What DoD Contractors Need to Know About FAR and DFARS

Understand the relationship and differences between FAR and DFARS

The CMMC builds upon existing regulations, extending them to meet the cybersecurity challenges government contractors face in this day and age. Among them are the Federal Acquisition Regulations (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), which implements and supplements the FAR.

FAR stands for the Federal Acquisition Regulation. It is a set of rules issued to make a standard set of processes for government acquisitions. Originally, the FAR was intended to consolidate the numerous individual agency regulations into one comprehensive set of standards. This set of standards is contained within Chapter 1 of Title 48 of the Code of Federal Regulations (CFR), divided into Subchapters A-H, which encompass Parts 1-53. Out of these, the largest single part of the FAR is Part 52 because that’s where standard solicitation provisions and contract clauses are contained.

DFARS stands for Defense Federal Acquisition Regulation Supplement. This is essentially the same as the FAR, but is geared towards Department of Defense contracts. It will be used in addition to the FAR if a vendor is going to be working with a defense agency. The DFARS (or the cyber clause DFARS 252.204-7012) is the best-known example of an agency supplement to the FAR, used by the Department of Defense to specify requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/ procedures that have a significant effect on the public. It was released in 2016 to address data protection challenges related to CUI.

The CMMC shares the same goals as the DFARS but requires assessments to be conducted by an accredited C3PAO. According to the CMMC Accreditation Body (AB), achieving alignment with the DFARS standard is paramount to the CMMC, but compliance with CMMC doesn’t necessarily guarantee compliance with DFARS.

That’s because there are five different CMMC levels contractors can aim for, and the first level includes only FAR 52.204-21 requirement, which represents the minimum any contractor should have already deployed. To also comply with the DFARS, contractors should achieve CMMC Level 3 compliance because it naturally aligns with the DFARS and its key requirements, which encompass everything from access control to incident response to physical protection to system and information integrity.


As a government contractor, you are expected to be both knowledgeable and prepared to comply with existing FAR standards, as well as understand the CMMC level requirements. 

The FAR provides government-wide standardized policies and procedures for acquisition. FAR regulations also play a role every time you bid on a DoD contract. A solid understanding and compliance with FAR will not only reduce the time it takes to meet proposal and contract requirements, but can also safeguard you from any potential legal penalties or ramifications.

Soon, all contractors will soon need to ensure they meet CMMC levels for DoD opportunities. Don’t wait until every contractor is required to have their CMMC- get your certification before it’s required & show a history of established compliance before the field gets inundated with requests. Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB). We’re happy to answer any questions about the CMMC process or help you plan the steps you need to take in order to qualify. Our team is happy to talk through the steps your particular company should take in the CMMC process, or get started on your certification.

Follow Us on Social Media

Subscribe to our Blog

Most Recent Blog Posts

Don’t Stop Here

More Useful Security Information

Top 10 IT Security Myths — Debunked


Thanks to the recent COVID-19 pandemic, there has been a historic shift in the way people work. Remote work or work-from-home (WFH) policies were set

Cybersecurity Policies That Bridge Generations


Cybersecurity policies are necessary for any business to avoid becoming cybercrime victims. Cybercrimes continue to rise as cybercriminals get more creative- it’s imperative every business