborative Information Sharing Environment (DCISE). The incident-reporting function is accessible only to users who authenticate with a valid DoD-approved medium assurance certificate. Paragraph (c)(3) makes that a hard technical prerequisite: in order to report cyber incidents in accordance with this clause, the contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. The clause points to https://public.cyber.mil/eca/ for information on obtaining one.
A medium assurance certificate is a Public Key Infrastructure (PKI) certificate issued to a named individual by an External Certification Authority (ECA) approved under the DoD PKI program; the currently approved ECA vendors are listed on the DoD Cyber Exchange ECA page. Issuance requires the applicant (typically an incident-response lead, the facility security officer, the chief information security officer, or a contracts administrator) to complete identity proofing at the medium assurance level (verification of government-issued photo ID, generally in person before a trusted agent or notary, according to the ECA's procedures), to pay the certificate fee (on the order of a few hundred dollars per certificate per validity period), and to install the certificate in the browser or operating-system certificate store, or on a hardware token, of the workstation that will be used to file reports. Issuance takes days to weeks depending on the ECA's identity-proofing process; a contractor that waits until a cyber incident occurs to begin acquiring a certificate will miss the 72-hour reporting deadline. Because the certificate is bound to a person rather than to the company, a contractor should hold certificates for at least two authorized reporters and track their expiration dates, so that a departure or an expired certificate does not leave it unable to report.
Paragraph (c)(3) uses mandatory language ("shall have or acquire"), but the obligation is framed around the ability to report: the certificate is the only means of submitting a DIBNet report, so in practice it must be in hand before an incident occurs. The clause itself provides no waiver of the certificate requirement and specifies no alternative reporting channel; a contractor that lacks a certificate when an incident is discovered cannot file on DIBNet within 72 hours, and it is the late or missing report, not the absence of a certificate at award, that DoD will measure as the breach of paragraph (c). Treat certificate acquisition and renewal as part of contract start-up for any award that includes DFARS 252.204-7012, and as a supplier-onboarding check for subcontractors who will receive covered defense information.
Paragraph (c)(2) specifies the content of the cyber incident report. The report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at dibnet.dod.mil. "Created by or for DoD" does not make the report unrestricted government property; it places the report under paragraph (j) of the clause, which authorizes DoD to use and release it outside DoD for the purposes and activities listed in paragraph (i) and for any other lawful Government purpose, subject to all applicable statutory, regulatory, and policy restrictions on use and release, and DoD handles contractor incident reports as controlled unclassified information protected from public disclosure. The DIBNet portal prompts the contractor to enter the following minimum data elements: the contractor's Commercial and Government Entity (CAGE) code; the contract number(s), task order number(s), or delivery order number(s) affected by the incident; the contractor's point of contact (name, email, phone); the date and time the incident was discovered; a description of the affected system(s), including whether the system is a covered contractor information system processing CDI; a narrative description of the incident (what happened, how it was detected, what indicators were observed); identification of the type of incident (unauthorized access, malware, data exfiltration, denial of service, etc.); a preliminary assessment of whether CDI was compromised or potentially compromised; a preliminary assessment of whether the incident affects the contractor's ability to provide operationally critical support; and any other information the contractor believes is relevant to DoD's understanding of the incident. The contractor may update the report after submission as the investigation progresses; the portal assigns a unique incident report number on initial submission, and the contractor uses that number to submit supplemental information.
Malicious software submission to DC3 — paragraph (d)
Paragraph (d) of DFARS 252.204-7012 requires contractors to submit malicious software discovered in connection with a reported cyber incident to the DoD Cyber Crime Center (DC3). When the contractor or a subcontractor discovers and isolates malicious software in connection with a reported cyber incident, it must submit the malicious software to DC3 in accordance with instructions provided by DC3 or the contracting officer; the clause adds expressly that the malicious software is not to be sent to the contracting officer, since a contracting office is not equipped to handle live malware. The conditional phrasing ("when the Contractor ... discover[s] and isolate[s] malicious software") means the submission obligation is triggered only if the contractor actually isolates a sample; a contractor that observes indicators of malware (behavioral anomalies, command-and-control traffic, file-integrity alerts) but cannot recover the binary is not in breach of paragraph (d) for failing to submit what it does not possess, though it should say so in the DIBNet report and preserve the indicators under paragraph (e).
DC3 is the DoD's operational cyber-forensics laboratory and malware-analysis center, located in Linthicum, Maryland; it provides malware reverse engineering, forensic analysis, and threat-intelligence support to DoD components and the defense industrial base. Contractors submit malware samples to DC3 through the malware-submission path DIBNet associates with the incident report number or, if the sample's size or format does not permit portal upload, by email to dc3.dc3cfrt@mail.mil or whichever channel DC3's current instructions specify. Package the sample in a password-protected archive (ZIP or 7z; the password "infected" is the customary convention unless DC3 specifies otherwise) so that mail gateways and endpoint agents do not quarantine it in transit and no one can execute it by accident; never attach a bare binary. Submit as soon as the sample is isolated, typically within 24 to 48 hours of the initial DIBNet report, quote the DIBNet incident report number so DC3 can correlate sample and incident, and record the sample's SHA-256 hash in the incident record so that DC3's findings can be matched unambiguously to what was sent.
DC3 analyzes the malware to identify its functionality, command-and-control infrastructure, indicators of compromise, and attribution markers, and shares the results with DoD counterintelligence and threat-intelligence organizations and, when appropriate and with contractor attribution removed, with other defense contractors through the DoD-DIB Cybersecurity (DIB CS) program. Contractors benefit from submitting samples because DC3 may identify indicators the contractor missed in its initial investigation, or may report that the same malware family has been observed against other defense contractors, letting the contractor hunt for related indicators. A contractor that fails to submit isolated malware when paragraph (d) requires it is in breach of the clause, but the clause attaches no deadline to the submission (it requires submission "in accordance with instructions provided by DC3 or the Contracting Officer"), so the failure is typically treated as less serious than missing the 72-hour window for the initial DIBNet report, provided the sample is submitted within a reasonable time after isolation.
Media preservation and protection — paragraph (e) and the 90-day retention obligation
Paragraph (e) of DFARS 252.204-7012 imposes a forensic-evidence-preservation obligation that runs for at least 90 days from the submission of the cyber incident report. When a contractor discovers a cyber incident has occurred, the contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest. The 90-day clock starts on the date the contractor submits the DIBNet report, not the date the incident was discovered or the date remediation was completed; a contractor that submits a DIBNet report on January 15 must preserve forensic images and packet-capture data until at least April 15, even if it completed remediation and returned systems to production in late January.
"Images of all known affected information systems" means forensic images or virtual-machine snapshots of the servers, workstations, network devices, and other components that were compromised or potentially compromised during the incident. A forensic disk image is a bit-for-bit copy of the storage media (hard drives, solid-state drives, virtual disks) that captures deleted files, unallocated space, and system artifacts not visible through the operating system; volatile memory is not on that media and must be captured separately, with a memory-acquisition tool, before the system is powered off, because a reboot destroys it. Both captures must precede remediation (malware removal, reimaging, patching), since remediation overwrites the evidence. The contractor's incident-response procedures should therefore order the steps as: isolate the system at the network layer without powering it down, capture volatile memory, acquire the disk image or VM snapshot, record and verify the image hash, and only then remediate.
"All relevant monitoring/packet capture data" means security logs, network traffic captures (PCAP files), intrusion-detection/prevention alerts, endpoint-detection-and-response telemetry, firewall logs, authentication logs, and any other log or monitoring data that records the attacker's activity or the propagation of malware through the contractor's network. Contractors subject to NIST SP 800-171 requirements 3.3.1 through 3.3.9 are already required to create, protect, and retain audit records to enable monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity; paragraph (e) adds a minimum 90-day retention for monitoring data related to a cyber incident, which may exceed the contractor's ordinary log-retention policy. Contractors whose log platform auto-deletes after 30 or 60 days must place an explicit hold on the records related to a reported incident. A retention period at or near 90 days is not enough on its own: a log generated ten days before the report was submitted reaches the end of a 90-day retention period ten days before the paragraph (e) window closes, so the hold must be set on the affected records rather than inferred from the policy length.
The purpose of the 90-day preservation window is to provide DoD time to determine whether DoD will conduct a damage assessment under paragraph (g) or request forensic access under paragraph (f). If DoD requests the media or forensic access within the 90-day window, the contractor must provide it and must continue to preserve the media until DoD releases the media or completes its analysis. If DoD does not request the media or access within 90 days, the contractor may dispose of the forensic images and monitoring data in accordance with the contractor's media-sanitization procedures under NIST SP 800-171 requirement 3.8.3 (sanitize or destroy information-system media containing CUI before disposal or release for reuse). The contractor should document the preservation period and DoD's decision (request or decline) in the incident record for audit and compliance purposes.
Contractors who remediate an affected system by reimaging or replacing hardware before capturing a forensic image, or who delete or overwrite monitoring data during the 90-day preservation period, are in breach of paragraph (e). The breach may be excused if the contractor acted under exigent operational circumstances (a ransomware attack rendering operationally critical systems unavailable, requiring immediate restoration from backup to meet a contract delivery deadline) and the contractor notified the contracting officer and DC3 of the exigent circumstances before overwriting evidence, but DoD retains discretion to treat the failure to preserve evidence as a material breach, particularly if the contractor's remediation destroyed evidence that would have revealed the extent of CDI compromise.
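The preservation and hold obligations above lend themselves to a small amount of tooling: hashing each preserved image and capture at the moment it is set aside gives the contractor (and DoD, if it requests the media) a way to show the artifacts were not altered during the 90-day window, and computing the hold date from the report submission date catches logs whose ordinary retention would expire first. The following Python script is an added example written for this page; it is not a DoD, DC3 or DIBNet tool and not part of the clause. The directory layout, file names, the DIBNet report number and the retention policy it uses are hypothetical, and it treats a file's modification time as a stand-in for the date a log or capture was created.

```python
"""Evidence-hold manifest for a DFARS 252.204-7012 paragraph (e) preservation window.

Added illustration for this page, not the clause's text and not a DoD, DC3 or DIBNet
tool. Hypothetical assumptions: artifacts sit in one local directory, the report number
format is made up, and file mtime stands in for the date a log or capture was created.
"""
import hashlib
import os
import tempfile
from datetime import date, datetime, time, timedelta
from pathlib import Path

PRESERVATION_DAYS = 90  # paragraph (e): at least 90 days from report submission


def sha256_file(path: Path) -> str:
    """Stream the file so a multi-gigabyte disk image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_until(report_submitted: date) -> date:
    """The clock runs from DIBNet report submission, not from discovery or remediation."""
    return report_submitted + timedelta(days=PRESERVATION_DAYS)


def needs_hold_override(created: date, policy_days: int, report_submitted: date) -> bool:
    """True when ordinary retention would purge the artifact before the hold ends.
    Logs that predate the report are the usual case: even a 95-day policy on a log
    that was ten days old at submission expires inside the 90-day window."""
    return created + timedelta(days=policy_days) < preserve_until(report_submitted)


def build_manifest(evidence_dir: Path, report_number: str, report_submitted: date,
                   retention_policy_days: dict) -> dict:
    """Hash each artifact and record whether auto-deletion must be suspended for it.
    retention_policy_days maps a suffix (".pcap", ".log", ".E01") to the days the
    organization normally keeps that type; unmapped types are assumed never purged."""
    entries = []
    for path in sorted(evidence_dir.iterdir()):
        if not path.is_file():
            continue
        created = datetime.fromtimestamp(path.stat().st_mtime).date()
        policy = retention_policy_days.get(path.suffix)
        entries.append({
            "artifact": path.name,
            "bytes": path.stat().st_size,
            "sha256": sha256_file(path),
            "created": created.isoformat(),
            "needs_hold_override": policy is not None
            and needs_hold_override(created, policy, report_submitted),
        })
    return {
        "dibnet_report_number": report_number,
        "report_submitted": report_submitted.isoformat(),
        "preserve_until": preserve_until(report_submitted).isoformat(),
        "artifacts": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Re-hash the artifacts; anything missing or altered is a break in custody."""
    problems = []
    for entry in manifest["artifacts"]:
        path = evidence_dir / entry["artifact"]
        if not path.is_file():
            problems.append(f"{entry['artifact']}: missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"{entry['artifact']}: hash mismatch")
    return problems


def write_sample_evidence(evidence_dir: Path, report_submitted: date) -> None:
    """Constructed sample artifacts (not real evidence), back-dated relative to the report."""
    samples = {
        "ws-0417.E01": (b"\x00" * 4096, 2),                       # disk image, 2 days old
        "dmz-tap.pcap": (b"\xd4\xc3\xb2\xa1" + b"\x00" * 20, 5),  # packet capture, 5 days old
        "auth.log": (b"Jan 05 03:12:44 host sshd[812]: Accepted publickey for svc\n", 10),
    }
    for name, (content, age_days) in samples.items():
        path = evidence_dir / name
        path.write_bytes(content)
        created = datetime.combine(report_submitted - timedelta(days=age_days), time(12, 0))
        os.utime(path, (created.timestamp(), created.timestamp()))


def demo() -> tuple:
    """Build a manifest over the samples, verify it, then overwrite one log and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        submitted = date(2023, 1, 15)  # the same example date the text uses
        write_sample_evidence(evidence, submitted)
        policy = {".log": 60, ".pcap": 30, ".E01": 365}  # hypothetical retention policy
        manifest = build_manifest(evidence, "HYPOTHETICAL-2023-0001", submitted, policy)
        before = verify_manifest(evidence, manifest)
        (evidence / "auth.log").write_bytes(b"rotated\n")  # simulate a purge or overwrite
        after = verify_manifest(evidence, manifest)
    return manifest, before, after


if __name__ == "__main__":
    result, intact, tampered = demo()
    print(result["preserve_until"], intact, tampered)
    for item in result["artifacts"]:
        print(item["artifact"], item["sha256"][:16], "HOLD" if item["needs_hold_override"] else "ok")
```

Run directly, it builds a manifest over the constructed samples (preserve-until of 2023-04-15 for a report submitted 2023-01-15, hold flags on the 60-day log and the 30-day capture but not the 365-day image), verifies it cleanly, then reports a hash mismatch once the log has been overwritten. In production the manifest should live on write-once or separately controlled storage, and the hold flag should drive a real legal-hold setting in the SIEM or log platform rather than remain a JSON field.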
Access to additional information or equipment necessary for forensic analysis — paragraph (f)
Paragraph (f) of DFARS 252.204-7012 gives DoD broad authority to request access to contractor information, systems, and facilities beyond the forensic images and monitoring data preserved under paragraph (e). Upon request by DoD, the contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis. The "shall provide … access" language is unconditional; the contractor may not refuse the request based on proprietary concerns, operational disruption, cost, or security policies. DoD determines what is "necessary to conduct a forensic analysis," not the contractor. Requests under paragraph (f) are typically made by DC3, the Defense Counterintelligence and Security Agency (DCSA), or the contracting officer acting on behalf of the requiring activity, and may include requests for access to live systems for memory forensics or network-traffic monitoring, access to backup tapes or archives to identify the initial point of compromise, access to physical facilities for on-site forensic data collection, interviews with IT personnel or users who detected the incident, copies of system-security plans or network diagrams, credentials for forensic login to affected systems, or access to cloud-service-provider logs or infrastructure when the contractor uses an external CSP under paragraph (b)(2)(ii)(D).
Contractors performing on classified contracts or operating under the National Industrial Security Program Operating Manual (NISPOM, now codified at 32 C.F.R. Part 117) must coordinate DoD forensic-access requests with their facility security officer (FSO) and with DCSA so that any DoD personnel given access to facilities or systems hold appropriate clearances and have a need-to-know for classified information that may reside on dual-use systems. Contractors on unclassified contracts have no basis to refuse access under paragraph (f) unless the requested access would expose information unrelated to the contract (proprietary commercial data, or another customer's confidential information on shared infrastructure); in that case the contractor should propose alternative access methods (redaction, an isolated forensic environment, third-party escrow) to the contracting officer and seek a scope limitation, while still providing the in-scope material without delay. Outright refusal to provide access requested under paragraph (f) is a material breach of DFARS 252.204-7012 and may support termination for default under FAR Part 49.
Cyber incident damage assessment activities — paragraph (g)
Paragraph (g) of DFARS 252.204-7012 authorizes DoD to conduct a damage assessment following a reported cyber incident and obligates the contractor to provide all damage-assessment information gathered under paragraph (e). If DoD elects to conduct a damage assessment, the contracting officer will request that the contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause. "Damage assessment" is not defined in the clause, but DoD practice treats damage assessment as a structured investigation to determine the scope and impact of a cyber incident on DoD operations, missions, or information. Damage assessments are typically conducted by the requiring activity (the program office, the requiring command, or the mission owner) with support from DC3, DCSA, and intelligence agencies when the incident involves potential espionage or advanced persistent threats.
Damage-assessment activities may include analysis of what CDI was accessed or exfiltrated, assessment of whether the compromised CDI included technical data subject to export-control restrictions (International Traffic in Arms Regulations or Export Administration Regulations), evaluation of whether the incident affects the security or integrity of a weapon system or platform under development or sustainment, determination of whether the incident was an isolated opportunistic attack or part of a broader campaign against the defense industrial base, and recommendation of additional security measures or contract modifications (such as enhanced monitoring, isolation of CDI processing to a government-furnished system, or transition to a FedRAMP-authorized cloud service provider).
The contractor is required to cooperate with the damage assessment by providing the information gathered under paragraph (e) (forensic images, monitoring data, incident-response reports, malware-analysis results) and by responding to follow-on requests for information or access under paragraph (f). The contractor is not required to conduct the damage assessment; that is DoD's responsibility. Contractors are nonetheless well advised to run their own parallel assessment, because the incident may carry obligations DoD's assessment will not address: insurance notice requirements, securities-disclosure duties for publicly traded companies, state data-breach-notification laws where personal data was exposed, other federal or state regulatory notifications, and a review of whether any related conduct (for example, an earlier representation of NIST SP 800-171 compliance that the incident shows to have been knowingly inaccurate) rises to credible evidence requiring disclosure under FAR 52.203-13, which covers violations of federal criminal law involving fraud, conflict of interest, bribery, or gratuities and violations of the civil False Claims Act. Contractors should coordinate their internal assessment with DoD's to avoid conflicting conclusions or gaps in the investigation.
DoD may, but is not required to, share the results of its damage assessment with the contractor. Damage-assessment results are typically classified or marked as Controlled Unclassified Information and may reveal intelligence sources or methods if the assessment draws on signals intelligence, counterintelligence investigations, or information from other compromised contractors. Contractors should not assume that DoD's decision not to conduct a damage assessment, or DoD's decision not to share damage-assessment results, means the incident was inconsequential; DoD may have determined the incident was low-impact based on the DIBNet report and forensic images without conducting a full assessment, or may have conducted a classified assessment without providing a readout to the contractor.
Subcontractor reporting obligations and prime-contractor pass-through — paragraph (m)
Paragraph (m) of DFARS 252.204-7012 requires the contractor to include the clause, including paragraph (m), without alteration except to identify the parties, in subcontracts or similar contractual instruments for operationally critical support or for which subcontract performance will involve covered defense information, including subcontracts for commercial products or commercial services. Note that "Federal contract information" is the trigger for FAR 52.204-21, not for this clause; this clause turns on covered defense information and operationally critical support. The prime must determine whether the information it passes to a subcontractor retains its identity as covered defense information and requires protection under the clause, consulting the contracting officer if necessary. Because the whole clause flows down, a subcontractor that discovers a cyber incident is bound by the same 72-hour DIBNet report, the same 90-day preservation of images and monitoring data, and the same DC3 malware submission. Paragraph (m) also adds a dual-reporting obligation: the prime must require subcontractors to report cyber incidents directly to DoD at dibnet.dod.mil and to provide the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as practicable. A parallel requirement obliges subcontractors to notify the prime (or next higher-tier subcontractor) when they submit a request to the contracting officer to vary from a NIST SP 800-171 security requirement under paragraph (b)(2)(ii)(B).
When a subcontractor files a DIBNet report, the portal assigns an incident report number. Under paragraph (m), the subcontractor must pass that number to the prime contractor (or the next higher-tier subcontractor) as soon as practicable; the clause sets no fixed interval, so primes commonly write a specific window (for example, 24 hours) into the subcontract. The prime must then assess whether the subcontractor's incident affects covered defense information the prime provided, whether it affects the subcontractor's ability to deliver goods or services critical to the prime's contract performance, and whether the prime should file its own DIBNet report (for example, where CDI the prime provided appears to have been compromised). The prime should also notify the contracting officer if the subcontractor's incident threatens contract performance or delivery schedules.
The clause itself requires the prime to flow the clause down; it does not make the prime a guarantor of subcontractor compliance, but a subcontractor that cannot report leaves the prime exposed, so prime contractors conducting supplier cybersecurity assessments or CMMC readiness reviews should verify that each subcontractor subject to DFARS 252.204-7012 has a documented incident-response plan, has identified personnel authorized to file DIBNet reports, holds current medium assurance certificates for those personnel, and has exercised the DIBNet reporting process through a tabletop exercise or simulated incident. A prime that discovers a subcontractor failed to report a cyber incident within 72 hours, or lacks the capability to report, should assess whether the facts amount to credible evidence requiring disclosure under FAR 52.203-13; that clause covers violations of federal criminal law involving fraud, conflict of interest, bribery, or gratuities and violations of the civil False Claims Act, so the question is typically whether the subcontractor knowingly misrepresented its compliance, not merely whether it missed a deadline.
Relationship to CMMC and NIST SP 800-171 Incident Response requirements
The cyber-incident-reporting obligations in DFARS 252.204-7012 paragraphs (c) through (g) are independent of and in addition to the NIST SP 800-171 incident-response requirements in the 3.6 control family (Incident Response) that contractors must implement under paragraph (b) of the clause. NIST SP 800-171 Revision 2 requirements 3.6.1, 3.6.2, and 3.6.3 require contractors to establish an operational incident-handling capability that includes preparation, detection, analysis, containment, recovery, and user-response activities; track, document, and report incidents to designated officials and authorities; and test the incident-response capability. These requirements oblige contractors to have an incident-response program, to document incidents in an incident log or tracking system, and to test the program periodically. DFARS 252.204-7012 paragraphs (c) through (g) specify where to report (dibnet.dod.mil), when to report (within 72 hours of discovery), what to report (the elements specified on the DIBNet portal), what to preserve (forensic images and monitoring data for 90 days), and what to submit (malicious software to DC3).
CMMC Level 1 (Self) covers only the 15 basic safeguarding requirements of FAR 52.204-21 and does not assess incident response. Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC) assessments evaluate whether the contractor has implemented NIST SP 800-171 requirement 3.6.2 (track, document, and report incidents) along with the rest of the 3.6 family. The assessment verifies that the contractor has an incident-response plan, that the plan includes procedures for reporting incidents to DoD, and that the contractor has documented and tested the DIBNet reporting process. A contractor with a Final CMMC Level 2 (C3PAO) status that has never filed a DIBNet report (because no cyber incident has occurred) will be assessed as MET for requirement 3.6.2 if its incident-response plan documents the DIBNet reporting procedure and the procedure has been tested through a tabletop exercise. But a contractor that experiences a cyber incident and fails to report within 72 hours is in breach of DFARS 252.204-7012 paragraph (c) regardless of its CMMC status: the clause obligation is an operational requirement triggered by the occurrence of an incident, not a system-design requirement assessed during a triennial CMMC assessment.
Contractors preparing for CMMC assessments should ensure their incident-response plan explicitly references DFARS 252.204-7012 and documents the 72-hour DIBNet reporting requirement, the medium-assurance-certificate acquisition and maintenance process, the 90-day forensic-preservation requirement, the DC3 malware-submission process, and the procedures for cooperating with DoD damage assessments. C3PAO assessors evaluating requirement 3.6.2 will ask to see the incident-response plan, will verify that the plan addresses the DFARS 252.204-7012 obligations, and will request evidence that the contractor has tested the DIBNet reporting process (such as a tabletop-exercise after-action report, a screenshot of a test DIBNet login, or documentation of incident-response training for personnel with medium assurance certificates).
Source: DFARS 252.204-7012
Executive Order 13556, 32 C.F.R. Part 2002, and the CUI Registry — the government-wide framework for Controlled Unclassified Information
Executive Order 13556, "Controlled Unclassified Information," signed November 4, 2010, and the implementing regulation at 32 C.F.R. Part 2002 (effective November 14, 2016) establish a government-wide program to standardize the handling of unclassified information that requires safeguarding or dissemination controls across more than 100 federal departments and agencies. The CUI framework is the foundation on which DoD-specific cybersecurity requirements — DFARS 252.204-7012, the CMMC program at 32 C.F.R. Part 170, and NIST SP 800-171 compliance obligations — are built. Contractors performing on federal contracts must understand the CUI framework to properly identify what information qualifies as CUI, to scope their covered contractor information systems under DFARS 252.204-7012, and to comply with agency-specific CUI safeguarding clauses across civilian agencies and DoD. The National Archives and Records Administration (NARA), acting through the Information Security Oversight Office (ISOO), serves as the CUI Executive Agent and maintains the CUI Registry at archives.gov/cui/registry/category-list — the authoritative online repository of all approved CUI categories and subcategories, associated markings, and the statutory or regulatory basis for each category.
Executive Order 13556 — purpose and scope
Executive Order 13556 states that executive departments and agencies have historically employed "ad hoc, agency-specific policies, procedures, and markings to safeguard and control" unclassified information involving privacy, security, proprietary business interests, and law enforcement investigations, and that this "inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing." The Order establishes "an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended." The CUI framework does not create new categories of protected information; it consolidates and standardizes existing categories that federal law, regulation, or government-wide policy already required agencies to protect. The Order designates NARA as the CUI Executive Agent to implement the Order and oversee agency actions to ensure compliance, and directs the Executive Agent to approve CUI categories and subcategories and to issue implementing directives. The CUI categories and subcategories "shall serve as exclusive designations for identifying unclassified information throughout the executive branch that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies." 
The exclusive-designation language means agencies may not create ad hoc categories or apply legacy markings (such as "For Official Use Only," "Sensitive But Unclassified," or "Law Enforcement Sensitive") to information created or received after their agency's CUI implementation date; all such information must be designated and marked using the CUI Registry categories and the marking standards at 32 C.F.R. Part 2002 Subpart B.
32 C.F.R. Part 2002 — the implementing regulation
NARA published 32 C.F.R. Part 2002, "Controlled Unclassified Information," as a final rule on September 14, 2016, effective November 14, 2016. The regulation establishes policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. Part 2002 defines "Controlled Unclassified Information" as information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies. CUI is explicitly defined to exclude classified information under Executive Order 13526 and Restricted Data under the Atomic Energy Act. The regulation distinguishes two handling tiers. CUI Basic is the default: it applies when the authorizing law, regulation, or Government-wide policy requires or permits safeguarding or dissemination controls but does not itself prescribe specific handling requirements, so the uniform controls in Part 2002 govern. CUI Specified applies when the authority does prescribe its own handling or dissemination controls (for example, specific marking, access, or retention rules); those controls govern where they differ from CUI Basic, and the Registry and the banner marking flag such categories with the "SP-" prefix (as in "CUI//SP-CTI"). Section 2002.4 defines "authorized holder" as an individual, agency, organization, or group of users that is permitted to designate or handle CUI in accordance with the regulation; authorized holders include federal agencies, contractors and grantees when they create or receive CUI on behalf of the Government, and state, local, tribal, and territorial government entities when they receive CUI from federal agencies.
CUI Registry — the authoritative category list
The CUI Registry, maintained by ISOO at archives.gov/cui/registry/category-list, is the government-wide online repository for all information, guidance, policy, and requirements on handling CUI. Under 32 C.F.R. § 2002.8, the CUI Registry includes all authorized CUI categories and subcategories, associated markings, applicable safeguarding and decontrolling procedures, citations to the laws, regulations, or government-wide policies that form the basis for each category, and other policy information issued by the CUI Executive Agent. No information qualifies as CUI unless it falls within a category listed in the Registry whose entry identifies the authorizing law, regulation, or government-wide policy. The Registry currently organizes well over 100 categories under some twenty organizational index groupings (Critical Infrastructure, Defense, Export Control, Privacy, Procurement and Acquisition, Proprietary Business Information, and so on); the groupings are navigational aids rather than markings, and the current layout presents categories directly under the groupings rather than as category/subcategory pairs, although 32 C.F.R. Part 2002 still speaks of "categories and subcategories." Each entry specifies the category name, the category marking (e.g., "CTI" for Controlled Technical Information in the Defense grouping, written in a banner as "CUI//SP-CTI" because CTI is CUI Specified), the safeguarding and/or dissemination authority (the statute, regulation, or policy that requires or permits controls), and whether the category is CUI Basic or CUI Specified. Entries may also carry Limited Dissemination Control markings when applicable, such as "NOFORN" (no foreign dissemination), "FED ONLY" (federal employees only), "FEDCON" (federal employees and federal contractors only), or "NOCON" (no dissemination to contractors).
Key CUI categories relevant to federal contractors
Contractors performing on federal contracts encounter CUI in multiple categories depending on the agency and the type of work. The most frequently encountered categories in the context of DoD cybersecurity compliance and federal acquisition include:
Critical Infrastructure — Information not customarily in the public domain about critical infrastructure (as defined by the Critical Infrastructures Protection Act of 2001, 42 U.S.C. § 5195c(e)) that relates to the protection of such infrastructure, including risk assessments, vulnerability assessments, and security plans. This category includes information about critical infrastructure security provided by private-sector owners and operators to federal agencies under voluntary information-sharing arrangements.
Defense — This category includes multiple subcategories tied to DoD information-protection statutes and regulations. The Controlled Technical Information (CTI) subcategory covers technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance, display, release, disclosure, or dissemination and would meet the criteria for DoD distribution statements B through F under DoD Instruction 5230.24 if disseminated; this is the subcategory that underpins "controlled technical information" as defined at DFARS 204.7301 and used throughout DFARS Subpart 204.73 and DFARS 252.204-7012. The Critical Infrastructure subcategory under Defense covers defense critical infrastructure vulnerability assessments, security plans, and related protection information. The Unclassified Controlled Nuclear Information (UCNI) subcategory under Defense applies to unclassified information concerning security measures (including security plans, procedures, and equipment) for the physical protection of special nuclear material, production or utilization facilities, or classified matter at DoD facilities.
Export Control — Information subject to export-control restrictions under the International Traffic in Arms Regulations (ITAR, 22 C.F.R. Parts 120–130) or the Export Administration Regulations (EAR, 15 C.F.R. Parts 730–774). Within this grouping, ITAR-controlled information is technical data relating to defense articles on the United States Munitions List (22 C.F.R. § 121.1) that is controlled under the Arms Export Control Act, 22 U.S.C. § 2778, and EAR-controlled information concerns dual-use items and technology listed on the Commerce Control List (15 C.F.R. Part 774, Supplement No. 1) that are controlled under the Export Control Reform Act of 2018, 50 U.S.C. § 4801 et seq. Contractors performing on DoD development contracts or supplying items with military or dual-use applications frequently handle CUI in the Export Control grouping. DFARS 252.204-7012 reaches export-controlled technical information through the CUI Registry reference in its definition of covered defense information; the original 2015 version of the clause listed export-controlled information explicitly, and the October 2016 revision replaced that enumeration with the Registry reference, so the scope is unchanged even though the clause no longer names the category.
Privacy — Information concerning an individual that is maintained by an agency and protected under the Privacy Act of 1974, 5 U.S.C. § 552a. This category includes personally identifiable information (PII) in Privacy Act systems of records and information covered by other privacy statutes such as the Health Insurance Portability and Accountability Act (HIPAA) when held by federal agencies or contractors operating federal information systems on behalf of agencies. The CUI Registry notes that the fact that information is subject to the Privacy Act does not automatically require the information to be marked as CUI; agencies must consult the Registry to determine which privacy information must be marked as CUI and which is governed solely by Privacy Act safeguarding and disclosure requirements without CUI designation.
Procurement and Acquisition — Information relating to the award or performance of a government contract that requires protection to prevent unfair competitive advantage or to protect proprietary business information. Subcategories include Source Selection Information (48 C.F.R. § 2.101, the FAR definition of source selection information that may not be disclosed outside the Government except as authorized by statute), Contractor Proprietary Information (trade secrets and confidential commercial or financial information obtained from contractors under FAR Part 15 or other acquisition regulations), and Bid or Proposal Information (information contained in bids or proposals that would be protected under FOIA Exemption 4 if disclosed, 5 U.S.C. § 552(b)(4)). The Procurement and Acquisition category is the statutory basis for FAR clauses such as FAR 52.215-1, which governs use and disclosure of proposal information and data.
Proprietary Business Information — Information provided to the Government by a business or individual that contains trade secrets or confidential commercial or financial information exempt from disclosure under FOIA Exemption 4 (5 U.S.C. § 552(b)(4)) or protected by the Trade Secrets Act (18 U.S.C. § 1905). This category applies when a contractor or grantee submits proprietary cost or pricing data, proprietary technical data, or other business-confidential information to the Government in the course of contract performance, proposal submission, or regulatory compliance, and the Government has an obligation to protect the information from unauthorized disclosure. Contractors should mark proprietary information submitted to the Government with the appropriate CUI marking (typically "CUI" or "CUI//SP-PROPIN" when the Proprietary Business Information Specified subcategory applies) to alert the Government to the need for protection.
Law Enforcement — Information compiled for law enforcement purposes, including criminal investigative records, informant identity, and sensitive investigative techniques, that is exempt from public disclosure under FOIA Exemption 7 (5 U.S.C. § 552(b)(7)). This category is relevant to contractors performing law-enforcement support services for agencies such as the Department of Justice, the Department of Homeland Security, or the DoD Defense Criminal Investigative Service, and to contractors handling information about investigations into contractor misconduct or fraud.
Provisional CUI categories and agency-specific categories
The CUI Registry includes a Provisional section listing categories or subcategories that NARA is reviewing for inclusion in the permanent Registry. Provisional categories may be used by agencies on an interim basis pending formal approval, but contractors should verify with the contracting agency whether a provisional category has been approved for the specific contract. Agencies may not unilaterally create CUI categories outside the Registry approval process; any agency-proposed category must be submitted to the CUI Executive Agent for review, and the category becomes effective only when published in the CUI Registry. The Registry also includes Legacy Material guidance at 32 C.F.R. § 2002.36, which addresses how agencies and contractors must handle documents created before the agency's CUI implementation date that carry legacy markings such as "For Official Use Only" (FOUO) or "Sensitive But Unclassified" (SBU). Legacy material that contains information qualifying as CUI under the Registry must be re-marked in accordance with CUI standards when the information is re-used or incorporated into new documents, or the agency may apply an alternate marking method (such as a header or footer stating "This document contains CUI, handle in accordance with agency CUI policy") if individual re-marking is excessively burdensome.
Relationship to DFARS 252.204-7012 and "covered defense information"
DFARS 252.204-7012(a) defines "covered defense information" as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at archives.gov/cui/registry/category-list, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is (1) marked or otherwise identified in the contract as CUI, or (2) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. The cross-reference to the CUI Registry means that contractors subject to DFARS 252.204-7012 must consult the Registry to determine what information qualifies as CUI and therefore qualifies as covered defense information if it is marked or identified in the contract or is created in performance of the contract. The most common CUI categories on DoD contracts are Controlled Technical Information (Defense category, CTI subcategory), Export Control (ITAR and EAR subcategories), Critical Infrastructure (when the contract involves vulnerability assessments or security plans for defense critical infrastructure), and Procurement and Acquisition (source selection information, contractor proprietary information, and bid or proposal information when the contractor is supporting a DoD source selection or acquisition function). 
Contractors who fail to identify information that qualifies as CUI under the Registry, or who fail to apply the required NIST SP 800-171 controls to covered contractor information systems processing that information, are in breach of DFARS 252.204-7012 regardless of whether the information was explicitly marked as CUI by the Government, because the definition of covered defense information includes information "collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract" that meets a CUI Registry category.
Marking requirements under 32 C.F.R. Part 2002 Subpart B
Part 2002 establishes mandatory marking standards for CUI to replace the inconsistent legacy markings that agencies previously used. Under 32 C.F.R. § 2002.20, the basic CUI marking consists of the acronym "CUI" at the top and bottom of each page (or a single marking at the top if the document is one page or if marking the bottom is impracticable). When CUI falls within a CUI Specified subcategory, the marking must include the category marking shorthand from the CUI Registry after the "CUI" acronym, separated by a double forward slash; for example, "CUI//SP-CTI" for Controlled Technical Information Specified, or "CUI//SP-EXPT" for Export Controlled Information Specified. If multiple CUI categories are present in a single document, the marking lists all applicable category markers separated by single forward slashes: "CUI//SP-CTI/SP-EXPT." The marking must also include any applicable Limited Dissemination Controls, such as "CUI//NOFORN" or "CUI//SP-CTI//FEDONLY," and must include a CUI designation indicator block if the document is being disseminated outside the originating agency. When a document contains a mixture of CUI and uncontrolled unclassified information, portion markings are required to identify which portions contain CUI; the portion marking "(CUI)" is placed at the beginning of each paragraph, bullet point, subject line, or title that contains CUI. Documents containing only CUI Basic with no Limited Dissemination Controls may be marked simply "CUI" at the top and bottom. Contractors creating or receiving CUI must apply the Registry markings when generating documents in performance of a contract, and must maintain the markings when storing, transmitting, or disseminating CUI. 
Contractors who receive unmarked information from the Government that falls within a CUI Registry category should request clarification from the contracting officer or requiring activity about whether the information qualifies as CUI and should be marked; if the contractor generates a derivative document (a report, analysis, or deliverable) that incorporates unmarked government-provided information qualifying as CUI, the contractor must apply CUI markings to the derivative document.
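As an added example (not part of the page, NARA's tooling, or any DoD system), the following Python models the banner and portion-marking syntax described in the two paragraphs above: it parses and rebuilds banners, rolls portion markings up into the banner a derivative document needs, and flags a mixed document whose portions are not all marked. The marker sets are a constructed subset of the Registry; the "(U)" marker for uncontrolled portions, the rule that the banner must carry every marker found in a portion, and the sorted marker order are assumptions made for this example rather than rules stated on this page.

```python
"""Parser, formatter and consistency checker for CUI banner/portion markings.

Banner grammar modelled here (exactly the forms the text describes):
    CUI                      CUI Basic, no Limited Dissemination Control
    CUI//SP-CTI              one Specified category marker
    CUI//SP-CTI/SP-EXPT      several category markers, single slash between
    CUI//NOFORN              CUI Basic plus an LDC
    CUI//SP-CTI//FEDONLY     category group, then LDC group, each after //
"""
from dataclasses import dataclass
import re

# Constructed subset of Registry markers; the CUI Registry is the authority.
KNOWN_CATEGORIES = frozenset({"SP-CTI", "SP-EXPT", "SP-PROPIN"})
KNOWN_LDCS = frozenset({"NOFORN", "FEDONLY"})

# Portion marker at paragraph start: "(CUI)", "(CUI//SP-CTI//NOFORN)" or "(U)".
# "(U)" for an uncontrolled portion is an assumption, not stated on the page.
PORTION_RE = re.compile(r"^\((CUI(?://[^)]*)?|U)\)\s*")


@dataclass(frozen=True)
class Banner:
    categories: tuple = ()   # e.g. ("SP-CTI", "SP-EXPT"); empty means CUI Basic
    ldcs: tuple = ()         # e.g. ("NOFORN",)


def parse_banner(text: str) -> Banner:
    """Parse a banner string; raise ValueError on anything the grammar forbids."""
    groups = text.strip().split("//")
    if groups[0] != "CUI":
        raise ValueError("banner must begin with CUI")
    if len(groups) > 3:
        raise ValueError("at most one category group and one LDC group")
    categories, ldcs = (), ()
    for group in groups[1:]:
        items = tuple(group.split("/"))
        if not all(items):
            raise ValueError("empty marker in %r" % group)
        if all(i in KNOWN_CATEGORIES for i in items):
            if categories or ldcs:
                raise ValueError("category group must come first and only once")
            categories = items
        elif all(i in KNOWN_LDCS for i in items):
            if ldcs:
                raise ValueError("duplicate LDC group")
            ldcs = items
        else:
            raise ValueError("unknown or mixed markers in %r" % group)
    return Banner(categories, ldcs)


def is_valid_banner(text: str) -> bool:
    try:
        parse_banner(text)
        return True
    except ValueError:
        return False


def format_banner(b: Banner) -> str:
    """Inverse of parse_banner: rebuild the banner string."""
    out = "CUI"
    if b.categories:
        out += "//" + "/".join(b.categories)
    if b.ldcs:
        out += "//" + "/".join(b.ldcs)
    return out


def split_portion(paragraph: str):
    """Return (marker, body); marker is None when the paragraph is unmarked."""
    m = PORTION_RE.match(paragraph)
    return (None, paragraph) if not m else (m.group(1), paragraph[m.end():])


def derive_banner(paragraphs: list):
    """Banner a derivative document needs, rolled up from its portion markings.
    Assumption: the banner carries every category and LDC found in any portion.
    Returns None when no portion is marked CUI."""
    cats, ldcs = set(), set()
    for p in paragraphs:
        marker, _ = split_portion(p)
        if marker and marker.startswith("CUI"):
            pb = parse_banner(marker)
            cats.update(pb.categories)
            ldcs.update(pb.ldcs)
    if not cats and not ldcs and not any(
            (split_portion(p)[0] or "").startswith("CUI") for p in paragraphs):
        return None
    # Sorted order is a convention chosen here, not the Handbook's ordering rule.
    return format_banner(Banner(tuple(sorted(cats)), tuple(sorted(ldcs))))


def check_document(banner_text: str, paragraphs: list) -> list:
    """Return findings (empty list = consistent) for a banner plus its portions."""
    try:
        banner = parse_banner(banner_text)
    except ValueError as e:
        return ["banner: %s" % e]
    findings = []
    markers = [split_portion(p)[0] for p in paragraphs]
    marked = [i for i, m in enumerate(markers) if m is not None]
    unmarked = [i for i, m in enumerate(markers) if m is None]
    # Mixed document (some portions marked) must mark every portion.
    if marked and unmarked:
        findings += ["paragraph %d: mixed document but portion is unmarked" % i
                     for i in unmarked]
    needed = derive_banner(paragraphs)
    if needed is not None:
        nb = parse_banner(needed)
        findings += ["banner: missing category %s present in a portion" % c
                     for c in sorted(set(nb.categories) - set(banner.categories))]
        findings += ["banner: missing LDC %s present in a portion" % l
                     for l in sorted(set(nb.ldcs) - set(banner.ldcs))]
    return findings


# Constructed sample: a derivative report mixing CUI and uncontrolled text.
SAMPLE_PARAGRAPHS = [
    "(CUI//SP-CTI) Actuator tolerances for the flight-control assembly.",
    "(U) The review meeting was held on the third floor.",
    "(CUI//SP-EXPT//NOFORN) Firing sequence derived from ITAR-controlled data.",
]

if __name__ == "__main__":
    print(derive_banner(SAMPLE_PARAGRAPHS))
    print(check_document("CUI//SP-CTI", SAMPLE_PARAGRAPHS))
```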
Contractor obligations when handling CUI — safeguarding and dissemination
32 C.F.R. § 2002.14 establishes safeguarding requirements for CUI. For CUI Basic, which comprises the majority of CUI categories, the safeguarding standard is "at least the moderate confidentiality impact level" as defined in Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. This means contractors handling CUI Basic must implement security controls commensurate with a FIPS 199 moderate confidentiality categorization, which for nonfederal systems is codified in NIST SP 800-171 Revision 2 (110 security requirements) and is the basis for the DFARS 252.204-7012 and CMMC Level 2 compliance obligations. CUI Specified subcategories may impose additional safeguarding requirements specified in the authorizing law or regulation; for example, CUI designated under ITAR (Export Control category, ITAR subcategory) must be safeguarded in accordance with ITAR 22 C.F.R. § 120.17 and § 120.18 (technical data and defense article controls), which may exceed the NIST SP 800-171 baseline for certain high-sensitivity items on the U.S. Munitions List. Contractors must also comply with dissemination controls specified in 32 C.F.R. § 2002.16, which restrict sharing CUI with non-executive-branch entities (including contractors, state and local governments, and foreign entities) unless authorized by the designating agency or permitted under the authorizing law or regulation. When disseminating CUI to other contractors or subcontractors, the prime contractor must ensure the recipient is an authorized holder under an agreement (contract, subcontract, or other arrangement) that imposes CUI protection obligations, and must flow down the applicable CUI safeguarding requirements (such as DFARS 252.204-7012 or FAR 52.204-21) to the recipient. 
Unauthorized disclosure of CUI — disclosure without a lawful Government purpose, in violation of safeguarding or dissemination controls, or contrary to Limited Dissemination Controls — is a breach of 32 C.F.R. Part 2002 and may trigger agency sanctions, contractor mandatory disclosure obligations under FAR 52.203-13, suspension or debarment proceedings under FAR Subpart 9.4, or criminal liability under 18 U.S.C. § 1905 (Trade Secrets Act, applicable when CUI includes confidential business information) or other federal statutes depending on the CUI category involved.
Decontrolling CUI — when protection obligations end
32 C.F.R. § 2002.18 specifies when CUI may be decontrolled (declassified, in classification parlance). Authorized holders may decontrol CUI when the information no longer requires safeguarding or dissemination controls pursuant to the authorizing law, regulation, or government-wide policy, or when the designating agency determines that the basis for CUI designation no longer applies. For many CUI categories, decontrol occurs when the information is officially released to the public by the designating agency through the agency's official public-release processes (such as posting on the agency's public website or inclusion in a Federal Register notice), when the authorizing statute or regulation is repealed or amended to remove the protection requirement, or when a specified time period for protection expires (e.g., procurement-sensitive information may be decontrolled after contract award and debriefing, or proprietary business information may be decontrolled when the submitter consents to release or when a court orders disclosure). Contractors may not unilaterally decontrol CUI received from the Government; only the designating agency (the agency that originally designated the information as CUI or that received the information from another agency and re-designated it) has authority to decontrol CUI under 32 C.F.R. § 2002.18, except in limited circumstances where the authorizing law, regulation, or government-wide policy specifies explicit decontrol procedures that an authorized holder (including a contractor) may execute. Contractors must continue to safeguard CUI until the Government notifies the contractor that the information has been decontrolled or until the contractor confirms that the information has been officially released to the public by the Government.
When disposing of CUI that has been decontrolled or that is no longer needed, contractors must use destruction methods specified in 32 C.F.R. § 2002.14(e): either the methods in NIST SP 800-88, Guidelines for Media Sanitization (for electronic CUI), or the methods approved for Classified National Security Information at 32 C.F.R. § 2001.47 (for paper and other physical media CUI). Simple deletion or shredding without following the NIST or classified-destruction standards is insufficient; contractors must render the CUI unreadable, indecipherable, and irrecoverable.
Agency implementation schedules and transition from legacy markings
The CUI program was implemented on a phased schedule across federal agencies. Under 32 C.F.R. § 2002.36, agencies were required to establish CUI implementation schedules approved by the CUI Executive Agent, and contractors must comply with the CUI marking and safeguarding requirements for each agency in accordance with that agency's implementation timeline. The Department of Defense announced full CUI implementation across DoD components in phases between 2016 and 2020, with the January 2020 publication of DoD Instruction 5200.48, Controlled Unclassified Information (CUI), establishing the DoD CUI program. Civilian agencies implemented CUI on varying schedules, with most agencies achieving full implementation by 2020. During the transition period, agencies were permitted to continue using legacy markings such as "For Official Use Only" (FOUO) on documents created before the agency's CUI implementation date, but agencies must discontinue all use of legacy markings on new documents and must apply CUI markings to any legacy material that is re-used or incorporated into new documents. Contractors working on contracts awarded before an agency's CUI implementation date may encounter legacy-marked information; contractors must treat legacy-marked information as CUI if the information falls within a CUI Registry category, regardless of whether the legacy marking remains on the document. When generating new deliverables or reports that incorporate legacy-marked information, contractors must apply the appropriate CUI markings from the Registry rather than perpetuating the legacy markings.
Where to find authoritative CUI guidance
The CUI Registry at archives.gov/cui/registry/category-list is the authoritative source for the list of approved CUI categories, subcategories, markings, and the statutory or regulatory basis for each category. NARA's CUI website at archives.gov/cui provides links to the CUI Registry, 32 C.F.R. Part 2002, Executive Order 13556, CUI training resources, CUI marking guidance, and CUI policy notices issued by the CUI Executive Agent. Contractors should also consult their contracting agency's CUI implementation policy; most agencies publish CUI guidance on their public websites, and DoD's CUI policy is codified in DoD Instruction 5200.48 (available at esd.whs.mil/DD/). For questions about whether specific information qualifies as CUI on a particular contract, contractors should contact the contracting officer or the requiring activity's CUI program manager. If a contractor is uncertain whether information it has generated in performance of a contract qualifies as CUI, the contractor should err on the side of treating the information as CUI and applying the safeguarding and marking requirements pending clarification from the Government, because failure to protect CUI is a more serious compliance breach than over-protection of information that ultimately does not qualify as CUI.
Source: Executive Order 13556 (Nov. 4, 2010)
Source: 32 C.F.R. Part 2002
Source: CUI Registry
Source: 81 Fed. Reg. 63336 (Sept. 14, 2016)
DFARS 252.204-7016, 7017, and 7018 — Covered defense telecommunications prohibition for DoD covered missions
DFARS provisions 252.204-7016 and 252.204-7017 and clause 252.204-7018 implement Section 1656 of the National Defense Authorization Act for Fiscal Year 2018 (Pub. L. 115-91), establishing a DoD-specific prohibition on procurement and use of covered defense telecommunications equipment or services to carry out covered missions. Published as an interim rule on December 31, 2019 (84 Fed. Reg. 71739), these provisions operate in parallel with — not in place of — Section 889 (FAR Subpart 4.21 and FAR 52.204-24, 52.204-25, 52.204-26), which applies government-wide to all executive agencies. Contractors performing on DoD contracts must comply with both the FAR Section 889 framework and the DFARS covered-defense-telecommunications framework; the two regimes overlap in the named entities (Huawei, ZTE) but diverge significantly in scope, definitions, and applicability.
Section 1656 statutory authority and the covered-missions limitation
Section 1656 of the FY 2018 NDAA, codified at 10 U.S.C. § 4871 (formerly 10 U.S.C. § 2279 before the Title 10 recodification effective January 1, 2022), prohibits the Department of Defense from procuring or obtaining, or extending or renewing a contract to procure or obtain, any equipment, system, or service to carry out covered missions that uses covered defense telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system. The "covered missions" limitation is the critical distinction from Section 889: the DFARS prohibition applies only when the procurement is for use in carrying out DoD covered missions, whereas Section 889 applies to all government procurements regardless of mission or use. If a DoD procurement is not for a covered mission — such as acquisition of routine administrative IT for a non-operational support function — the procurement is subject to Section 889 (FAR 52.204-25) but not to the additional DFARS covered-defense-telecommunications prohibition at DFARS 252.204-7018.
Covered defense telecommunications equipment or services — the three-category definition
DFARS 252.204-7018(a) defines "covered defense telecommunications equipment or services" in three categories. The first category is telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, or any subsidiary or affiliate of such entities. The second category is telecommunications services provided by such entities or using such equipment. The third category is telecommunications equipment or services produced or provided by an entity that the Secretary of Defense reasonably believes to be an entity owned or controlled by, or otherwise connected to, the government of a covered foreign country. "Covered foreign country" is defined by cross-reference to 10 U.S.C. § 4872(d) (formerly 10 U.S.C. § 2279(d)) as the People's Republic of China.
The DFARS definition is narrower than the FAR Section 889 definition in two respects. First, the DFARS definition does not include Hytera, Hikvision, or Dahua for all procurements; those three entities are covered by Section 889 (FAR definition) but are not part of the DFARS covered-defense-telecommunications definition unless the Secretary of Defense makes a specific reasonable-belief determination that the entity is owned or controlled by the PRC government. The December 31, 2019 interim rule preamble at 84 Fed. Reg. 71740 clarifies that the DFARS definition is limited to Huawei and ZTE by name, plus telecommunications equipment or services from other PRC-connected entities identified by the Secretary, and that the video-surveillance subset (Hytera, Hikvision, Dahua) applicable under Section 889 for specified national-security purposes is not automatically covered under the DFARS definition. Second, the DFARS definition applies only to telecommunications equipment or services, not to video surveillance equipment, unless the video surveillance equipment also qualifies as telecommunications equipment. Contractors must apply both definitions and comply with the more restrictive standard: if an item is covered under either FAR Section 889 or DFARS Section 1656, the prohibition applies.
Covered mission — nuclear deterrence, homeland defense, combat support, and national security information
DFARS 252.204-7018(a) defines "covered mission" by cross-reference to 10 U.S.C. § 4871(a)(2), which enumerates four categories. The first category is the nuclear deterrence mission of DoD, including with respect to nuclear command, control, and communications, integrated tactical warning and attack assessment, and continuity of Government. The second category is the homeland defense mission of DoD, including with respect to ballistic missile defense. The third category is DoD support to civil authorities in an emergency or disaster, as directed by the President or the Secretary of Defense, or in circumstances where the Secretary determines that such support is necessary. The fourth category is the national security information (NSI) mission of DoD, including with respect to intelligence and intelligence-related activities, as well as the protection of such information and systems.
The covered-mission definition is mission-focused, not contract-type-focused. A contract for telecommunications services supporting a ballistic-missile-defense system falls within covered missions (homeland defense); a contract for IT services supporting routine base operations or contracting-officer training does not. The requiring activity or program office determines whether a procurement is for a covered mission and must communicate that determination to the contracting officer during acquisition planning. DFARS 204.2103(2) directs contracting officers to consult with the requiring activity and legal counsel when an offeror represents that it will provide covered defense telecommunications equipment or services for a covered mission; the requiring activity makes the operational determination of whether the prohibition applies, and the contracting officer implements the determination through source exclusion or waiver processing.
Substantial or essential component and critical technology — the use threshold
The prohibition applies when the covered defense telecommunications equipment or services are used as a substantial or essential component of any system, or as critical technology as part of any system. DFARS 252.204-7018(a) defines "substantial or essential component" as any component necessary for the proper function or performance of a piece of equipment, system, or service. The definition is identical to the FAR Section 889 definition and is intentionally broad: firmware, embedded software, routers, switches, telecommunications modules, and SIM cards can all qualify as substantial or essential components if the system cannot function properly without them. "Critical technology" is defined by cross-reference to the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA), codified at 50 U.S.C. § 4565(a)(6)(A), and includes defense articles on the U.S. Munitions List, items on the Commerce Control List (CCL), nuclear equipment and material, select agents and toxins, and emerging and foundational technologies controlled under the Export Control Reform Act. The critical-technology prong captures telecommunications equipment that, while not strictly necessary for system operation (and thus not a substantial or essential component), embodies or controls sensitive technology subject to export controls.
Two-tier representation structure — annual SAM certification and offer-by-offer disclosure
The December 31, 2019 interim rule at 84 Fed. Reg. 71741 explains that DFARS implements a two-tier representation structure mirroring the FAR Section 889 framework to reduce reporting burden. DFARS 252.204-7016, prescribed in all solicitations (including FAR Part 12 commercial acquisitions and task-order and delivery-order solicitations) under DFARS 204.2105(a), requires offerors to represent at least annually in the System for Award Management (SAM) whether they provide covered defense telecommunications equipment or services as part of their offered products or services to the Government in the performance of any contract, subcontract, or other contractual instrument. Offerors who select "does not" in the annual SAM representation under DFARS 252.204-7016 are not required to complete the offer-by-offer representation in DFARS 252.204-7017; only offerors who represent "does" in the annual SAM representation must complete the additional representation in DFARS 252.204-7017 for each covered-mission solicitation.
DFARS 252.204-7017, prescribed in all solicitations under DFARS 204.2105(b), is titled "Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services—Representation" and applies only to offerors whose annual SAM representation under DFARS 252.204-7016 is "does" (that is, offerors that provide covered defense telecommunications equipment or services). Paragraph (d) of DFARS 252.204-7017 requires the offeror to represent whether it "will" or "will not" provide covered defense telecommunications equipment or services as part of its offered products or services to DoD in the performance of any award resulting from the solicitation. If the offeror represents "will," paragraph (e) requires detailed disclosure including: a description of all covered defense telecommunications equipment and services offered (brand or manufacturer, product identifiers such as model number or OEM number, and item description); an explanation of the proposed use and any factors relevant to determining permissibility under the prohibition (such as applicability of an exception or waiver); for services, the entity providing the covered defense telecommunications services (entity name, unique entity identifier, CAGE code); and for equipment, the entity that produced or provided the equipment (entity name, UEI, CAGE code, and whether the entity was the OEM or a distributor).
The two-tier structure is independent of the FAR Section 889 two-tier structure. Contractors must complete both the FAR annual representation under FAR 52.204-26 (for Section 889 covered telecommunications equipment or services) and the DFARS annual representation under DFARS 252.204-7016 (for covered defense telecommunications equipment or services). The representations are not coextensive because the definitions differ: a contractor that uses Hikvision cameras for office security may represent "does" under FAR 52.204-26 (Hikvision is covered by Section 889 for video surveillance for covered purposes) but may represent "does not" under DFARS 252.204-7016 if the contractor does not provide Huawei or ZTE telecommunications equipment or services or other PRC-government-connected telecommunications to DoD.
Contract clause and DIBNet reporting — one-business-day discovery notification
DFARS 252.204-7018, prescribed in all solicitations and resultant awards under DFARS 204.2105(c), is the contract clause that incorporates the prohibition and reporting obligations. Paragraph (b) of the clause states the prohibition: the contractor shall not provide to the Government any equipment, system, or service to carry out covered missions that uses covered defense telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system, unless the covered defense telecommunications equipment or services are covered by a waiver described in DFARS 204.2104. The prohibition is categorical and applies from contract award through final performance; contractors may not provide covered defense telecommunications equipment or services for covered missions even if the equipment was already installed or in use before the prohibition's effective date (December 31, 2019) unless a waiver is granted.
Paragraph (d) of DFARS 252.204-7018 imposes a rapid-reporting obligation when a contractor discovers covered defense telecommunications equipment or services during performance. Subparagraph (d)(1) requires the contractor to report at https://dibnet.dod.mil if the contractor identifies covered defense telecommunications equipment or services used as a substantial or essential component of any system, or as critical technology as part of any system, during contract performance. The DIBNet reporting portal is the same portal used for cyber-incident reporting under DFARS 252.204-7012. The contractor must provide the information specified in paragraph (d)(2)(i) of the clause within one business day of identification or notification: contract number, order number (if applicable), supplier name, supplier unique entity identifier and CAGE code (if known), brand, model number, item description, and any readily available information about mitigation actions undertaken or recommended. Within 30 business days of submitting the initial report, the contractor must provide any further available information about mitigation actions and describe the efforts undertaken to prevent use or submission of covered defense telecommunications equipment or services and any additional measures that will be incorporated to prevent future use or submission.
The one-business-day reporting deadline under DFARS 252.204-7018 is the same deadline that FAR 52.204-25 (Section 889) imposes, but the FAR obligation applies to a broader set of covered telecommunications equipment or services (including Hikvision/Dahua video surveillance). The two reporting obligations are separate, and contractors must file separate DIBNet reports when the same equipment triggers both prohibitions — one report under FAR 52.204-25 and one report under DFARS 252.204-7018. The Defense Cyber Crime Center (DC3), which operates the DIBNet portal, will notify the contracting officer upon receipt of either report, and the contracting officer must consult with the requiring activity on how to proceed with the contract under DFARS 204.2103(b).
Waiver authority — Secretary of Defense case-by-case determination for one-year periods
DFARS 204.2104 implements the waiver authority codified at 10 U.S.C. § 4871(c). The Secretary of Defense may waive the prohibition in DFARS 204.2102(a) on a case-by-case basis for a single, one-year period if the Secretary determines such waiver to be in the national security interests of the United States, and certifies to the congressional defense committees that there are sufficient mitigations in place to guarantee the ability of the Secretary to carry out the covered missions, and the Secretary is removing the use of covered defense telecommunications equipment or services in carrying out such missions. The waiver is not renewable beyond the one-year period; the statute at 10 U.S.C. § 4871(c)(1) limits the waiver to "a single, one-year period." If DoD requires continued use of covered defense telecommunications equipment or services beyond the one-year waiver period, DoD must submit a new waiver request demonstrating continuing progress on removal and updated congressional certification.
Waiver requests must be submitted through the contracting officer to the requiring activity and forwarded to the Secretary of Defense. The requiring activity bears the burden of demonstrating that the waiver is in the national security interests of the United States, that mitigations are sufficient, and that DoD is actively removing the covered equipment or services. As of the date of this section, DoD has not publicly disclosed the number or nature of waivers granted under DFARS 204.2104; waivers are expected to be rare and limited to mission-critical systems where immediate removal would disrupt operational capabilities and no substitute is available. The waiver authority under DFARS 204.2104 is separate from the waiver authority under FAR 4.2104 for Section 889; a contractor seeking to provide covered defense telecommunications equipment or services to DoD for a covered mission must obtain both a Section 889 waiver (if applicable) and a Section 1656 waiver under DFARS 204.2104.
Relationship to FAR Section 889 — overlapping but non-coextensive prohibitions
Contractors performing on DoD contracts encounter two parallel telecommunications-prohibition regimes: Section 889 implemented through FAR Subpart 4.21 (FAR 52.204-24, 52.204-25, 52.204-26), and Section 1656 implemented through DFARS Subpart 204.21 (DFARS 252.204-7016, 7017, 7018). Both prohibitions apply to DoD contracts, and contractors must comply with both unless an exception or waiver applies. The regimes overlap in prohibiting Huawei and ZTE telecommunications equipment and services, but they diverge in three respects. First, scope of covered equipment: Section 889 prohibits Huawei, ZTE, Hytera, Hikvision, and Dahua (for specified national-security purposes) plus any entity the Secretary of Defense reasonably believes is connected to a covered foreign country; DFARS Section 1656 prohibits Huawei, ZTE, and entities the Secretary of Defense reasonably believes are connected to the PRC government, but does not automatically cover Hytera, Hikvision, or Dahua. Second, applicability trigger: Section 889 applies to all government procurements (DoD, civilian agencies, NASA) for any purpose; DFARS Section 1656 applies only to DoD procurements to carry out covered missions. Third, enforcement mechanisms: both regimes impose DIBNet reporting within one business day, but the DFARS waiver is limited to one year and requires congressional certification, whereas the FAR waiver under FAR 4.2104 may be granted for longer periods.
The December 31, 2019 DFARS interim rule preamble at 84 Fed. Reg. 71740 states that "this DFARS rule is not intended to replace the FAR implementation of section 889(a)(1)(A), but is intended to provide a DoD-specific implementation to address the section 1656 prohibition." Contractors must analyze each telecommunications procurement under both standards. If a procurement involves Huawei telecommunications equipment for a DoD administrative IT system (not a covered mission), Section 889 prohibits the procurement (FAR 52.204-25), but DFARS Section 1656 does not apply because the system does not carry out a covered mission; the contractor violates Section 889 but not Section 1656. If a procurement involves Hikvision video surveillance for a ballistic-missile-defense facility (a covered mission under DFARS), Section 889 prohibits the procurement (FAR 52.204-25) if the surveillance is for security of Government facilities or physical security surveillance of critical infrastructure, but DFARS Section 1656 does not prohibit the procurement unless the Secretary of Defense has determined that Hikvision is an entity connected to the PRC government for purposes of the DFARS definition; the contractor violates Section 889 but may not violate Section 1656 absent the Secretary's determination.
Subcontract flow-down and vertical compliance
Paragraph (e) of DFARS 252.204-7018 requires the contractor to insert the substance of the clause, including the flow-down requirement, in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services. The flow-down is mandatory; there is no COTS exclusion at the subcontract tier, and the clause applies to subcontracts at all tiers when the subcontract supports performance of a DoD prime contract subject to the covered-defense-telecommunications prohibition. Prime contractors must ensure that subcontractors performing on or providing equipment for covered missions comply with the prohibition and have completed the required SAM representation under DFARS 252.204-7016. When a subcontractor discovers covered defense telecommunications equipment or services, the subcontractor must report to DIBNet under paragraph (d) of the flowed-down clause and must notify the prime contractor; the prime contractor must notify the contracting officer, and the contracting officer must consult with the requiring activity under DFARS 204.2103(b).
Effective date and applicability to existing contracts
The DFARS provisions and clause became effective December 31, 2019. Under the applicability instructions in the December 31, 2019 interim rule at 84 Fed. Reg. 71739, contracting officers must include DFARS 252.204-7016 and 252.204-7017 in solicitations issued on or after December 31, 2019, and in solicitations issued before December 31, 2019 if the resulting award occurs on or after December 31, 2019. Contracting officers must include DFARS 252.204-7018 in all awards made on or after December 31, 2019. For indefinite-delivery contracts, blanket purchase agreements (BPAs), and basic ordering agreements (BOAs) awarded before December 31, 2019, contracting officers must modify the contract under FAR 1.108(d) to include DFARS 252.204-7018 prior to placing any future order or call on or after December 31, 2019. The prohibition applies prospectively to contract awards, option exercises, and contract modifications extending or renewing the contract on or after the effective date; existing contracts awarded before December 31, 2019 are not automatically subject to the prohibition unless modified to extend or renew after the effective date, but contracting officers exercising options on or after December 31, 2019 must ensure the contractor is compliant before exercising the option.
Current clause dates and January 2023 revisions
The current version of DFARS 252.204-7016 is dated December 2019 (DEC 2019). The current version of DFARS 252.204-7017 is dated May 2021 (MAY 2021); the May 2021 revision updated the disclosure requirements in paragraph (e) to add unique entity identifier (UEI) and to clarify the description of equipment and services required. The current version of DFARS 252.204-7018 is dated January 2023 (JAN 2023); the January 2023 revision updated the clause to conform to FAR terminology changes replacing "commercial item" with "commercial product" and "commercial service" effective December 9, 2022 under FAR Case 2018-005. The substantive prohibition in paragraph (b) and the reporting obligations in paragraph (d) have remained unchanged since the December 31, 2019 interim rule. Contractors reviewing solicitations should check the clause date; solicitations issued before May 2021 may incorporate the DEC 2019 version of DFARS 252.204-7017, which has slightly different disclosure requirements in paragraph (e) but imposes the same substantive prohibition.
Sources: DFARS 252.204-7016; DFARS 252.204-7017; DFARS 252.204-7018; DFARS Subpart 204.21; 84 Fed. Reg. 71739 (Dec. 31, 2019)
Operationally critical support (OCS) — Government designation, contract identification, and the independent cyber-incident reporting trigger under DFARS 252.204-7012
DFARS clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," establishes two independent reporting triggers for cyber incidents: contractors must report within 72 hours when they discover a cyber incident that affects (1) a covered contractor information system or the covered defense information (CDI) residing therein, or (2) the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract. The second trigger—operationally critical support (OCS)—operates independently of CDI; a cyber incident affecting OCS must be reported even when the incident does not involve CDI compromise or a covered contractor information system. Contractors performing logistics, transportation, or sustainment services supporting DoD contingency operations must verify whether their contract includes an OCS designation and must implement incident-response procedures that account for both CDI and OCS reporting obligations.
Statutory definition — airlift, sealift, intermodal transportation, and logistical support for contingency operations
Paragraph (a) of DFARS 252.204-7012 defines "operationally critical support" as supplies or services designated by the Government as critical for airlift, sealift, intermodal transportation services, or logistical support that is essential to the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation. The definition has four mandatory elements. First, Government designation: the requiring activity or program office must affirmatively designate the supplies or services as operationally critical; contractors may not self-designate, and the designation does not apply by default to all logistics or transportation contracts. Second, critical for one of four categories: airlift, sealift, intermodal transportation services, or logistical support. Third, essential to mobilization, deployment, or sustainment: the support must be mission-critical to force movement or operational sustainment, not merely convenient. Fourth, in a contingency operation: the support must relate to a contingency operation as defined at 10 U.S.C. § 101(a)(13), covering military operations designated by the Secretary of Defense as operations involving or potentially involving hostilities against an enemy or opposing force, or operations resulting in mobilization of reserve components under specified authorities.
The October 21, 2016 Federal Register final rule at 81 Fed. Reg. 72999 clarifies that the OCS definition applies to supplies or services, not to contractors themselves; Section 1632 of the FY 2015 NDAA (Pub. L. 113-291) used the phrase "operationally critical contractor," but the DFARS implementation shifted to "operationally critical support" to reflect that the designation attaches to specific contract requirements, not to the contractor's entire enterprise. A single contractor may perform on multiple contracts, only some of which involve OCS.
Identification in the contract — mandatory documentation under DFARS PGI 204.7303
The OCS designation must be identified in the contract to trigger the reporting and flow-down obligations. Paragraph (c)(1) of DFARS 252.204-7012 requires contractors to report cyber incidents "that affect the contractor's ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract." If the contract does not affirmatively identify the OCS designation, contractors have no OCS reporting obligation under paragraph (c)(1), even if the supplies or services meet the statutory definition.
DFARS PGI 204.7303(a)(1) directs contracting officers to ensure that the requiring activity provides a work statement or specification that includes the identification of covered defense information or operationally critical support. PGI 204.7303(b)(1) directs contracting officers to ensure that the solicitation and resultant contract, task order, or delivery order includes the requirement, as provided by the requiring activity, for the contractor to apply markings when appropriate on covered defense information. The PGI does not prescribe a specific contractual location or format for the OCS identification. Contractors uncertain whether their contract includes an OCS designation should review the statement of work, performance work statement, contract data requirements list, and special contract requirements for explicit OCS language, and should contact the contracting officer if the contract performance appears to involve airlift, sealift, intermodal transportation, or logistical support for a contingency operation but the contract documents do not include an OCS designation.
Independent reporting trigger — OCS incidents reportable even when no CDI is involved
Paragraph (c)(1) of DFARS 252.204-7012 establishes the dual reporting trigger: contractors must report when they discover a cyber incident that affects a covered contractor information system or the CDI residing therein, or that affects the contractor's ability to perform OCS requirements. The "or" disjunctive means the triggers are independent. A cyber incident affecting the contractor's ability to perform OCS must be reported within 72 hours to https://dibnet.dod.mil under paragraph (c)(1)(ii) even if the incident does not involve a covered contractor information system or CDI compromise. The OCS reporting trigger focuses on operational impact—whether the cyber incident degrades, disrupts, denies, or delays delivery of the supplies or services designated as OCS—not on whether information was compromised.
DFARS 252.204-7012 defines "cyber incident" as actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. The "potentially adverse effect" language captures incidents that may disrupt OCS delivery even when the contractor has not yet confirmed the full scope of the impact. Examples of cyber incidents triggering OCS reporting include ransomware infection of logistics-tracking or enterprise-resource-planning systems supporting airlift or sealift scheduling, unauthorized access to transportation-management systems, malware infection of operational-technology systems controlling warehouse automation or material-handling equipment at a contingency-support logistics hub, or denial-of-service attacks against systems used to coordinate OCS deliveries.
Paragraph (c)(1)(i) requires the contractor to conduct a review for evidence of compromise of CDI, analyzing the covered contractor information systems that were part of the cyber incident and any other information systems on the contractor's network that may have been accessed as a result of the incident, in order to identify compromised CDI or systems that affect the contractor's ability to provide operationally critical support. Contractors performing OCS must therefore have visibility into both their CDI-processing systems (for the first reporting trigger) and the operational or mission systems that enable OCS delivery (for the second reporting trigger), even when those operational systems do not handle CDI.
Subcontract flow-down for OCS — paragraph (m)(1)
Paragraph (m)(1) of DFARS 252.204-7012 requires the contractor to include the clause, including paragraph (m), in subcontracts or similar contractual instruments for operationally critical support, or for which subcontract performance will involve covered defense information, including subcontracts for commercial products or commercial services, without alteration, except to identify the parties. The flow-down obligation applies to subcontracts supporting OCS performance even if the subcontractor does not handle CDI. When a subcontractor experiences a cyber incident that affects the subcontractor's ability to deliver supplies or services supporting the prime's OCS performance, the subcontractor must file a DIBNet report and must notify the prime contractor under the subcontractor-notification obligations in paragraph (m)(2). The prime contractor must then notify the contracting officer and must assess whether the subcontractor's incident affects the prime's ability to meet its OCS obligations.
Relationship to NIST SP 800-171 and CMMC scope
The OCS designation does not trigger NIST SP 800-171 implementation obligations on systems that do not process, store, or transmit CDI. Paragraph (b) of DFARS 252.204-7012 requires contractors to implement NIST SP 800-171 on covered contractor information systems—systems that process, store, or transmit covered defense information. A contractor's warehouse-management system, ERP system, or transportation-management system supporting OCS is not automatically a covered contractor information system requiring NIST SP 800-171 implementation unless that system also processes, stores, or transmits CDI. However, the OCS designation does impose cyber-incident-reporting obligations on OCS-enabling systems under paragraph (c)(1), and DoD may conduct damage assessments under paragraph (g) following OCS-affecting incidents even when no CDI was involved. Similarly, the OCS designation does not change the contractor's CMMC level or CMMC assessment scope under DFARS 252.204-7021; CMMC levels are determined by whether the contractor processes Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), not by whether the contract is designated OCS.
Sources: DFARS 252.204-7012; DFARS PGI 204.7303; 81 Fed. Reg. 72999 (Oct. 21, 2016)