What Is DFARS? (+ Your Compliance Checklist)
The Department of Defense works with thousands of suppliers, contractors, and subcontractors every year; part of what keeps this exchange alive is knowing that all parties involved are securing government information and that each organization understands how to handle sensitive data. As such, each organization involved must maintain compliance with DFARS, which outlines the cybersecurity standards an entity must adhere to in order to do business with national security agencies. Keep reading to learn what DFARS is and why it’s important, and to review a DFARS compliance checklist!
What Is the Department of Defense?
The US Department of Defense (DOD) is a department of the executive branch of the federal government responsible for overseeing the numerous agencies related to national security and the US military, including national intelligence agencies like the National Security Agency (NSA), the departments of the Army, Navy, and Air Force, and countless more.
The DOD comes from a long line of military, intelligence, and defense initiatives over the course of the country’s history. For example, the First and Second Continental Congresses were organized into the Continental Army during the Revolutionary War. President George Washington later oversaw Congress’s creation of the War Department in 1789, with the later creation of the Navy Department in 1798. The secretaries of each department reported directly to the President as Cabinet-level officials until 1949, when all defense powers were consolidated under the Secretary of Defense’s role.
Fast forward to the 20th century: President Harry S. Truman signed the National Security Act of 1947, establishing the Central Intelligence Agency (CIA), the National Security Council, the US Air Force, and the National Military Establishment, as well as a few other notable agencies. Two years later, in a 1949 amendment to the Act, the National Military Establishment was renamed the Department of Defense, and the chain of command for numerous government security organizations was centralized to form the foundation for what we know today as the DOD.
What Is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) essentially amends the FAR in terms of policies relating to the purchasing of goods and services, including technology. In other words, DFARS is a set of standards that must be adhered to in order for the Department of Defense to make a purchase.
In the 21st century, the Department of Defense continues to secure our national economy and data around the world, fighting both physical and digital threats. DFARS requirements strive to protect Controlled Unclassified Information (CUI) or other sensitive data that third parties might access, manage, store, etc. These standards further ensure that government information is protected and secured against unauthorized use. DFARS outlines significant measures that must be followed, ranging from data education and physical security to cybersecurity fortifications and more.
Why Is DFARS Compliance Important?
DFARS compliance is important to your organization for a few reasons:
Qualify to Bid on Certain Government Projects
Since DFARS compliance is required for a plethora of DOD-related government projects, it’s vital that your organization adheres to the appropriate standards. If your organization isn’t following DFARS requirements, then you’ll be disqualified from bidding on certain projects. This can affect your revenue cycle, overall competitive edge, reputation in the marketplace, and more.
Protect Our National Economy, Data, and Security
The US Council of Economic Advisors estimates that malicious cyber activity could cost the national economy upwards of $1 trillion by the year 2026. DFARS measures are in place—and frequently updated—in order to best protect our national security interests. Thus, following DFARS regulations equates to your business applying those measures to your operations and playing an important role in fortifying national security, no matter how small a role you might feel it is. It’s essential that all pertinent parties who work with or for the DOD do their part to protect sensitive information or government data.
Track Patterns of Cyber Attacks and Threats
One of the components of DFARS compliance is reporting on cyber attacks if—or when—they occur at your business. Because reporting attacks and threats is required, this helps to keep the nation’s cybersecurity posture nimble and dynamic. With near-immediate alerts to the DOD, new patterns of cyber attacks can be monitored and countered, which helps inform future standards.
Who Must Comply with DFARS?
Any organization that does contract work for the DOD or other federal departments and agencies is required to comply with DFARS standards. This includes suppliers, contractors, and even subcontractors—anyone who will handle sensitive or controlled unclassified information pertaining to a DOD project.
It’s important to note that a company doesn’t have to be based in the US in order to work with the DOD; in fact, there are dozens of countries that are eligible for contracting on DOD projects, including:
- Canada
- Australia
- Japan
- Turkey
- Egypt
- UK and Ireland
- France
- Italy
- Israel
- And more
However, simply being designated as DOD eligible doesn’t mean companies based in these countries get an automatic green light; they must still be DFARS compliant.
Your DFARS Compliance Checklist
There are multiple facets to achieving DFARS compliance; use this checklist as a place to start:
⇒ Contractors that deal with controlled unclassified information are required to pass a DFARS compliance audit and establish security protocols in 14 critical areas, including:
- Audit and Accountability
- Awareness and Training
- Access Controls
- Incident Response
- Identification and Authentication
- Configuration Management
- Media Protection
- Maintenance
- Personnel Security
- Physical Protection
- Security Assessment
- Risk Assessment
- System and Information Integrity
- System and Communications Protection
⇒ Perform a gap analysis that identifies your organization’s current cybersecurity measures in relation to DFARS standards; through this analysis, you’ll gain an understanding of what work your enterprise needs to do in order to achieve compliance
⇒ Create a remediation plan that establishes tangible steps towards DFARS compliance so that your organization is able to address any gaps in your cybersecurity operations that fall short of meeting DFARS regulations
⇒ Continuously monitor and report malicious cyber activity, which means that your business will need to establish tools and processes that are able to monitor, detect, and report on breaches and other cyber attacks
⇒ Complete a NIST SP 800-171 DOD Basic Assessment, then upload assessment scoring and required documentation into the Supplier Performance Risk System (SPRS)
⇒ Follow the appropriate CMMC 2.0 level certification as determined by the contracting documents or potential project involvement
Achieve DFARS Capabilities with SCA!
Understanding DFARS requirements is a tedious, time-consuming task that is challenging to do alone; partner with the experts at SCA to help you achieve DFARS capabilities!
Any contractor or subcontractor who handles Controlled Unclassified Information (CUI) is required to follow DFARS federal regulations regarding cybersecurity practices. The team at Security Compliance Associates understands that navigating these standards can be challenging, especially if you—or your suppliers—are a small firm with limited resources.
Let the team of experts at SCA guide you through the tedious process of achieving CMMC compliance as part of DFARS regulations! SCA has been trusted as a leading cybersecurity expert since 2005 and continues to diligently protect assets, resources, and reputation across a wide array of industries.