Compliance and Audit Preparation
DFARS Compliance Consulting
Practical support to meet DFARS cybersecurity obligations, prepare for assessment, and keep your DoD contracts in good standing.
DFARS clauses sit in the contracts you have already signed and in the solicitations you are about to bid. Nexeris helps you translate those clauses into a workplan with owners, evidence, and a schedule that holds up in SPRS and during prime audits.
- Defense Ready
- NIST 800-171 & CMMC
- Mission Critical
Strategic Value
Why DFARS and CMMC Matter
Most teams do not need more frameworks. They need to translate the DFARS clauses in their contracts into a defined workplan, with owners, evidence, and a schedule that holds up in SPRS and during prime audits.
DFARS obligations have stacked up over the last decade. They now form a tightly connected set:
- DFARS 252.204-7012 requires implementation of NIST SP 800-171 and 72-hour reporting of cyber incidents affecting Covered Defense Information.
- DFARS 252.204-7019 and 7020 require contractors to post a current NIST 800-171 self-assessment score in SPRS, and obligate primes to verify subcontractor scores.
- DFARS 252.204-7021, revised in 2025, requires contractors to maintain a current CMMC status throughout contract performance and to submit annual affirmations.
- DFARS 252.204-7025, new in 2025, is the solicitation provision that puts CMMC level requirements into pre-award eligibility decisions.
These clauses do not replace each other. They stack. A contractor with a strong NIST 800-171 program but weak SPRS hygiene can still lose a bid. A contractor with current CMMC status but no working incident response process can still violate 7012.
Common reasons teams engage Nexeris:
- You have new contracts with 7021 or 7025 in them and you need to know what to do
- Your SPRS score is stale, low, or you are not sure who in the organization owns it
- You are a prime trying to verify subcontractor compliance and the flow-down documentation is patchy
- You handle CUI in a cloud environment and you are unsure whether your provider meets FedRAMP Moderate equivalence
- An incident has surfaced gaps in your 72-hour reporting process
Your DFARS Engagement Includes
DFARS readiness is less about new tools and more about taking obligations that already exist on paper and making them real in operations. We help you do that across four areas.
Contract Clause Review and Gap Mapping
- Review your active contracts and recent solicitations for 7012, 7019, 7020, 7021, and 7025
- Map each clause to the specific actions, evidence, and owners required to satisfy it
- Identify clauses that have been flowed down to you but never operationalized
SPRS Scoring and Self-Assessment Support
- Conduct or refresh your NIST 800-171 self-assessment using the DoD scoring methodology
- Help you post and maintain a defensible SPRS score
- Build the supporting documentation that justifies the score if the DoD or a prime asks
Flow-Down and Subcontractor Verification
- Help primes build a repeatable process for verifying subcontractor SPRS scores and CMMC status
- Draft flow-down language for your subcontracts that satisfies 7012 and 7021 requirements
- Identify subcontractors handling CUI who pose the most risk to your contract eligibility
Incident Reporting Readiness
- Build or update the runbook for 72-hour incident reporting under DFARS 7012
- Confirm DIBNet registration and verify your media-of-record reporting pathway
- Run a tabletop to test the reporting process before you have to use it for real
How We Work
Structured 6-step methodology
Strategy • Operations • Governance
Ideal Fit For
Targeted solutions for security maturity.
Primes Managing Subcontractor Compliance
Defense primes who need a defensible process for verifying SPRS scores and CMMC status across their supply base
Subcontractors With Stacked Obligations
Subs who have inherited 7012, 7021, and other DFARS clauses through flow-down and need to operationalize them.
Contractors With Stale SPRS Scores
Organizations whose SPRS score is years old, was set without a real self-assessment, or no longer reflects their environment.
Teams Preparing for CMMC
Defense contractors who need their DFARS foundation solid before stepping into CMMC certification.
Expected Outcomes
Outcomes you can expect
- Defined Scope: Clear scope and boundaries tied to how CUI is actually handled
- Requirements Alignment: Improved alignment to NIST 800-171 requirements with prioritized remediation
- Assessment Readiness: Stronger documentation and evidence organization for assessment readiness
- Visible Progress: A roadmap with assigned owners and a governance cadence so leadership can see what is moving and what is stuck
- Sustainable Program: A program that’s easier to maintain instead of rebuilding for every review
The Difference
Why We Stand Out
If you want a clear plan for DFARS and support that helps your team execute, we can help. Reach out to schedule a consultation and we’ll talk through your environment, timeline, and what success looks like.
