Defense Acquisition System — DFARS, DoD 5000, and MDAPs
The Department of Defense spends approximately $400 billion per year on contracts — more than the entire federal discretionary non-defense budget — through a regulatory system that is formally distinct from (though built on top of) the civilian procurement framework. The Defense Federal Acquisition Regulation Supplement (DFARS), the DoD 5000-series acquisition policies, and the Planning, Programming, Budgeting, and Execution (PPBE) process together form a parallel universe of rules that governs everything from $500 spare parts orders to the F-35 program's lifetime cost of $1.7 trillion. What surprises most outside observers is how little the FAR itself constrains major defense acquisitions — the real action is in program management doctrine, congressional notification requirements, and the budget cycle, not the contracting rulebook.
Legal Authority
- 10 U.S.C. § 3001 et seq. — Defense acquisition statutes (Title 10, Chapter 137A): establishes the defense acquisition system, the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)) as the principal acquisition official, and the major defense acquisition program (MDAP) framework
- 10 U.S.C. § 4201 — Major defense acquisition programs: defines MDAPs, requires Milestone A/B/C decision authorities, establishes Acquisition Decision Memorandums
- 48 CFR Parts 200–253 — Defense Federal Acquisition Regulation Supplement (DFARS): the DoD-specific supplement to the FAR governing contracting procedures, clauses, and special requirements
- DoD Instruction 5000.02 — The principal DoD policy document establishing the Adaptive Acquisition Framework (AAF) and the acquisition pathways for defense programs
- National Defense Authorization Acts (NDAA) — Annual legislation that imposes statutory requirements on defense acquisition, procurement procedures, and reporting
Key Mechanics
The DoD acquisition system operates through acquisition pathways under the Adaptive Acquisition Framework (AAF): the Major Capability Acquisition pathway (for complex MDAPs like ships, aircraft, and weapon systems), Middle Tier Acquisition (rapid prototyping and rapid fielding), Software Acquisition, Defense Business Systems, and Others (Services Acquisition, Urgent Capability Acquisition). MDAPs must pass through Milestone reviews (A: materiel solution, B: technology readiness, C: production readiness) before advancing. Funding flows through the PPBE process: programs are funded in a specific budget cycle 18–24 months before execution, meaning a program's budget request in FY2026 was formulated in FY2024. Congressional oversight operates through the NDAA annual authorization cycle plus Appropriations, giving Congress two separate levers on every major program.
System Overview
| Parameter | Value |
|---|---|
| DoD annual contract obligations | ~$400 billion (FY 2024) |
| Primary regulation supplement | Defense FAR Supplement (DFARS, 48 CFR 200–253) |
| Major acquisition policy | DoD Instruction 5000.02 — Adaptive Acquisition Framework |
| MDAP threshold (RDT&E) | >$480 million in research, development, test & evaluation |
| MDAP threshold (procurement) | >$2.79 billion in procurement |
| Number of current MDAPs | ~86 programs (as of FY 2024) |
| MDAP total cost (baseline) | >$1.8 trillion in current estimates |
| Key oversight body | USD(A&S) — Under Secretary of Defense for Acquisition and Sustainment |
| Congressional reporting | Selected Acquisition Reports (SARs), required annually for MDAPs |
| Audit authority | Defense Contract Audit Agency (DCAA); ~1,500 auditors |
The DFARS: DoD's Supplement to the FAR
The Defense Federal Acquisition Regulation Supplement (DFARS, 48 CFR Parts 200–253) adds DoD-specific requirements on top of the FAR. Key DFARS provisions that civilian contracts don't face:
Cybersecurity — CMMC and DFARS 252.204-7012
DoD contractors handling Controlled Unclassified Information (CUI) must comply with NIST SP 800-171 cybersecurity controls and report cyber incidents within 72 hours. The Cybersecurity Maturity Model Certification (CMMC) program — finalized in 2024 — will require third-party assessments for many DoD contractors, adding significant compliance costs. Industry estimates suggest CMMC Level 2 certification costs $200,000–$1M+ for a mid-sized defense contractor.
Specialty Metals — DFARS 252.225-7014
The Berry Amendment (10 U.S.C. § 4862) requires that specialty metals (titanium, steel, high-temperature alloys) in weapon systems and aircraft components be domestically melted and manufactured. This is the defense-sector analog to the Buy American Act, and it creates supply chain certification requirements that flow down to multiple tiers of subcontractors.
