German cyber, FedRAMP, and CMMC.
How DACH cyber and cloud firms sequence FedRAMP authorisation, CMMC alignment, and US federal market entry.
Read the pillar →
The Department of Defense supplement to the FAR, codified at 48 CFR Chapter 2, adding defense-mission-specific acquisition requirements.
The Defense Federal Acquisition Regulation Supplement (DFARS) is the Department of Defense's agency-specific supplement to the Federal Acquisition Regulation. It is codified at Title 48 of the Code of Federal Regulations, Chapter 2. The DFARS is issued by the Defense Acquisition Regulations Council and applies to acquisitions by the Army, Navy, Marine Corps, Air Force, Space Force, and the various DOD components. Where the FAR sets the government-wide baseline, the DFARS adds defense-mission requirements and tailors clauses to the defense acquisition environment.
The most operationally consequential DFARS coverage clusters in three areas. Cybersecurity and supply-chain risk: DFARS 252.204-7012 imposes safeguarding and rapid incident-reporting requirements for covered defense information; DFARS 252.204-7019 and 252.204-7020 require contractors to post a NIST SP 800-171 self-assessment score in the Supplier Performance Risk System (SPRS); DFARS 252.204-7021 implements the Cybersecurity Maturity Model Certification (CMMC) regime. Domestic-source preferences: the DFARS 252.225 series implements the Buy American Act with defense-specific overlays and country-of-origin restrictions for specialty metals and other categories. Berry Amendment compliance: 10 U.S.C. 4862, implemented through DFARS 252.225-7012, restricts DOD procurement of food, clothing, tents, fabrics, and certain hand or measuring tools to domestic sources.
The DFARS does not replace the FAR; it overlays it. A defense contract typically incorporates FAR baseline clauses, DFARS supplements, and component-level supplements (Army FAR Supplement, Air Force FAR Supplement, Defense Logistics Acquisition Directive, and others). Foreign suppliers and their US subsidiaries must read the full clause matrix to assess compliance scope before bidding.
For internationally-headquartered firms supplying the US Department of Defense, the DFARS overlay is where the foreign-supplier scrutiny concentrates. CMMC certification, NIST SP 800-171 score posting, Berry Amendment country-of-origin restrictions, and specialty-metals provenance all sit inside DFARS clauses that flow through prime contracts to subcontractors at every tier. The compliance work runs in parallel with US LLC or C-corp formation, US-cleared personnel onboarding, US facility security clearances where applicable, and supply-chain documentation that maps every component to a country of origin.
DFARS interlocks with the FAR baseline and with export-control regimes (ITAR and EAR) when the contract involves defense articles, technical data, or controlled dual-use items. Further reading: German cyber, FedRAMP, and CMMC and cross-border defense and dual-use technology in US procurement.
How DACH cyber and cloud firms sequence FedRAMP authorisation, CMMC alignment, and US federal market entry.
Read the pillar →How foreign defense and dual-use firms approach US procurement under ITAR, EAR, and DFARS overlays.
Read the pillar →The RFP architecture US federal procurement reads on, and what foreign suppliers rebuild before responding.
Read the pillar →