What does it mean to be DFARS Compliant?


DFARS compliance means following the regulations the U.S. Department of Defense imposes on its contractors and subcontractors. The DFARS clauses cover cybersecurity, supply chain risk management, and the protection of sensitive information such as Controlled Unclassified Information (CUI); on the cybersecurity side, the central requirement is the implementation of NIST SP 800-171.


In November 2010, the White House issued Executive Order 13556, creating a single, government-wide program for managing unclassified information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. The program applies to defense and civilian agencies alike.


The Executive Order addressed the problem of agencies using inconsistent, ad hoc, agency-specific policies, procedures, and markings for protecting Controlled Unclassified Information (CUI). CUI is not classified, but it still requires safeguarding because its disclosure can harm security, privacy, or proprietary business interests.


What does DFARS stand for?


DFARS stands for Defense Federal Acquisition Regulation Supplement. It is the Department of Defense (DoD) supplement to the Federal Acquisition Regulation (FAR), and its clauses impose requirements on DoD contractors, including the cybersecurity practices that must be in place wherever CUI is handled. DoD contractors are expected to meet the DFARS clauses that apply to a contract before bidding on it.


Understanding the Requirements for NIST SP 800-171


NIST (National Institute of Standards and Technology) SP 800-171 defines the security requirements for protecting CUI when it resides in nonfederal systems and organizations. For companies working in the Defense Industrial Base (DIB), it is the standard they must implement to meet the DoD's requirements for protecting sensitive information.


NIST SP 800-171 itself explains why: "protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations."


Requirements for DFARS Compliance


Any company that sells to the DoD, whether directly or as a subcontractor, is expected to be DFARS compliant. A DoD contractor that handles CUI and cannot meet the minimum security requirements risks having its contract terminated. The requirements flow down the supply chain: prime contractors must pass them on to the subcontractors that handle CUI on their behalf.


Failing to comply with the applicable DFARS clauses can carry heavy penalties, ranging from termination of existing contracts to losing eligibility to bid on DoD contracts at all.


Compliance with DFARS is therefore essential for companies that want to keep their DoD contracts. Procurement clauses also restrict where products and materials may come from: the U.S. and the allied nations listed as "qualifying countries" in DFARS 225.872-1. On the cybersecurity side, being truly DFARS compliant means implementing the security requirements specified in NIST SP 800-171, not merely reading them.


DFARS and cybersecurity


A DFARS compliance checklist covers both the cybersecurity and the procurement standards that defense contractors must meet. Working through it also requires DFARS training, so that teams understand the clauses that apply to their contracts and how to comply with them.


Examples of these clauses include:

DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting: requires contractors to implement NIST SP 800-171 on the systems that process covered defense information and to report cyber incidents affecting that information to the DoD within 72 hours of discovery. This is the clause that makes NIST SP 800-171 a contractual obligation.

DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements: requires contractors to give the DoD access to assess their implementation of the NIST SP 800-171 security requirements, and to flow the same requirement down to subcontractors. It is how the DoD verifies that a contractor actually maintains a secure environment for processing CUI.

DFARS 252.225-7001, Buy American and Balance of Payments Program: requires that end products procured under defense contracts be domestic or come from the qualifying countries listed in DFARS 225.872-1, in line with U.S. trade policy and DoD standards. The clause reflects a broader policy of national and economic security by restricting procurement from countries that may pose a risk.

DFARS 252.245-7005, Management and Reporting of Government Property: sets the standards contractors must follow when managing, using, and accounting for government-furnished property. This is essential for transparency and for maintaining the integrity of defense resources.

DFARS 252.246-7007, Contractor Counterfeit Electronic Part Detection and Avoidance System: requires contractors to establish and maintain a system for detecting and avoiding counterfeit electronic parts, including reporting of counterfeit and suspect counterfeit parts. This helps keep the DoD supply chain secure and reliable.

DFARS 252.225-7009, Restriction on Acquisition of Certain Articles Containing Specialty Metals: restricts the acquisition of certain defense articles containing specialty metals, requiring that these metals be melted or produced in the U.S. or a qualifying country, to protect the security and integrity of the defense supply chain.


Becoming compliant


CalCom's solution keeps your assets continuously hardened, preventing the configuration drift that is so often missed and that leads to failed audits or breaches. CalCom Hardening Automation Suite (CHS) is a hardening automation platform designed to reduce operational costs and improve the security and compliance posture of your infrastructure. CHS ensures that your servers stay hardened and secured while preserving their availability, saving security operations administrators a tremendous amount of time.