Counterfeit Parts — DFARS 252.246-7007
DoD requires contractors to detect and avoid counterfeit electronic parts, report incidents, and maintain traceability to original component manufacturers. The rule emerged from a 2011 Senate Armed Services Committee investigation that found Chinese counterfeit electronic components in DoD aircraft and missile systems.
Technical Data and Software Rights — DFARS Part 227
48 CFR Part 227 (Patents, Data, and Copyrights — 98 sections across 6 subparts) is the most consequential intellectual property framework in federal contracting. It governs what rights DoD acquires in technical data, computer software, and inventions developed under defense contracts — and what rights contractors and subcontractors retain. The DFARS Part 227 framework is substantially more complex than FAR Part 27 (which governs civilian agency IP) because of the unique national security interest DoD has in maintaining access to technical data needed to operate, maintain, and re-compete future contracts for defense systems.
Technical Data Rights (Subpart 227.71) — 40 sections establishing the "data rights" framework:
- Unlimited rights: DoD obtains unlimited rights in technical data for items developed exclusively with government funding — the government may release such data to anyone, including foreign governments and competing contractors; contractors must mark deliverable data with an explicit legend indicating the level of rights delivered
- Limited rights: technical data developed exclusively with private funds (no government R&D funding) is delivered with "limited rights" — DoD may use the data internally and for emergency repair, but may not release it to third parties or use it to solicit competitive bids; this is the primary IP protection for proprietary contractor designs
- Government purpose rights: a middle category for data developed with mixed funding (partially government, partially private) — DoD may use the data for any government purpose including disclosure to other agencies, but may not release it to commercial competitors for 5 years; after 5 years, it converts to unlimited rights
- DFARS 252.227-7013 (the mandatory clause for technical data): this contract clause must be included in all contracts requiring delivery of technical data; it requires the contractor to mark data with the applicable rights legend (unlimited, limited, government purpose, or specifically negotiated); improperly marked data can be challenged by DoD and rights resolved through a formal challenge process
Computer Software Rights (Subpart 227.72) — 27 sections governing rights in software:
- Restricted rights in computer software: commercial software delivered under a government contract is governed by the software developer's standard commercial license, not DFARS unlimited/limited rights; DFARS 252.227-7014 governs rights in noncommercial computer software; restricted rights in software permit DoD to use the software only for government purposes and prohibit reverse engineering and transfer to third parties
- DFARS 252.227-7014 (mandatory for noncommercial software): requires marking of software and documentation with rights legends; contractor retains copyright in restricted-rights software but DoD is licensed to use it in perpetuity; the contractor may "withhold" certain proprietary source code or algorithms while delivering the executable version
- Technical data for commercial items (DFARS 252.227-7015): for commercial off-the-shelf and COTS-derived items, DoD only receives "the minimum necessary rights" — typically the same rights available to the general public under the commercial license; this avoids requiring defense contractors to disclose proprietary commercial product designs as a condition of government sales
Bayh-Dole Patent Rights (Subpart 227.3): defense contracts for R&D follow the Bayh-Dole framework (see also 37 CFR Part 401), with contractor retention of invention rights, government license-to-practice, and march-in rights; DoD adds a national security restriction — contractors must obtain security review before filing foreign patent applications on DoD-funded inventions under DFARS 252.227-7039.
The Part 227 framework has become increasingly contested as DoD's reliance on commercial technology (cloud computing, AI, commercial satellites, commercial electronics) has grown. Defense contractors argue that DFARS unlimited-rights demands for commercially relevant technology deter commercial companies from doing DoD work; DoD argues that technical data rights are essential for competitive re-procurement and preventing sole-source lock-in. The DoD's "Other Transaction Authority" (OTA) agreements often contain alternative IP provisions, making OTA a vehicle for avoiding DFARS Part 227 requirements — a major driver of OTA use by commercial technology companies working with DoD.
Cost Accounting Standards (CAS)
Large defense contractors with contracts above $50M are subject to full Cost Accounting Standards — 19 standards governing how indirect costs are allocated to government contracts. See Cost Accounting Standards for detail.
Contract Financing — DFARS Part 232
48 CFR Part 232 (Contract Financing) implements DoD-specific departures from standard FAR payment terms. Key provisions:
- § 232.006 — If a contracting officer finds substantial evidence of fraud, the payment-reduction/suspension authority flows up to the Principal Director, Defense Pricing and Contracting, who reports to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)); unlike civilian agencies, DoD must document the fraud finding in writing before reducing or suspending progress payments.
