Module 7: Understanding Your FAR/DFARS Obligations

The FAR contains over 1,900 individual clauses. Not all of them apply to every contract. Which clauses you need to care about depends on your contract type, dollar value, NAICS code, and whether you are working with DoD or a civilian agency.

The ClariFAR FAR Scanner at /scanner takes your NAICS code and shows you which FAR and DFARS clauses are most likely to appear in contracts for your type of work. This gives you a focused reading list instead of trying to absorb all 1,900 clauses.

How to use the Scanner:

Step 1: Go to /scanner on the ClariFAR site. Step 2: Enter your primary NAICS code. Step 3: Review the results. The Scanner identifies clauses that are commonly included in solicitations for that NAICS code, organized by topic area: cybersecurity, small business, labor, intellectual property, and general compliance.

What to do with the results:

Read each flagged clause. The Scanner provides the clause number and a plain-language summary. For the full regulatory text, click through to eCFR.gov.

Identify which clauses require action. Some clauses are informational (they tell you the rules). Others require you to do something (submit a report, maintain a system, flow down to subcontractors). Focus on the action-required clauses.

Build a compliance checklist. For each action-required clause, write down: what you need to do, when you need to do it, and what evidence you need to keep. This becomes your contract compliance plan.

Common clauses that small IT contractors will see:

FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems (15 controls, applies to almost all contracts). DFARS 252.204-7012: Safeguarding Covered Defense Information (110 NIST 800-171 controls, DoD contracts with CUI). FAR 52.219-14: Limitations on Subcontracting (for small business set-aside contracts). FAR 52.222-50: Combating Trafficking in Persons. FAR 52.232-25: Prompt Payment (how and when you get paid). FAR 52.244-6: Subcontracts for Commercial Products and Services (flow-down requirements).

The Scanner is most useful at two moments: when you first register on SAM.gov (to understand your baseline obligations) and when you read a specific solicitation (to understand what each clause in the solicitation means for you).

The Federal Acquisition Regulation underwent a significant restructuring (the "RFO" or Regulation for Overhaul) effective June 2026. If you are reading older guidance, blog posts, or training materials from before June 2026, some of the clause numbers they reference may have changed.

Here is what happened and what it means for you:

What changed:

Clause renumbering. Several FAR Part 52 clauses were renumbered as part of the restructuring. The requirements themselves did not change, but clause numbers moved. If you encounter a clause number you do not recognize in a new solicitation, check the ClariFAR Overhaul Tracker at /overhaul to see if it was renumbered from a clause you already know. Always verify clause numbers against the current eCFR at ecfr.gov before relying on them.

Threshold adjustments. The Simplified Acquisition Threshold (SAT) was adjusted to $350,000 (from $250,000). The TINA threshold for certified cost or pricing data was adjusted to $10,000,000 (from $2,000,000). The small business subcontracting plan threshold was adjusted to $900,000 (from $750,000). These are inflation adjustments from the FY2026 NDAA, not policy changes.

What was deleted:

DFARS 252.204-7019 (NIST SP 800-171 DoD Assessment Requirements) was deleted as part of the CMMC rulemaking. This clause previously required contractors to submit self-assessment scores. The requirement now lives under the CMMC framework (DFARS 252.204-7021). If you see old guidance referencing 252.204-7019, that clause no longer exists.

What did NOT change:

DFARS 252.204-7012 (Safeguarding Covered Defense Information) was NOT renumbered. It remains at 252.204-7012. The 110 NIST SP 800-171 controls it references are unchanged. Do not let anyone tell you this clause moved to 252.240-7012. That clause number does not exist.

How to stay current:

Use ClariFAR's Q&A tool to check specific clauses. Ask "What is the current version of FAR 52.204-21?" and the tool will cite the current regulatory text from eCFR.

Use the ClariFAR Overhaul Tracker at /overhaul to see all tracked changes with source citations.

When reading a solicitation, check the clause numbers against the current eCFR at ecfr.gov. Solicitations written before the overhaul may reference old clause numbers that have since changed.

FAR changes come from three distinct sources. Understanding which source drove a change tells you whether it is a policy shift (pay close attention) or a mechanical update (note and move on).

