DFARS Compliance: The Practical Guide for DoD Contractors

If you work with the DoD and handle CUI, you are required to meet the new DFARS compliance standards. Learn more about the minimum requirements, regulations, risks, and more.

With the escalating threat of cyberattacks, the Department of Defense (DoD) has been placing a high priority on addressing cybersecurity threats and protecting sensitive information.

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that defense contractors must follow in order to be awarded new DoD contracts.

This guide provides detailed information on how DFARS compliance applies to DoD contractors, the minimum compliance requirements, and available options for meeting those compliance requirements.

Under the new Cybersecurity Maturity Model Certification (CMMC), organizations that cannot prove full DFARS / NIST SP 800-171 implementation and continuous monitoring of their DFARS compliance will not be awarded new defense contracts, and could potentially face fines as well as the loss of current contracts.

If your company provides services sold to the Department of Defense, you are required to comply with the minimum DFARS compliance security standards. CUICK TRAC by Beryllium InfoSec can help your organization implement the requirements you need to ensure compliance with DFARS clause 252.204-7012.

Call 763-546-8354 or click the link below to learn how we can help your organization meet DFARS cybersecurity standards.

Get DFARS/NIST 800-171 Compliant With cuick trac™ — a private hosted, virtual enclave

What is DFARS Compliance?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that defense contractors and suppliers must follow in order to be awarded new DoD contracts; DFARS compliance means meeting those regulations.

As technology and the severity of cybersecurity threats continue to escalate, the federal government is placing a higher priority on safeguarding sensitive defense information. Its enforcement of measures for protecting Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) has become particularly intense for private defense contractors and other nonfederal information systems and organizations that work with the federal government. These entities are frequently required to update their security to meet new requirements.

The DoD published DFARS in December 2015; it adopts the cybersecurity standards specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The specific purpose of these standards is to protect CUI under the control of defense contractors.

NIST SP 800-171 went into effect on December 31, 2017, which is when contractors were required to meet the minimum standards for DFARS compliance and demonstrate that compliance to the DoD. Failure to comply can result in fines, the loss of current DoD contracts, and the inability to obtain a government contract in the future.

The following list shows the qualifying countries under DFARS, meaning these countries have a reciprocal defense procurement memorandum of understanding or international agreement with the United States:

  • Australia
  • Austria
  • Belgium
  • Canada
  • Czech Republic
  • Denmark
  • Egypt
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Israel
  • Italy
  • Japan
  • Latvia
  • Luxembourg
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Turkey
  • United Kingdom

Who needs to be DFARS compliant?

Your company must comply with the minimum DFARS standards if it supplies goods or services to the DoD, whether directly or indirectly. This requirement also applies to all DoD prime contractors and subcontractors that process, store or transmit CUI.

What are the DFARS compliance requirements?

The minimum requirements of DFARS regulations are relatively straightforward, despite the increasing complexity of cybersecurity requirements. DoD contractors must provide adequate security for CUI that resides in or moves through their information systems. The purpose of these measures is to prevent unauthorized personnel from accessing and disclosing CUI. DoD contractors must also promptly report security incidents and cooperate with the DoD in responding to those incidents. This process includes allowing DoD personnel to access the affected media.

These requirements sound easy in theory, but the term “adequate security” is open to interpretation. NIST SP 800-171 groups DFARS requirements into 14 categories, which affect many aspects of information security. The document also provides complete details on each requirement for safeguarding CUI. Contractors and other non-federal organizations must conduct a readiness assessment that addresses all of these requirements, and provide objective evidence as proof, before they are DFARS compliant. The categories of DFARS requirements are as follows:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Meeting these requirements with existing resources is often challenging for contractors who lack expertise in technical and security administration areas, such as creating policy and procedure documentation. The primary reason for this difficulty is that meeting NIST SP 800-171 requirements is a continuous process of monitoring and assessment to achieve improvement, rather than a one-time fix. DoD contractors must therefore allocate significant resources on an ongoing basis to remain DFARS compliant, especially since these requirements are constantly evolving.

The DoD has been understanding about this challenge, realizing that even the most secure computing environments experience data breaches. Working with a third-party provider of NIST 800-171 compliance solutions can allow contractors to achieve the additional security that the DoD requires without making the large capital investment that is often needed to develop the necessary controls.

What do you need to do to be DFARS compliant?

DFARS compliance requires organizations to pass a readiness assessment as specified in NIST Special Publication 800-171. Organizations typically require six to ten months to become compliant, depending on their current security posture and available resources. Planning is a key requirement for success in this endeavor, as is the need to treat it as a major project. Contractors must ensure they allocate the funding and other resources ahead of time. They can also hire security specialists to expedite this process and avoid many mistakes.

The following four steps will help ensure your organization is DFARS compliant:

  • Calculate your organization’s applicability
  • Build a remediation plan
  • Implement your remediation plan
  • Continuously monitor your compliance

1. Calculate Your Organization’s Applicability 

Document the gaps between your current security posture and your desired goal by using the controls listed in NIST SP 800-171. Review all of your contracts to identify the critical provisions with respect to DFARS requirements. Review clause 252.204-7012 of DFARS to identify the types of CUI that apply to your contracts. Check with your contracting officer as needed to determine your applicability. Define the parts of your infrastructure that fall within the scope of your NIST 800-171 compliance, including hardware, software, systems and processes.

