Defense Federal Acquisition Regulation Supplement clause 252.204-7012 requires all defence contractors processing Covered Defense Information to implement the 110 security requirements of NIST SP 800-171, report cybersecurity incidents to DoD within 72 hours, and preserve images of compromised systems for forensic analysis — creating a legally binding cybersecurity baseline that flows to all subcontractors in the supply chain. Zero Trust architecture maps directly to the DFARS/NIST 800-171 control families for access control, audit, configuration management, and incident response, making DFARS compliance a natural entry point for Zero Trust adoption conversations with defence contractors.
Related: CMMC 2.0 · DIB · CUI · DoD · Privileged Access