- Clause-Level Fluency
We tell you exactly which DFARS clauses apply, what each one requires, and what evidence satisfies it.
- Defensible SPRS Scoring
We help you post a score backed by real self-assessment work, not an aspirational number that falls apart under scrutiny.
- Flow-Down Verification
We build a repeatable subcontractor verification process so flow-down stops being a one-off scramble before every award.
- Tested Incident Response
We make sure your 72-hour reporting pathway works before you need it, including DIBNet registration and tabletop exercises.
- Guaranteed Outcomes
If you fail your compliance audit for services we covered, you receive a $5,000 credit.
- Clear Communication
We translate clauses into plain English for executives and into specific actions for your security team.
Common Questions
What is DFARS 252.204-7012 and what does it require?
DFARS 252.204-7012 is the cybersecurity clause that has been in defense contracts since 2017. It requires contractors handling Covered Defense Information (a category that includes CUI) to implement the 110 security controls in NIST SP 800-171, and to report cyber incidents that affect that information to DoD within 72 hours through DIBNet. 7012 is the technical baseline that everything else in DFARS cybersecurity is built on. It is still in effect and was not replaced by the CMMC rules.
What is the difference between DFARS 7021 and 7025?
DFARS 252.204-7021 is the contract clause that lives in your contract after award. It requires you to maintain a current CMMC status throughout performance, flow the requirement down to subcontractors handling FCI or CUI, and submit annual affirmations in SPRS. DFARS 252.204-7025 is the solicitation provision that lives in the solicitation before award and makes CMMC status a condition of eligibility. In practical terms: 7025 decides whether you can bid; 7021 governs how you perform.
Did CMMC replace DFARS?
No. DFARS is the Defense Federal Acquisition Regulation Supplement, and CMMC is one set of requirements added into it. DFARS 252.204-7012 still requires NIST 800-171 implementation and 72-hour incident reporting. The newer clauses (7021 and 7025) add CMMC certification as a separate, stackable requirement on top of 7012. Contractors have to satisfy both.
Do I have to flow DFARS requirements down to my subcontractors?
Yes, if the subcontractor handles Covered Defense Information, FCI, or CUI in performance of your contract. DFARS 7012 and 7021 both require flow-down. Under the 2025 rule, primes are responsible for verifying subcontractor CMMC status before flowing CUI or FCI to them, even though DoD does not share subcontractor SPRS data with primes directly. This makes subcontractor verification one of the more operationally painful parts of DFARS compliance for primes.
What is FCI and how is it different from CUI?
FCI (Federal Contract Information) is information provided by or generated for the government under a contract that is not intended for public release. CUI (Controlled Unclassified Information) is a narrower, more sensitive category defined by 32 CFR 2002 and the National Archives CUI Registry. Most defense contracts involve FCI; a subset involve CUI. The CMMC level required for a contract depends primarily on which category the systems will handle, with FCI-only contracts requiring Level 1 and CUI-handling contracts typically requiring Level 2 or higher.
How do I report a cyber incident under DFARS?
Within 72 hours of discovery, you report the incident through DoD’s DIBNet portal at dibnet.dod.mil. To do this, you need a medium-assurance certificate registered with DoD in advance. Contractors who try to register only after an incident occurs run into delays. Reporting includes the affected systems, the type of information involved, and the technical details of the incident. You also need to preserve forensic images and logs of affected systems for DoD review.
How does my SPRS score affect my contract eligibility?
The SPRS score is the DoD’s quick read on your NIST 800-171 implementation. Under DFARS 252.204-7019, contracting officers can check your score before award and can decline to award contracts to contractors with weak or stale scores. Under the new CMMC rule, your CMMC status (also tracked in SPRS) becomes the binding eligibility check, but the underlying self-assessment score still matters because it has to be defensible if questioned by the DoD or a prime.
Related Services
Comprehensive security solutions for enterprise maturity
Keep control owners assigned and evidence current so your CMMC status holds up between assessments.
Build response playbooks and run drills aligned to reporting expectations.
Build a defensible path to DFARS readiness
If you want a clear plan to meet your DFARS obligations and stay eligible for DoD awards, Nexeris can help.