Source 1: FAR Regulation for Overhaul (RFO). The RFO is a structural reorganization of the FAR. Clauses get renumbered, reorganized, and consolidated. The underlying requirements usually do not change. The RFO is about making the FAR more navigable, not about changing policy.

What it means for you: if a clause you know moved to a new number, the requirements are the same. Update your compliance checklists with the new number. Your actual compliance obligations did not change.

Source 2: National Defense Authorization Act (NDAA). Congress passes the NDAA annually. It frequently includes provisions that change FAR or DFARS requirements. Examples from FY2026:

TINA threshold increase to $10,000,000. This means fewer contractors need to submit certified cost or pricing data. If your contracts are under $10M, this is a meaningful compliance reduction.

SAT increase to $350,000. More contracts can use simplified acquisition procedures. This generally means less paperwork for both the government and contractors on smaller acquisitions.

CMMC rulemaking direction. Congress directed the implementation timeline and scope for CMMC Level 2 third-party assessments.

What it means for you: NDAA changes are policy changes. They create new obligations or remove old ones. Read the NDAA summary each year to understand how your compliance requirements shifted.

Source 3: Inflation adjustments. Certain FAR thresholds are adjusted periodically for inflation. The SAT, micro-purchase threshold, and small business subcontracting plan threshold are all inflation-adjusted. These changes happen through FAR final rules published in the Federal Register.

Current thresholds (as of June 2026): Micro-purchase threshold: $10,000 Simplified Acquisition Threshold: $350,000 TINA threshold: $10,000,000 Small business subcontracting plan: $900,000

What it means for you: know the current numbers. When you read a solicitation or guidance document, verify the thresholds cited are current. Older documents may cite outdated amounts.

Use ClariFAR's Q&A to check any threshold. Ask "What is the current simplified acquisition threshold?" and you get the verified current amount with the regulatory citation.

Not every FAR change affects every contractor. Here is a filter for which recent changes actually matter if you are a small IT services company.

Changes that matter to you:

CMMC implementation timeline. If you bid on DoD contracts that involve Controlled Unclassified Information (CUI), CMMC Level 2 certification will be required when it appears in solicitations. The implementation is phased: expect to see it in new solicitations starting in late 2026/early 2027. Module 8 covers this in detail.

FAR 52.204-21 safeguarding requirements. These 15 basic controls apply to almost every federal contract, not just DoD. They are the minimum cybersecurity requirements. If you handle any federal contract information (FCI), you must comply. These controls are straightforward for a small IT shop: access control, system patching, antivirus, encryption.

DFARS 252.204-7012 for DoD work. The 110 NIST SP 800-171 controls are required for any DoD contract involving CUI. This is a significant compliance burden for small companies. Realistic implementation for a 1-5 person IT shop takes 3-6 months and may require changes to your IT infrastructure (encrypted email, access-controlled file storage, incident response plan).

SAT increase to $350,000. More contracts fall under simplified acquisition procedures, which means shorter solicitations, faster awards, and less paperwork. For a small company, contracts under $350K are your entry point. The higher threshold expands the pool of "simpler" opportunities available to you.

Changes that probably do NOT matter to you (yet):

CAS (Cost Accounting Standards) applicability. CAS kicks in at $7.5M per contract for modified coverage and $50M in aggregate for full coverage. If your contracts are under $1M, CAS is not relevant.

EVMS (Earned Value Management). Required on major defense acquisition programs and contracts over $20M. Not relevant for small contractors.

Organizational Conflict of Interest (OCI) mitigation plans. Only relevant if you do advisory work for the government AND compete for implementation contracts with the same agency. Most small IT contractors do one or the other, not both.

Foreign ownership and CFIUS considerations. Only relevant if your company has foreign investors or you are considering foreign acquisition.

The practical filter: if a FAR change involves a dollar threshold above your contract values, a company size above yours, or a contract type you do not perform, you can safely note it and move on. Focus your compliance energy on FAR 52.204-21, DFARS 252.204-7012 (if DoD), and the set-aside rules under FAR Part 19.