- § 232.007 — DoD policy is to pay contractors as quickly as possible. Standard due dates are 7 days (vs. FAR's 30-day default) for certain contract types. This reflects DoD's reliance on industrial base health — late payments to prime contractors cascade downstream to subcontractors who supply critical components.
- § 232.009 — Accelerated payment terms apply to small business prime contractors and to primes that subcontract with small businesses; this implements statutory directives to reduce the cash-flow burden on small defense suppliers.
- Incremental funding — DFARS Part 232 explicitly authorizes incrementally funded contracts (where the full amount is not obligated at award but more funding is anticipated), which is common in multi-year defense R&D programs subject to annual appropriations; each increment requires a separate obligation and period of performance.
DoD's 7-day payment policy is a deliberate industrial-base subsidy — defense primes like Lockheed Martin, Raytheon, and General Dynamics depend on timely progress payments to fund production runs. DCAA audits progress payment liquidation rates to ensure contractors are not front-loading costs.
DoD Instruction 5000.02: The Adaptive Acquisition Framework
DoDI 5000.02 (updated 2020) established the Adaptive Acquisition Framework (AAF), replacing a single mandatory acquisition model with six distinct acquisition pathways:
| Pathway | Use Case | Key Feature |
|---|---|---|
| Major Capability Acquisition (MCA) | MDAPs and MAIS programs | Full milestone review; congressional reporting |
| Middle Tier Acquisition (MTA) | Rapid prototyping and fielding (<5 years) | Bypass milestone reviews; streamlined |
| Software Acquisition | Agile/iterative software programs | Continuous delivery model; no final milestone |
| Defense Business Systems | ERP and administrative IT | Less oversight than weapons programs |
| Acquisition of Services | Service contracts >$250M | Services acquisition strategy required |
| Urgent Capability Acquisition | Urgent warfighter needs | Joint Urgent Operational Need (JUON) authority |
The MTA pathway has been the most significant reform — it allows programs to prototype and field capability within 5 years without going through the full Milestone A/B/C review process. Critics argue it has become a way to avoid MDAP oversight for programs that are not truly "middle tier" in complexity or cost.
Major Defense Acquisition Programs (MDAPs)
An MDAP is any acquisition program the USD(A&S) designates, or that meets the dollar thresholds:
- Research, Development, Test & Evaluation (RDT&E): >$480 million
- Procurement: >$2.79 billion
MDAPs are the most heavily scrutinized acquisitions in the federal government. Requirements include:
Milestone Reviews: Every MDAP must pass sequential milestone reviews that authorize advancement:
- Milestone A — approves entry into Technology Maturation & Risk Reduction (TMRR) phase; program office established; competitive prototyping preferred
- Milestone B — the most critical: approves entry into Engineering & Manufacturing Development (EMD); program baseline established; Acquisition Program Baseline (APB) set; congressional notification required
- Milestone C — approves entry into Production & Deployment; full-rate production begins; Low-Rate Initial Production (LRIP) typically precedes full rate
Independent Cost Estimates (ICEs): Before Milestone B and C, the Cost Assessment and Program Evaluation (CAPE) office — independent of the program office — must produce an independent cost estimate. CAPE estimates routinely exceed program office estimates, often by 20–40%.
Selected Acquisition Reports (SARs): Annually, DoD reports to Congress on every MDAP's cost, schedule, and performance against its APB baseline. Cost growth exceeding 15% of the unit cost or 25% of program cost triggers a Nunn-McCurdy breach — requiring a presidential certification that the program is essential to national security or cancellation.
The F-35: The MDAP Cost Growth Case Study
The F-35 Joint Strike Fighter is the largest defense acquisition in history — current lifecycle cost estimates exceed $1.7 trillion through 2088, including $400B in acquisition and $1.3T in operations and sustainment. The program has experienced multiple Nunn-McCurdy breaches, a 7-year schedule slip, and unit costs roughly double the original target. It is simultaneously the most criticized program in DoD acquisition history and genuinely irreplaceable as the primary strike aircraft for the Air Force, Navy, and Marine Corps for the next 30+ years. The F-35 is cited in every acquisition reform discussion as a cautionary tale and has driven multiple changes to MDAP oversight requirements.
