DFARS, the Defense Federal Acquisition Regulation Supplement, governs how DoD contractors and their supply chains operate. For a machine shop taking defense work, DFARS compliance isn't a single certification you earn once. It's two parallel sets of obligations that most shops don't fully understand: material sourcing requirements and cybersecurity requirements. Failing either one can knock you off a program, trigger contract termination, or create False Claims Act exposure you don't see coming until it's too late.
This guide covers what DFARS actually requires at the subcontractor machining level — not the prime contractor's legal interpretation, not the cybersecurity consultant's upsell. What a shop needs to know, what it needs to do, and what the November 2026 CMMC 2.0 deadline means for shops that haven't started yet.
- What DFARS Is (and What It Isn't)
- Clause 252.225-7014: Specialty Metals
- Clause 252.204-7012: Cybersecurity and CUI
- CMMC 2.0 Phase 2: The November 2026 Deadline
- Supply Chain Verification and Flowdown
- What to Do Now: Practical Steps for Small Shops
- DFARS vs. ITAR: How They Interact
- Common DFARS Questions from Machine Shops
What DFARS Is (and What It Isn't)
DFARS is a supplement to the Federal Acquisition Regulation (FAR), the main federal procurement rulebook, that applies specifically to Department of Defense contracts. Where FAR sets baseline federal contracting rules, DFARS adds DoD-specific requirements on top. A machine shop doesn't contract with the government under DFARS directly; the prime contractor's purchase order flows DFARS clauses down to subcontractors, which is why you'll see "DFARS" appear in your PO terms rather than on a government solicitation.
Two DFARS clauses matter most at the machine shop level:
- 252.225-7014 — Preference for Domestic Specialty Metals (the specialty metals clause)
- 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting (the cybersecurity clause)
These address entirely different compliance domains. A shop can be fully compliant with the specialty metals clause and completely non-compliant with 252.204-7012 — and vice versa. Understanding each obligation separately is the first step.
DFARS and ITAR regulate different things. ITAR (International Traffic in Arms Regulations) controls the export of defense articles and technical data. DFARS governs procurement requirements for DoD contracts — what materials you can use, how you protect sensitive data. A shop can be ITAR-registered and still fail DFARS compliance. Both matter for defense work; they are not interchangeable. For a full breakdown of ITAR requirements, see our ITAR machining guide.
Clause 252.225-7014: Specialty Metals
The specialty metals clause requires that any specialty metal incorporated into a covered end item (aircraft, missile and space systems, ships, tank and automotive items, weapon systems, ammunition) delivered under a DoD prime contract be melted or produced in the United States, its outlying areas, or a qualifying country, unless one of the clause's own exceptions applies (for example commercially available off-the-shelf items, electronic components, or the de minimis allowance of 2% of the end item's total specialty metal weight). For a machine shop, the practical impact is direct: the raw material you use must come from an approved source, and you must document it. Whether an exception applies is a determination the prime makes and documents; don't rely on one at the shop level unless your PO says so.
What Counts as a Specialty Metal
DFARS 252.225-7014 defines specialty metals as:
- Steel with a maximum alloy content exceeding one or more of these limits: manganese 1.65%, silicon 0.60%, or copper 0.60%; or steel containing more than 0.25% of any of aluminum, chromium, cobalt, molybdenum, nickel, niobium (columbium), titanium, tungsten, or vanadium
- Nickel or iron-nickel alloys containing a total of alloying metals (other than nickel and iron) in excess of 10%, and cobalt alloys containing a total of alloying metals (other than cobalt and iron) in excess of 10%
- Titanium and titanium alloys
- Zirconium and zirconium base alloys
In practical terms: if you're machining titanium (Ti-6Al-4V, Ti-3Al-2.5V, Ti-5553), Inconel (718, 625), Hastelloy, or high-alloy tool steels into a part that ends up in a covered DoD end item, you're working with specialty metals subject to the clause.
Standard aluminum alloys (2024, 6061, 7075) are not specialty metals under the clause. Neither is most carbon steel. But once you're in titanium or nickel superalloy territory — the materials that dominate aerospace and defense machining — you're in specialty metals territory.
The Melting/Remelting Requirement
The clause requires that specialty metals be melted or produced in the United States, its outlying areas, or a qualifying country. Qualifying countries are those with which DoD has a reciprocal defense procurement agreement; the list covers most NATO members and several other allies (Australia, Canada, the United Kingdom, Germany, France, and Japan among them). The authoritative list is in DFARS 225.003. Check it rather than working from memory; it changes.
What this means practically: you cannot source specialty metal stock from a non-qualifying country and incorporate it into a DFARS-covered part. China is not a qualifying country. Raw material that originates from Chinese mills — even if purchased through a U.S. distributor — does not satisfy the clause.
Purchasing titanium bar stock from a U.S. metals distributor does not automatically guarantee DFARS compliance. Distributors often hold inventory from multiple sources. You need the mill certificate (MTR) identifying the specific heat lot and melt origin — not just the distributor's country of origin declaration. Verify melt country on the MTR, not the invoice.
Documenting Compliance on Your Certs
When you ship a DFARS-covered part, the documentation trail matters as much as the material itself. Standard practice for DFARS specialty metals compliance:
- Retain the MTR (Material Test Report) for every heat of specialty metal used. The MTR must identify the melt origin and qualifying country.
- Reference the MTR on your certificate of conformance. Your CoC should state: "Material sourced in compliance with DFARS 252.225-7014. MTR on file identifying domestic/qualifying country melt."
- Maintain records for at least three years after final payment on the contract (the FAR 4.703 retention period), or longer if your PO requires it. DoD audits on specialty metals compliance can come years after delivery.
- Flow the requirement to your material sub-tier suppliers. If you're buying pre-cut blanks or bar stock from another machining shop, they need to provide the same documentation chain.
| Requirement | What You Need | Common Gap |
|---|---|---|
| Melt origin verification | MTR identifying heat lot + melt country | Accepting distributor country-of-origin statement without MTR |
| Certificate of conformance language | DFARS 252.225-7014 reference + qualifying country declaration | CoC with no DFARS language; assumed implicit |
| Record retention | MTR on file, retrievable by part number and heat lot | MTR filed but not cross-referenced to shipped part |
| Sub-tier flowdown | DFARS clause flowed to material suppliers in PO terms | No PO language; compliance assumed but not required |
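A worked check for the melt-origin and record-retention rows of the table above, added to this guide as an example; it is not code from the original page or from any shop's ERP. Every record, part number and heat number is constructed, and the qualifying-country set is a partial list I assumed for illustration: the authoritative list is DFARS 225.003. The check resolves each shipped specialty-metal part to its heat, insists that the origin evidence is a mill certificate rather than a distributor country-of-origin statement, and only then compares the melt country against the qualifying list.

```python
"""Cross-check shipped specialty-metal parts against the MTRs on file.

Added example for this guide, not code from the original page or from any
shop's system. All records below are constructed; QUALIFYING_COUNTRIES is a
partial, illustrative set (assumption: confirm against DFARS 225.003).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Partial list only; the authoritative list is DFARS 225.003.
QUALIFYING_COUNTRIES = {
    "UNITED STATES", "CANADA", "UNITED KINGDOM", "GERMANY", "FRANCE",
    "AUSTRALIA", "ITALY", "JAPAN", "NETHERLANDS", "NORWAY", "SWEDEN",
}

# Alloys this shop treats as specialty metal under 252.225-7014 (titanium and
# nickel-base superalloys). Aluminium grades are deliberately absent.
SPECIALTY_ALLOYS = {"TI-6AL-4V", "TI-3AL-2.5V", "INCONEL 718",
                    "INCONEL 625", "HASTELLOY C-276"}


@dataclass(frozen=True)
class OriginRecord:
    heat: str
    alloy: str
    melt_country: Optional[str]   # None when the document is silent on melt origin
    evidence: str                 # "MTR" or "DISTRIBUTOR_COO"


@dataclass(frozen=True)
class ShipLine:
    part_number: str
    alloy: str
    heat: str


def check_shipment(lines: List[ShipLine],
                   records: Dict[str, OriginRecord]) -> List[Tuple[str, str, str]]:
    """Return (part_number, heat, finding) for every line that fails the check.

    A line passes only when its heat resolves to an MTR (not a distributor
    country-of-origin statement) that describes the same alloy the part was
    made from and names a qualifying melt country.
    """
    findings = []
    for line in lines:
        if line.alloy.upper() not in SPECIALTY_ALLOYS:
            continue                       # e.g. 6061: nothing to verify
        rec = records.get(line.heat)
        if rec is None:
            findings.append((line.part_number, line.heat, "NO_MTR_ON_FILE"))
        elif rec.evidence != "MTR":
            findings.append((line.part_number, line.heat, "ORIGIN_NOT_FROM_MTR"))
        elif rec.alloy.upper() != line.alloy.upper():
            findings.append((line.part_number, line.heat, "ALLOY_MISMATCH"))
        elif not rec.melt_country:
            findings.append((line.part_number, line.heat, "MELT_COUNTRY_MISSING"))
        elif rec.melt_country.upper() not in QUALIFYING_COUNTRIES:
            findings.append((line.part_number, line.heat,
                             "NON_QUALIFYING_MELT:" + rec.melt_country))
    return findings


def example_shipment() -> List[Tuple[str, str, str]]:
    """Constructed shipment and document set exercising each failure mode."""
    records = {
        "H7001": OriginRecord("H7001", "Ti-6Al-4V", "United States", "MTR"),
        "H7002": OriginRecord("H7002", "Inconel 718", "China", "MTR"),
        # Distributor paperwork says domestic, but no mill cert backs it up.
        "H7003": OriginRecord("H7003", "Ti-6Al-4V", "United States", "DISTRIBUTOR_COO"),
        "H7006": OriginRecord("H7006", "Inconel 625", None, "MTR"),
    }
    lines = [
        ShipLine("BRKT-1001", "Ti-6Al-4V", "H7001"),    # passes
        ShipLine("HSG-2002", "Inconel 718", "H7002"),    # Chinese melt
        ShipLine("PIN-3003", "Ti-6Al-4V", "H7003"),      # invoice-only origin
        ShipLine("PLT-4004", "6061-T6", "H7004"),        # not a specialty metal
        ShipLine("SHAFT-5005", "Inconel 625", "H7005"),  # no paperwork at all
        ShipLine("RING-6006", "Inconel 625", "H7006"),   # MTR silent on melt
    ]
    return check_shipment(lines, records)


if __name__ == "__main__":
    for part, heat, finding in example_shipment():
        print(f"{part:<10} heat {heat}: {finding}")
```

Run it before the certificate of conformance is signed, not after the audit letter arrives: every finding it prints is a CoC you cannot truthfully mark "DFARS 252.225-7014 compliant". The aluminium line is skipped on purpose; the alloy-mismatch branch catches the case where a heat number was copied onto the wrong traveler.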
Clause 252.204-7012: Cybersecurity and CUI
Clause 252.204-7012 requires contractors and subcontractors to provide "adequate security" on all covered contractor information systems that process, store, or transmit Covered Defense Information (CDI), to report cyber incidents affecting CDI or your ability to perform within 72 hours of discovery (through the DIBNet portal, which requires a DoD-approved medium assurance certificate, so obtain one before you need it), and to preserve images of affected systems and relevant logs for at least 90 days after reporting. For most machine shops, CDI means controlled technical data: engineering drawings marked as Controlled Unclassified Information (CUI), and any information received from the government or prime that carries a CUI marking.
The standard for "adequate security" under 252.204-7012 is NIST SP 800-171. The version DoD currently requires is Revision 2, which defines 110 security requirements across 14 control families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. NIST has since published Revision 3 with a different count and family structure, but DoD has formally held contracts to Revision 2 and CMMC Level 2 assesses against Revision 2, so build your SSP and gap assessment on Revision 2.
What "CUI" Means at a Machine Shop
CUI — Controlled Unclassified Information — is a government-wide category for unclassified information that requires safeguarding. For a machine shop, CUI typically includes:
- Engineering drawings and CAD models marked CUI or bearing a CUI marking from the prime or government
- Technical specifications, material requirements, and manufacturing process requirements received from the government
- Contract performance information that identifies controlled programs
- Any document the prime sends you with a "CUI" header or footer marking
If you're receiving drawings from a defense prime and those drawings show part numbers, tolerances, and materials for a DoD program, there's a reasonable probability those drawings carry CUI status whether they're explicitly marked or not. The safe assumption: treat defense program drawings as CUI, protect them accordingly, and ask your prime contract administrator if you're uncertain about classification.
The 110 Controls: What Actually Matters for a Small Shop
NIST 800-171's 110 controls are not uniformly difficult. Many small shops already satisfy a significant portion without formal documentation. The controls that tend to reveal gaps:
- 3.1.1 — Access control: Only authorized users can access CUI. This means your CAD files, drawings, and defense program data should be on systems where access is limited to employees with a need. Shared network drives with no access controls fail this requirement.
- 3.4.1 — Configuration management: Establish and maintain baseline configurations of your systems. For most small shops, this means documenting what software runs on which machines and keeping that list current.
- 3.5.3 — Multi-factor authentication: Require MFA for local and network access to privileged (administrator) accounts and for network access to every account, which in practice means any remote, VPN, or cloud access to systems holding CUI. A single password on the email or cloud storage account that holds defense drawings is not compliant.
- 3.6.1 — Incident response capability: You need a documented process for what to do when you detect a cyber incident. Not a detailed playbook — but something written down, with a 72-hour reporting obligation to DoD clearly understood by whoever handles IT.
- 3.11.1 — Risk assessment: Periodically assess the risk to organizational operations from unauthorized access to CUI. This doesn't require a formal penetration test — but it does require documented evidence that you've thought about it.
- 3.13.1 — System and communications protection: Monitor, control, and protect communications at external boundaries. In practical terms: a firewall, not just a consumer-grade router provided by your ISP.
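As an added example for the access control point above and for the audit and accountability family that backs it (this is not code from the original page): a review pass over file-server audit records for the share that holds CUI. The log format and every line in the sample are constructed for the example, and the authorized-user set is assumed to mirror the directory group on the share's ACL. Real sources (Windows object-access events, Samba full_audit, a NAS syslog feed) need their own parser, but the three checks, unauthorized user, shared account, and off-hours access, are the ones an assessor will ask whether anyone actually runs.

```python
"""Review file-server audit lines for the share that holds CUI.

Added example for this guide, not code from the original page. The log
format and every line in SAMPLE_LOG are constructed for the example; real
audit records need their own parser, but the checks below are the same.
"""
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Assumption: the directory group that gates the CUI share ACL (3.1.1).
CUI_AUTHORIZED = {"jdoe", "mlee"}
# Shared logins that defeat per-user accountability (3.3.2).
GENERIC_ACCOUNTS = {"shopfloor", "administrator", "guest"}
CUI_SHARE = "CUI"
BUSINESS_HOURS = range(6, 19)       # 06:00 to 18:59, weekdays
# Timestamps are taken as shop-local time (assumption); convert first if
# your server logs in UTC.

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) host=(?P<host>\S+) '
    r'user=(?P<user>\S+) share=(?P<share>\S+) path="(?P<path>[^"]*)" '
    r'action=(?P<action>\S+)$'
)

# Constructed sample: one clean Monday, one generic account, one user who is
# not in the CUI group, one unrelated share, one Saturday 02:14 copy, and a
# truncated record.
SAMPLE_LOG = """\
2026-03-02T13:05:11 host=FS01 user=jdoe share=CUI path="/Drawings/BRKT-1001.pdf" action=READ
2026-03-02T13:07:40 host=FS01 user=mlee share=CUI path="/Drawings/HSG-2002.step" action=READ
2026-03-02T14:22:03 host=FS01 user=shopfloor share=CUI path="/Drawings/BRKT-1001.pdf" action=READ
2026-03-02T16:48:55 host=FS01 user=tsmith share=CUI path="/Drawings/PIN-3003.dwg" action=COPY
2026-03-02T17:01:09 host=FS01 user=tsmith share=PUBLIC path="/Forms/timesheet.xlsx" action=READ
2026-03-07T02:14:30 host=FS01 user=jdoe share=CUI path="/Drawings/SHAFT-5005.step" action=COPY
2026-03-07T02:15:02 host=FS01 user=jdoe share=CUI
"""

Finding = Tuple[str, str, str]      # (code, user, path or raw line)


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, or None when the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def review(lines: List[str]) -> List[Finding]:
    """Flag CUI-share events that break access control or accountability.

    A line that cannot be parsed is reported too: a hole in the audit trail
    is itself a finding, not something to skip silently.
    """
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append(("UNPARSEABLE", "?", line))
            continue
        if ev["share"].upper() != CUI_SHARE:
            continue                                    # outside the CUI boundary
        user, path, ts = ev["user"], ev["path"], ev["ts"]
        if user in GENERIC_ACCOUNTS:
            findings.append(("GENERIC_ACCOUNT", user, path))
        elif user not in CUI_AUTHORIZED:
            findings.append(("UNAUTHORIZED_USER", user, path))
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            findings.append(("OFF_HOURS", user, path))
    return findings


def review_sample() -> List[Finding]:
    return review(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for code, user, what in review_sample():
        print(f"{code:<18} {user:<10} {what}")
```

An unauthorized read means either the ACL is wrong or the group is, and both are 3.1.1 failures; a generic account on the CUI share means nobody can say who opened the drawing, which is the 3.3.2 failure. Keep the script's output with the log it reviewed: the retained review is the evidence that the audit family is implemented, not just that logging is switched on.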
The System Security Plan (SSP)
NIST 800-171 requires contractors to maintain a System Security Plan documenting how each of the 110 controls is implemented — or, for controls not yet implemented, a Plan of Action and Milestones (POA&M) showing when they will be. The SSP is the document DoD uses to evaluate whether your cybersecurity posture is adequate. You don't submit it proactively, but if DoD requests it, you must be able to produce it.
Many small shops have zero documentation of their security posture. They may be doing many things right — access controls exist, they have antivirus, they use MFA for email — but without documentation, they cannot demonstrate compliance and they cannot get credit for what they're already doing when CMMC assessors come.
CMMC 2.0 Phase 2: The November 2026 Deadline
CMMC — Cybersecurity Maturity Model Certification — is DoD's framework for verifying that contractors and subcontractors actually implement the cybersecurity requirements in 252.204-7012. Under the old system, shops self-attested compliance without third-party verification. CMMC changes that for programs involving sensitive defense information.
The Three CMMC Levels
CMMC 2.0 has three levels:
- Level 1 covers Federal Contract Information (FCI) only: the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment.
- Level 2 covers CUI and aligns exactly with the 110 NIST SP 800-171 (Revision 2) requirements that 252.204-7012 already imposes. Depending on the program, it is verified by a self-assessment or by a Certified Third-Party Assessment Organization (C3PAO).
- Level 3 adds 24 requirements from NIST SP 800-172 for the most sensitive programs, sits on top of a Level 2 C3PAO certification, and is assessed by DoD's own assessors (DIBCAC).
Most machine shops doing defense work that involves CUI (defense drawings, program specifications, controlled technical data) will need Level 2. The difference under Phase 2: for programs DoD designates as involving the more sensitive CUI, self-attestation is no longer sufficient. A C3PAO must independently verify your implementation.
Phase 2 Timeline
The CMMC program rule (32 CFR Part 170) took effect in December 2024; the DFARS acquisition rule that puts CMMC into contracts (clause 252.204-7021) took effect on November 10, 2025 and started the phased rollout:
- Phase 1, November 2025 to November 2026: new solicitations require a Level 1 or Level 2 self-assessment as a condition of award. DoD may already require a Level 2 C3PAO certification on selected contracts, but most shops can still self-attest at Level 2.
- Phase 2, from November 10, 2026: a Level 2 C3PAO certification is required as a condition of award wherever the solicitation calls for it. No certification on file means no award.
- Phase 3, from November 2027: Level 3 requirements begin for the highest-sensitivity programs, and Level 2 certification requirements extend to option periods. Phase 4, from November 2028: full implementation in all applicable solicitations and contracts.
The window to get a C3PAO assessment completed before November 2026 is narrowing. C3PAOs are backlogged — assessment scheduling is running 3–6 months out in many cases. If you need a third-party assessment for a specific program and haven't started, the time to start is now, not after you've won the contract.
Self-Assessment vs. Third-Party Assessment
Many programs at CMMC Level 2 will continue to accept self-assessment through 2026 and into 2027. The distinction is whether a program is designated "critical" by DoD — which relates to the sensitivity of the CUI involved and the national security significance of the program. Your prime contractor will know which tier their program falls into and will communicate the assessment requirement in their solicitation or PO.
Regardless of whether third-party assessment is required for your specific program, there's an important practical point: a shop that has done the work to be genuinely CMMC Level 2 compliant can easily self-attest. A shop that hasn't done the work cannot credibly self-attest without False Claims Act exposure. The self-attestation is a legal certification, not a checkbox.
Supply Chain Verification and Flowdown
DFARS clauses flow down through the supply chain. When a prime contractor accepts DFARS terms from DoD, they are required to flow those same obligations to their subcontractors — including machine shops — via PO terms. As a subcontractor, your DFARS obligations come from your prime's purchase order, not directly from the government contract.
What Flowdown Looks Like in Practice
A typical DFARS-compliant defense PO from a prime contractor will reference specific clauses by number: DFARS 252.225-7014, DFARS 252.204-7012, and others. When you accept that PO, you're accepting those obligations for your scope of work. This means:
- Your specialty metals sourcing must comply, even if the prime doesn't ask for MTRs on every shipment
- Your cybersecurity posture must meet NIST 800-171, even if the prime doesn't audit you
- If you use lower-tier suppliers — material vendors, heat treaters, outside processors — you must flow those same requirements down to them
The last point is where small shops most often fall short. You cannot accept DFARS specialty metals obligations and then purchase titanium bar from a distributor without flowing the sourcing requirement in your PO to that distributor. If the distributor supplies non-compliant material and you incorporate it into a defense part, the violation is yours — not the distributor's.
Verifying Your Sub-Tier Suppliers
For specialty metals, verification means requiring MTRs with qualifying country melt origin and referencing DFARS 252.225-7014 in your purchase orders. For outside processors — anodizers, heat treaters, NDT providers — you need to verify that those processes don't introduce non-compliant materials or compromise the CUI chain of custody.
For cybersecurity, flowdown to sub-tier suppliers means: any supplier that will receive CUI — controlled drawings, technical data — must themselves have adequate NIST 800-171 controls. Emailing a controlled drawing to a heat treater who stores it on an unprotected laptop is a compliance failure in your supply chain, even if your own systems are secure.
Before awarding a sub-tier PO on a DFARS-covered program:
- Flow DFARS 252.225-7014 language in PO terms (for specialty metals programs)
- Flow DFARS 252.204-7012 language in PO terms (for programs with CUI)
- Require MTR submission with each specialty metals delivery
- Confirm sub-tier processor's data handling policy before transmitting controlled drawings
- Retain all sub-tier POs, MTRs, and CoCs alongside your own program records
What to Do Now: Practical Steps for Small Shops
If you're a small machine shop doing defense work — or trying to qualify for it — here's where to focus your compliance energy before November 2026.
Step 1: Determine Your CMMC Level Requirement
Ask your prime contractor or check the program solicitation. If you handle drawings or technical data marked CUI, you're in Level 2 territory. If your scope is purely commercial items or Federal Contract Information (FCI, the ordinary information exchanged to perform a government contract) without CUI, Level 1 may suffice. Getting this wrong in either direction wastes resources or leaves you non-compliant.
Step 2: Conduct a NIST 800-171 Gap Assessment
NIST SP 800-171A gives the assessment objectives an assessor scores against, and the NIST MEP Cybersecurity Self-Assessment Handbook (NIST Handbook 162) walks a small manufacturer through them; DoD also publishes a CMMC Level 2 Assessment Guide. Work through the 110 requirements honestly. The goal isn't a perfect score; it's knowing where you are so you can build an accurate Plan of Action and Milestones (POA&M). Note that DFARS 252.204-7019 and 252.204-7020 already require you to score that self-assessment with the DoD Assessment Methodology and post the score in the Supplier Performance Risk System (SPRS) before award, so the gap assessment is not optional paperwork: your prime can see whether a current score is on file. Most small shops discover they satisfy 60–80% of controls already; the remaining gaps are usually in documentation and formal policy rather than technical implementation.
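The gap assessment has a number attached to it: the DoD Assessment Methodology starts at 110, subtracts a weight of 1, 3 or 5 for each requirement not implemented, and gives partial credit only for 3.5.3 (MFA) and 3.13.11 (FIPS-validated encryption), which cost 3 points instead of 5 when partly in place. The block below, added to this guide as an example and not an official DoD tool or code from the original page, scores a constructed assessment that way and sorts the gaps into a POA&M by points lost. The weights in WEIGHTS are what I expect for these requirements and are an assumption: confirm each against the methodology's annex before a score is posted to SPRS.

```python
"""Score a NIST SP 800-171 gap assessment the way the DoD Assessment
Methodology does, and turn the unmet items into a prioritised POA&M.

Added example for this guide, not the page's own material and not an
official DoD tool. Rules implemented: start at 110, subtract each unmet
requirement's weight (1, 3 or 5); only 3.5.3 and 3.13.11 earn partial
credit (3 points lost instead of 5); the floor is -203. The weights in
WEIGHTS are an assumption: confirm them against the methodology's annex.
"""
from typing import Dict, List, Tuple

WEIGHTS: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.3.1": 5, "3.3.2": 3, "3.4.1": 5, "3.5.3": 5,
    "3.6.1": 5, "3.11.1": 3, "3.13.1": 5, "3.13.11": 5, "3.14.1": 5,
}
# 3.5.3: MFA in place for remote and privileged users but not general users.
# 3.13.11: encryption in use but not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}
MAX_SCORE, MIN_SCORE = 110, -203

PoamItem = Tuple[str, int, str]      # (requirement, points lost, status)


def sprs_score(status: Dict[str, str]) -> Tuple[int, List[PoamItem]]:
    """status maps requirement id -> "met", "not_met" or "partial".

    Every requirement in WEIGHTS must be scored: silently treating a missing
    entry as met is how shops end up posting scores they cannot defend.
    Returns the score and the POA&M, highest-weight gaps first.
    """
    missing = sorted(set(WEIGHTS) - set(status))
    if missing:
        raise ValueError(f"unscored requirements: {missing}")
    score = MAX_SCORE
    poam: List[PoamItem] = []
    for req, st in status.items():
        if req not in WEIGHTS:
            raise KeyError(f"no weight on file for {req}")
        if st == "met":
            continue
        if st == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req} has no partial-credit rule: score it met or not_met")
            lost = PARTIAL_DEDUCTION[req]
        elif st == "not_met":
            lost = WEIGHTS[req]
        else:
            raise ValueError(f"unknown status {st!r} for {req}")
        score -= lost
        poam.append((req, lost, st))
    poam.sort(key=lambda item: (-item[1], item[0]))
    return max(score, MIN_SCORE), poam


def example_assessment() -> Tuple[int, List[PoamItem]]:
    """Constructed result for a shop that has done the easy things and not the rest."""
    status = {req: "met" for req in WEIGHTS}
    status.update({
        "3.5.3": "partial",     # MFA on email and VPN, not on the CAD workstations
        "3.13.11": "partial",   # disks encrypted, but not with FIPS-validated modules
        "3.3.1": "not_met",     # file server keeps no audit log
        "3.6.1": "not_met",     # no written incident-response procedure
        "3.11.1": "not_met",    # no risk assessment on file
    })
    return sprs_score(status)


if __name__ == "__main__":
    score, poam = example_assessment()
    print(f"SPRS score: {score} / {MAX_SCORE}")
    for req, lost, st in poam:
        print(f"  {req:<8} -{lost}  ({st})")
```

The sort order is the point: with the 5-point gaps at the top of the POA&M, the shop fixes audit logging and incident response before it polishes a 3-point risk-assessment write-up. Posting the honest number, even a low one, is the defensible position; posting 110 with nothing behind it is the False Claims Act scenario discussed later in this guide.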
Step 3: Document What You Already Do
The single highest-ROI activity for a shop that already has reasonable security practices: write them down. Your System Security Plan doesn't need to be 200 pages. A clear, accurate description of how you implement each of the 110 controls — even a brief paragraph per control family — creates defensible documentation that self-attestation requires.
Step 4: Fix the Actual Gaps
Common gaps that require actual remediation (not just documentation):
- Multi-factor authentication on all systems that touch CUI — email, cloud storage, CAD platforms
- Encrypted storage for controlled drawings and technical data at rest
- Formal incident response procedure with the 72-hour DoD reporting obligation explicitly assigned to a named individual
- Access log retention — who accessed which systems, when
- Boundary protection — put the systems that handle CUI (CAD workstations, the file share holding drawings, the machine that receives the prime's transmissions) on their own network segment behind a managed firewall, separated from shop-floor machine controllers, office Wi-Fi, and guest access, so the CUI boundary is something you can actually point to in your SSP
Step 5: Engage a C3PAO if Required
If your programs require third-party assessment, engage a Certified Third-Party Assessment Organization early. The Cyber AB, the CMMC accreditation body, maintains the marketplace of authorized C3PAOs at cyberab.org. Assessment timelines are 3–6 months from engagement to final report, and you go in only once you are close: a conditional certification requires a score of at least 88 out of 110 with only low-weight requirements still open on the POA&M, and those must be closed within 180 days. Factor that into your program timeline; you cannot start the assessment the week before your contract award date.
DFARS vs. ITAR: How They Interact
DFARS and ITAR often apply to the same defense programs — but they regulate different aspects of the work, and compliance with one does not imply compliance with the other.
| Framework | Governing Agency | What It Regulates | Key Obligation for Machine Shops |
|---|---|---|---|
| DFARS | DoD | DoD procurement requirements: materials, cybersecurity, data protection | Specialty metals sourcing + NIST 800-171 cybersecurity + CUI protection |
| ITAR | State Dept / DDTC | Export controls on defense articles and technical data | DDTC registration + access controls for foreign persons + export license compliance |
| EAR | Commerce / BIS | Export controls on dual-use commercial items | Export classification review for dual-use items; typically less stringent than ITAR |
In practice, a machine shop doing ITAR-controlled defense work is likely also subject to DFARS requirements — both frameworks apply simultaneously. The ITAR guide covers registration and technical data export control. This guide covers the procurement compliance requirements that apply when you're actually making parts for DoD programs. You need both.
For a comprehensive overview of ITAR requirements, including DDTC registration, access controls for foreign persons, and program-level requirements, see our defense CNC machining guide and ITAR machining guide.
Common DFARS Questions from Machine Shops
Do I need to be DFARS compliant if I'm a tier-2 subcontractor?
Yes — if your tier-1 prime has flowed DFARS clauses to you in your PO. DFARS obligations are not limited to direct government contractors. The clause language explicitly requires primes to flow requirements to subcontractors at all tiers. Check your PO terms. If you see references to DFARS clause numbers, those obligations apply to your scope of work.
My customer never asks for specialty metals documentation. Do I still need to comply?
Yes. Your compliance obligation is created when you accept a PO with DFARS terms — not when your customer happens to ask for documentation. "They never asked" is not a defense in a False Claims Act case or a DoD audit. Maintain your MTRs and CoC language regardless of whether the prime requests them proactively. You want that documentation ready when it's needed.
What's the actual risk if I self-attest CMMC compliance without doing the work?
The False Claims Act. In 2021, the Department of Justice launched a Civil Cyber-Fraud Initiative specifically targeting government contractors that misrepresent their cybersecurity compliance. FCA penalties are adjusted for inflation each year and currently run roughly $14,000–$28,000 per false claim (every invoice submitted under a contract you falsely certified can count as a separate claim), plus up to three times the government's damages. The qui tam provision allows whistleblowers, including your own employees and competitors, to sue on the government's behalf and collect a share of the recovery. Self-attestation is a legal certification, not a form you fill out to win a contract.
We only machine a few parts per year for defense programs. Does DFARS still apply?
Volume doesn't determine applicability — contract terms do. If any of your defense POs reference DFARS clauses, those requirements apply to that work. A shop that machines ten titanium brackets per year for a defense prime has the same specialty metals obligations as one machining thousands. The documentation burden is proportional to volume in practice, but the legal obligation is not.
How is CMMC 2.0 different from the original CMMC 1.0?
CMMC 1.0 had five levels, each with its own set of practices plus process maturity requirements. CMMC 2.0 simplified to three levels and aligned Level 2 directly with NIST 800-171, dropping the CMMC-unique practices and maturity processes that weren't in NIST. CMMC 2.0 also introduced self-assessment for Level 1 and for the less sensitive Level 2 programs; CMMC 1.0 required a third-party assessment at every level, including Level 1. The net effect for most machine shops: requirements are somewhat more manageable, but enforcement via C3PAO assessments is now real.
Summary: DFARS Compliance for Machine Shops in 2026
DFARS compliance for a machine shop comes down to two parallel tracks that must both be maintained:
- Specialty metals: Know which materials are covered, source from qualifying country mills, get the MTRs, cite DFARS 252.225-7014 on your CoC, and flow the requirement to your sub-tier suppliers. This is documentation-intensive but operationally straightforward once the habit is in place.
- Cybersecurity: Implement NIST 800-171 controls for any system that handles CUI (defense drawings, program specifications, controlled technical data). Document your System Security Plan. Fix the gaps — MFA, encrypted storage, access logs, incident response procedure. Get a C3PAO assessment scheduled now if you need one before November 2026.
Neither track requires outside certification to get started. The specialty metals requirement is a sourcing and documentation discipline. The cybersecurity requirement starts with an honest gap assessment against NIST 800-171 and a plan for remediating the gaps you find.
Apex Manufacturing maintains DFARS-compliant processes for specialty metals sourcing and CUI handling across our defense machining programs. If you're sourcing precision CNC parts for a DoD program and need a shop that can demonstrate compliance, send us your drawings and we'll quote accordingly.
For ITAR registration requirements and export control compliance, see our ITAR machining guide. For material selection, tolerances, and AS9100D quality requirements for aerospace and defense parts, see Aerospace CNC Machining Tolerances and our defense CNC machining guide.