Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, -7019, -7020 & -7021

What's new in AWS DFARS Compliance?

On July 27, 2022, the Cybersecurity Accreditation Body (Cyber AB), released a pre-decisional draft of its Cybersecurity Maturity Model Certification (CMMC) Assessment Process (CAP). The Cyber AB is responsible for accrediting CMMC Third Party Assessment Organizations (C3PAO). The C3PAO assess Defense Industrial Base (“DIB”) contractors and subcontractors in accordance with the Draft CAP. The CMMC Assessment Process is a guide for how CMMC assessments should be conducted.

The release of the DRAFT CAP will help the Defense Industrial Base and C3PAOs prepare for the DFARS 252.204-7020 / CMMC assessments that are expected to begin in 2023.


AWS cloud regions and services help customers address the Defense Federal Acquisition Regulation Supplement (DFARS) cyber security requirements. DFARS implements and supplements the Federal Acquisition Regulation (FAR) and is administered by the Department of Defense (DoD). The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures.

AWS offers a wide variety of FedRAMP Moderate and High Authorized services and solutions that meet the DFARS requirements for Cloud Service Provider (CSP) security. The AWS FedRAMP services in scope can be found at

DFARS Resources

For more information about the AWS solutions and services that support our customers’ DFARS, NIST SP 800-171 or CMMC requirements, please contact us at 

A list of AWS FedRAMP Authorized cloud service offerings can be found here; 

Have Questions? Connect with an AWS Business Representative
Exploring compliance roles?
Apply today »
Want AWS Compliance updates?
Follow us on Twitter »