Planning, Programming, Budgeting, and Execution (PPBE)
Defense acquisition is governed not just by procurement rules but by DoD's annual PPBE cycle — the internal budget process that determines what gets funded:
- Planning (spring–summer, Year -2): Joint Chiefs of Staff identify capability requirements; Secretary of Defense issues Defense Planning Guidance
- Programming (summer–fall, Year -2): Each service submits a Program Objective Memorandum (POM) — a 5-year investment plan — to OSD
- Budgeting (fall–winter, Year -2 to -1): CAPE and Comptroller challenge POMs; USD(Comptroller) produces the President's Budget Request (PBR) submitted to Congress in February
- Execution (during the appropriated year): Agencies obligate and outlay funds; PPBE starts over for the next cycle
The PPBE cycle means that a new program requirement identified today cannot receive significant funding for 2–3 years. This is why Middle Tier and Urgent Capability pathways exist — to get around the PPBE timeline for genuine urgent needs.
Joint Capabilities Integration and Development System (JCIDS)
Before a program can enter acquisition, it must have an approved requirement generated through JCIDS — the military's process for identifying capability gaps and developing materiel solutions. JCIDS documents include:
- Initial Capabilities Document (ICD): Identifies the capability gap and validates that a materiel solution is appropriate
- Capability Development Document (CDD): Specifies Key Performance Parameters (KPPs) and Key System Attributes (KSAs) — the performance requirements the system must meet
- Capability Production Document (CPD): Finalizes production requirements before Milestone C
JCIDS requirements must be approved by the Joint Requirements Oversight Council (JROC), chaired by the Vice Chairman of the Joint Chiefs. The JROC process is notoriously slow — requirements for major programs often take 2–4 years to validate — and is a frequent target of acquisition reform proposals.
How It Affects You
<!-- pria:personalize type="impact" -->If you are a defense contractor or seeking to enter the defense market: DFARS compliance is the primary barrier to entry. CMMC Level 2 certification (for CUI-handling) is becoming mandatory for most DoD prime and subcontracts; plan 12–18 months and $200K–$1M+ for certification. CAS applicability depends on your total DoD contract portfolio — if you cross $50M, budget compliance costs immediately. The MTA pathway creates real opportunity for smaller, non-traditional contractors who can deliver capability in under 5 years without the full MDAP overhead.
If you work at a federal agency (DoD): Program managers for MDAPs must understand their obligations under DoDI 5000.02 and the APB baseline. Nunn-McCurdy breaches trigger mandatory congressional reporting and can force restructuring or cancellation. Use MTA pathway designation to reduce review requirements, but recognize that programs using MTA to avoid oversight face congressional scrutiny if costs grow.
If you are a citizen, taxpayer, or journalist: SARs are publicly released annually on the USD(A&S) website and provide the most comprehensive public cost and schedule data for all MDAPs. GAO publishes annual "Assessments of Selected Major Weapon Systems" every spring — typically the most authoritative independent assessment of MDAP status available. The F-35 SAR alone runs hundreds of pages.
If you are a policy professional or researcher: The PPBE process is the primary determinant of defense investment priorities — not the acquisition system. PPBE reform has been a major initiative since the FY2022 National Defense Authorization Act required an independent commission review; the commission's 2023 report recommended major changes to improve speed and flexibility. Implementation remains incomplete.
<!-- /pria:personalize -->Recent Developments
- 2026 — FY2026 NDAA debate included provisions to streamline JCIDS for software-intensive programs and expand MTA pathway use for AI/autonomous systems; implementation guidance pending.
- 2025 — DOGE review of DoD contracts focused on service contracts and professional services (T&M, CPAF), not major weapons programs. MDAPs were largely shielded due to their statutory protections and congressional constituencies.
- 2024 — CMMC 2.0 final rule published; compliance phase-in begins with highest-priority programs in 2025; estimated to affect ~80,000 DoD contractors.
- 2023 — PPBE Reform Commission issued final report recommending separation of the programming and budgeting phases to improve DoD's ability to respond to rapidly evolving threats; Congress partially implemented recommendations in FY2024 NDAA.
- 2022 — USD(A&S) issued updated DoDI 5000.02 clarifying MTA pathway criteria after GAO found that DoD was using MTA to avoid MDAP oversight for programs that clearly exceeded MTA scope.