2. Build a Remediation Plan

Building a remediation plan that is compliant with NIST SP 800-171 requires you to conduct a control gap analysis against the standards described in that document. You will also need to develop solutions for the gaps that you identify. Your subcontractors and other business partners will need to perform these steps to ensure they are in compliance as well.

3. Implement Your Remediation Plan

Implementing your remediation plan will provide you with the peace of mind of knowing you won’t be subject to fines, the loss of new contract opportunities, or other penalties. This process includes developing new controls or revising existing ones as needed to remedy the control gaps you identified in the previous step. You’ll also need to repeat the validation testing after implementing the remediation plan to confirm the controls are operating effectively. This step will require the approval of your contracting officer.

4. Continuously Monitor Your Compliance

Developing a plan for continuously monitoring your DFARS compliance requires you to use a variety of templates and other tools to obtain the necessary metrics. You’ll also need to organize monitoring activities and provide current statuses for investors and other stakeholders. This step is needed for the accountability that many stakeholders require.

What happens if you're not compliant with DFARS/NIST 800-171 requirements?

Defense contractors are likely to receive a stop-work order if a DoD audit determines they are not in compliance with DFARS or NIST 800-171. This action requires contractors to suspend their work for the DoD until they implement security measures that provide adequate protection for CUI. The DoD can also impose financial penalties, including damages for false claims and breach of contract. Contractors can also lose their contracts with the DoD. In the worst case, the DoD can suspend or even debar the contractor from ever working with the DoD again. NIST SP 800-171 provides more information on the importance of compliance to the DoD.

The roadmap to success — DFARS compliance service with cuick trac™

Cuick trac™ is a cost-effective turn-key solution from Beryllium that helps DoD contractors and subcontractors receive, process and transmit CUI. Contractors that currently work with the federal government or want to do so can use this solution to become compliant with DFARS requirements.

As a top DFARS compliance solution, cuick trac™ is especially beneficial for contractors that lack the bandwidth and other resources to implement and manage the controls of NIST 800-171 that DFARS 252.204-7012 requires. These contractors have a particular need for a low-cost solution they can implement in a short period of time. Beryllium InfoSec also offers other services that can help contractors become DFARS compliant and stay that way if CUICK TRAC isn’t the right solution for them.

DFARS requires contractors to report cyber incidents within 72 hours of their occurrence, which can be a challenge. Many contractors lack the personnel and other resources needed to continually monitor their security information and event management (SIEM) solution. CUICK TRAC meets this requirement within its virtual enclave, under a shared-responsibility model with the contractor.

The Cybersecurity Maturity Model Certification (CMMC) serves as a single cybersecurity standard for all future DoD acquisitions. It requires DoD contractors to become CMMC certified beginning in 2021, with renewals every three years. CMMC requires companies to achieve third-party certification for cybersecurity best practices, which will eventually determine whether the DoD can award a contract to that company. CMMC includes five levels of maturity, which are based on multiple frameworks, such as FAR clause 52.204-21, NIST SP 800-171, NIST SP 800-172, and others.

For a DoD contractor to become CMMC certified, a Certified Third Party Assessment Organization (C3PAO) must conduct a formal assessment demonstrating the contractor’s compliance with its target CMMC level. Prime contractors can use CUICK TRAC as a CUI Vendor Risk Management solution for their supply chain and lower-tier suppliers looking to achieve CMMC Level 3. Subcontractors can also use CUICK TRAC to prepare for CMMC in a much shorter time period, at a fraction of the cost of doing it themselves, thanks to its Infrastructure as a Service (IaaS) offering and its continuous compliance-monitoring program.

CUICK TRAC has a highly favorable return on investment (ROI), resulting in average savings of more than $100,000. It is also quick to implement and can bring an organization into DFARS compliance within weeks, not months. CUICK TRAC helps contractors satisfy all 110 NIST SP 800-171 controls across 14 domains. Furthermore, it provides proof of compliance for contractors that store, process and transmit CUI.

Summary

DFARS compliance requires DoD contractors to establish security controls for their current information systems and the data they move, store and process. They also need to ensure they remain compliant as they acquire new systems and data. Contractors often implement these controls effectively, but reduce their vigilance once they’re up and running. 

Continuous monitoring is a requirement for DFARS compliance, especially when it comes to applying controls to new systems and data. Contractors must therefore devote the same level of attention to maintaining DFARS compliance as they do when obtaining that compliance in the first place.

Cuick trac™ can help you achieve and maintain DFARS compliance. Call 763-546-8354 today or schedule a free consultation with our cybersecurity experts to learn more about our DFARS compliance solutions and Beryllium’s other services for helping you avoid fines or the loss of contract award opportunities.

Derek White
Director of Business Development
Derek’s success comes from his customer-first mentality, using collaboration between security and technology to create positive outcomes and compliant solutions.
