What Is the FAR?
The Federal Acquisition Regulation (FAR) is the primary set of rules governing how all federal executive agencies buy goods and services. Codified at 48 CFR Chapter 1 (Parts 1 through 53), it covers everything from how solicitations are issued to how contracts are administered and closed out.
The FAR is maintained by the FAR Council, which includes representatives from the Department of Defense, the General Services Administration, and NASA. Every federal contractor, regardless of which agency they work with, must comply with the FAR.
What Is the DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) adds DoD-specific requirements on top of the FAR. Codified at 48 CFR Chapter 2 (Parts 201 through 253), it mirrors the FAR's numbering structure (DFARS Part 225 supplements FAR Part 25, for example) and includes additional clauses that apply only to defense contracts.
The DFARS is issued by the Department of Defense. If you hold a DoD contract or subcontract, you must comply with both the FAR and any applicable DFARS clauses in your contract.
Side-by-Side Comparison
| Dimension | FAR | DFARS |
|---|---|---|
| Full Name | Federal Acquisition Regulation | Defense Federal Acquisition Regulation Supplement |
| Issuing Authority | FAR Council (DoD, GSA, NASA) | Department of Defense (DoD) |
| Scope | All federal executive agency acquisitions | DoD acquisitions only (supplements FAR) |
| CFR Location | 48 CFR Chapter 1 (Parts 1-53) | 48 CFR Chapter 2 (Parts 201-253) |
| Cybersecurity Baseline | FAR 52.204-21: 15 basic safeguarding controls | DFARS 252.204-7012: 110 NIST SP 800-171 controls |
| Cyber Incident Reporting | Not required under FAR 52.204-21 | Mandatory within 72 hours (DFARS 252.204-7012) |
| CMMC Required | No | Yes, for contracts with CUI (phased rollout) |
| Small Business Subcontracting | Required above $750K (FAR 19.702) | Same threshold, plus DoD-specific goals and reporting |
| Buy American Rules | Buy American Act (FAR 25.1) | Berry Amendment + DFARS 252.225-7001 (stricter) |
| Cost Accounting | CAS coverage per FAR 30 | Same, plus DFARS-specific cost principles in DFARS 231 |
Cybersecurity: 15 Controls vs. 110 Controls
This is the biggest practical difference between FAR-only and DFARS contracts for most small contractors.
FAR 52.204-21
Basic Safeguarding of Covered Contractor Information Systems. Applies to all federal contracts that involve contractor information systems.
15 security controls. Covers basics: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity.
DFARS 252.204-7012
Safeguarding Covered Defense Information and Cyber Incident Reporting. Applies to DoD contracts involving Controlled Unclassified Information (CUI).
110 NIST SP 800-171 controls. Requires implementation of all 110 controls in NIST SP 800-171, plus mandatory 72-hour cyber incident reporting to DoD, preservation of forensic images, and CMMC certification (phased rollout).
Bottom line: If you only do civilian federal work, you need 15 basic controls. The moment you take a DoD contract with CUI, you need all 110 NIST 800-171 controls, a System Security Plan (SSP), a Plan of Action and Milestones (POA&M), and eventually CMMC certification. This is typically the most expensive compliance gap for small contractors moving from civilian to defense work.
When Does DFARS Apply to You?
1. Prime contractor to DoD: DFARS clauses are incorporated directly into your contract.
2. Subcontractor to a DoD prime: Many DFARS clauses flow down to subcontractors. Check your subcontract for flowdown clauses, especially DFARS 252.204-7012 (cybersecurity).
3. Commercial item exception: Some DFARS clauses are waived for commercial items, but cybersecurity requirements (DFARS 252.204-7012) still apply if CUI is involved.
What Small Contractors Should Do
If you only do civilian federal work
Implement the 15 FAR 52.204-21 controls. These are baseline IT security practices that most well-run businesses already follow. No certification required.
If you are pursuing DoD work
Start with a NIST 800-171 self-assessment, create your SSP and POA&M, and budget for CMMC Level 2 assessment. Most small contractors need 6 to 18 months and $20K to $100K+ to become fully compliant, depending on their starting posture.
If you are already on a DoD contract
Verify your SPRS score is current, ensure your 72-hour incident reporting process is documented and tested, and track CMMC assessment deadlines in your contract. Non-compliance is a contract performance issue.
Have a specific FAR or DFARS question?
ClariFAR searches the full regulatory corpus and returns the exact section with a plain-English explanation.