DFARS & FAR Cybersecurity Clause Reference

The contract clauses that drive DoD cybersecurity obligations — who each applies to, what it requires, and when it takes effect. Summaries are plain-English; the authoritative text is linked from each clause.

Key clauses

FAR 52.204-21
In effect (FAR; 2016)
Basic Safeguarding of Covered Contractor Information Systems
Implement 15 basic safeguarding requirements (the basis for CMMC Level 1).

Sets a baseline of 15 basic security controls for systems handling FCI. These 15 requirements are the foundation of CMMC Level 1.

Applies to

Any contractor whose systems process, store, or transmit Federal Contract Information (FCI)

What it requires
  • Apply the 15 basic safeguarding controls in FAR 52.204-21(b)
  • Flow the clause down to subcontractors handling FCI
  • Maps to CMMC Level 1 (Foundational) — yes/no self-assessment
Official text
DFARS 252.204-7012
In effect (since 2016; 800-171 compliance required by Dec 31, 2017)
Safeguarding Covered Defense Information and Cyber Incident Reporting
Implement NIST SP 800-171 and report cyber incidents to DoD within 72 hours.

Requires adequate security on covered contractor systems by implementing NIST SP 800-171, rapid (72-hour) cyber incident reporting to DoD at dibnet.dod.mil, media preservation, and flow-down.

Applies to

Contractors handling Covered Defense Information / CUI

What it requires
  • Implement NIST SP 800-171 Rev 2 (all 110 requirements)
  • Report cyber incidents at dibnet.dod.mil within 72 hours of discovery
  • Preserve/protect affected-system images for at least 90 days
  • Use cloud services meeting FedRAMP Moderate (or equivalent); flow down the clause
Official text
DFARS 252.204-7019
In effect (interim rule, Nov 30, 2020)
Notice of NIST SP 800-171 DoD Assessment Requirements
Have a current (within 3 years) NIST SP 800-171 assessment posted in SPRS before award.

Notifies offerors that, to be eligible for award, they must have a current NIST SP 800-171 DoD Assessment (not older than three years) on file in SPRS for each covered system.

Applies to

Offerors on solicitations requiring DFARS 252.204-7012

What it requires
  • Post a current Basic (self) assessment summary score in SPRS
  • Assessment must be no more than 3 years old at time of award
  • Covers each system that will process/store/transmit CUI
Official text
DFARS 252.204-7020
In effect (interim rule, Nov 30, 2020)
NIST SP 800-171 DoD Assessment Requirements
Maintain SPRS scores and give DoD access to conduct higher-level assessments; flow down.

Requires contractors to provide the government access to facilities/systems for Medium/High DoD assessments, keep SPRS results current, and ensure subcontractors have a current assessment before awarding subcontracts.

Applies to

Contractors subject to DFARS 252.204-7012

What it requires
  • Provide DoD access for Medium/High assessments when applicable
  • Keep NIST SP 800-171 assessment results current in SPRS
  • Verify subcontractors have a current SPRS assessment; flow down the clause
Official text
DFARS 252.204-7021
Effective Nov 10, 2025 (48 CFR CMMC final rule); phased rollout 2025–2028
Contractor Compliance With the CMMC Level Requirements
Achieve and maintain the CMMC level required by the contract; affirm continuing compliance.

The CMMC contract clause: requires the contractor to have a current CMMC certificate/self-assessment at the level required by the contract and to maintain it for the contract's duration, with annual affirmations. Phased in beginning Nov 10, 2025.

Applies to

Contractors on solicitations/contracts that specify a required CMMC level

What it requires
  • Meet the CMMC level stated in the solicitation/contract before award
  • Maintain the required level for the life of the contract
  • Affirm continuing compliance annually in SPRS; flow down the applicable level
Official text

CMMC phase-in schedule

The CMMC acquisition rule (DFARS 252.204-7021) took effect November 10, 2025 and rolls out over four phases (32 CFR 170.3). The phase in effect today is highlighted.

Phase 1 — Self-assessment
Nov 10, 2025 – Nov 9, 2026
In effect now

DoD includes CMMC Level 1 and Level 2 self-assessment requirements in most new solicitations and contracts as a condition of award.

  • Level 1 (self) for FCI; Level 2 (self) for CUI where applicable
  • A current SPRS score on file (DFARS 252.204-7019/7020)
  • Annual affirmation by an Affirming Official
Phase 2 — C3PAO Level 2
Nov 10, 2026 – Nov 9, 2027

DoD begins requiring CMMC Level 2 certification assessments by a C3PAO (third party) as a condition of award for contracts involving CUI, where applicable.

  • Level 2 (C3PAO) certification for applicable CUI contracts
  • Level 1 / Level 2 self-assessment continues elsewhere
Phase 3 — Broader C3PAO + Level 3
Nov 10, 2027 – Nov 9, 2028

Level 2 (C3PAO) requirements apply across a broader range of contracts, and Level 3 (DIBCAC) assessments are introduced for high-priority programs.

  • Level 2 (C3PAO) on most applicable CUI contracts
  • Level 3 (DIBCAC) for designated high-priority programs
Phase 4 — Full implementation
Nov 10, 2028 onward

Full implementation: the applicable CMMC level is a condition of award on all new DoD contracts (and exercised options), except for commercial off-the-shelf (COTS) items.

  • Applicable CMMC level on all in-scope contracts (COTS excepted)

Phase dates are set by rulemaking and can change. Verify current status at dodcio.defense.gov/CMMC before relying on them.

What does this mean for me?

Map your situation to a required CMMC level and timeline.

Map my CMMC timeline Start a free self-assessment