DFARS COMPLIANCE: A COMPREHENSIVE GUIDE TO UNDERSTANDING REQUIREMENTS
As a DoD contractor, you understand that compliance with federal government regulations is no easy affair. Not only are there extensive regulations, but interpretations of them vary and are often evolving. On top of that, there are the risks of penalties and business impacts for noncompliance, which can be dire.
It’s a lot to consider, which is why we have created this resource—it’s your comprehensive guide to understanding how to achieve compliance, one step at a time.
Contracting with the DoD, your business handles sensitive information and must attain a higher level of compliance with security regulations. Statistics reveal a concerning historical pattern:
It’s estimated that nearly nine in 10 (87%) of US defense contractors fail to meet DFARS compliance requirements, per research commissioned by CyberSheath. To put this in a dollars and cents perspective, almost half of defense contractors would lose about 40% of their revenue if they lost their Department of Defense contracts as a result.
In 2023, the Council of Economic Advisers estimated that malicious cyber activity costs the U.S. economy more than $100 billion annually.
Because of the increasing rate of cybercrime, the DoD used the Defense Federal Acquisition Regulation Supplement (DFARS) to establish a set of rules that prioritize the security of contractors’ systems and the government information they hold. To contractors, this may seem simple enough; however, becoming compliant takes time and requires a close look at the standards examined during an audit.
Back in late 2020, the Department of Defense (DoD) initiated a significant shift in its approach to cybersecurity requirements for contractors by transitioning from just having the Defense Federal Acquisition Regulation Supplement (DFARS) contract clause to ensuring accountability with the Cybersecurity Maturity Model Certification (CMMC). This change was driven by the increasing need to protect sensitive defense information within the Defense Industrial Base (DIB) from cyber threats.
Unlike the self-attestation approach of the DFARS clause, CMMC 2.0 adds independent verification. Level 1 and a subset of Level 2 contracts use an annual self-assessment with an affirmation from a senior company official; most Level 2 contracts require assessment by an accredited third party; Level 3 requires a government-led assessment. The CMMC framework is designed to provide a more comprehensive and scalable method to assess and enhance the cybersecurity posture of the DIB.
What are the Key Differences Between DFARS and CMMC?
- Certification Levels: CMMC 2.0 introduces a tiered model with three levels, ranging from basic cyber hygiene (Level 1) to advanced/progressive (Level 3). Each level specifies a set of practices that contractors must implement. Depending on the contract, the DoD requires a certain level as a condition of award.
- Third-Party Assessments: Under CMMC, contractors whose contracts require Level 2 certification must pass a triennial assessment by an accredited CMMC Third-Party Assessment Organization (C3PAO), with an annual affirmation of continued compliance in between. Level 3 requires a triennial government-led assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). This contrasts with the original DFARS 252.204-7012 approach, which relied on the contractor’s own attestation of compliance with NIST SP 800-171, later supplemented by a self-assessment score posted to the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019 and -7020.
- Scope: CMMC Level 2 maps directly to the 110 requirements of NIST SP 800-171, so it adds verification rather than new controls for most contractors. Level 3 adds 24 enhanced requirements drawn from NIST SP 800-172 for the most sensitive programs.
What is the Impact on Defense Contractors?
For defense contractors, the shift to CMMC means that achieving and maintaining compliance is no longer optional. Companies must:
- Assess Current Cybersecurity Posture: Evaluate existing cybersecurity measures against DFARS requirements and CMMC standards, identifying gaps to ensure CMMC Level 2 compliance.
- Implement Required Practices: Enhance cybersecurity practices to meet the appropriate CMMC level for their contracts.
- Prepare for Certification: Engage with accredited CMMC third-party assessment organizations (C3PAOs) to undergo certification, ensuring compliance with DFARS requirements and achieving the necessary CMMC maturity level.
By understanding DFARS, you can create a strong foundation for successfully achieving CMMC compliance, so let’s break it down.
What Is DFARS?
To understand DFARS, it helps to take a look at its history and why it was established. DFARS itself is the DoD’s supplement to the Federal Acquisition Regulation (FAR) and covers far more than cybersecurity. What is usually meant by “DFARS compliance” is the cybersecurity clause DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, issued in 2015 with a final implementation deadline of December 31, 2017. Its main purpose is to protect the confidentiality of Controlled Unclassified Information (CUI), and it is included in essentially all DoD contracts other than those solely for commercial off-the-shelf (COTS) items.
The DoD created DFARS cybersecurity to establish a framework of regulations designed to enhance the security of civil and defense organizations across the United States. Leaks of this secure data would compromise military activities as well as the safety of U.S. citizens. And there is also information that is less sensitive yet still requiring protection. This kind of content is usually related to financial services, web, electronic mail services, security clearances, healthcare data, cloud services, communications, satellite and weapons systems.
In spite of best efforts, DoD contractors can unknowingly have big gaps in their data protection systems, leaving them vulnerable to a cyberattack. DFARS cybersecurity was created to fill those gaps by establishing protocols for contractors’ internal systems and procedures to follow in case of an incident.
DFARS also requires defense contractors to comply with specific cybersecurity requirements detailed in NIST 800-171. These standards specify the proper manner in which Controlled Unclassified Information (CUI) must be handled and protected.
Contractors who believe they do not handle CUI should confirm that with their contracting officer rather than assume the clause does not apply. The clause is included in most DoD contracts regardless, and a contractor that later receives CUI under that contract is held to its requirements for DFARS and NIST 800-171. Noncompliance may end in lost government business.
What is CUI?
To fully grasp DFARS, it’s essential to note what exactly constitutes CUI. The U.S. National Archives defines CUI as
information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.
More simply put, CUI is unclassified information that the government creates or possesses, or that a contractor creates or possesses on its behalf, and that a law, regulation, or government-wide policy requires to be protected.
CUI includes any potentially sensitive but unclassified information that must have controls in place defining how it is safeguarded and disseminated. The National Archives maintains a single public CUI Registry listing the approved categories and subcategories and the legal authority that makes each one CUI. Categories most often seen in defense contracts, such as Controlled Technical Information (CTI), fall under the Registry’s Defense grouping.
What Is NIST 800-171?
NIST SP 800-171 is a NIST publication, not a regulation in itself. It lists the security requirements for protecting CUI in nonfederal information systems and organizations, and it becomes binding on a contractor when a contract clause such as DFARS 252.204-7012 requires it. It covers the safeguarding and dissemination of data that is considered sensitive but not classified.
Revision 1, published in 2016, was the version contractors had to implement by the DFARS deadline of December 31, 2017; Revision 2 followed in 2020 with the same 110 requirements. Revision 3, published in May 2024, restructured the requirements and aligned them with NIST SP 800-53 Rev. 5. A practitioner caveat: the DoD issued a class deviation (2024-O0013) so that DFARS 252.204-7012 and CMMC continue to point to Revision 2, so confirm which revision your contract requires before assessing against it.
The overall purpose of the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST 800-171) is to help any organization that works with federal agencies set up cybersecurity protocols and strategies.
DFARS 252.204-7012 incorporates NIST SP 800-171 by reference, so implementing its 110 requirements covers the bulk of the clause. It does not cover all of it. The clause also requires reporting cyber incidents affecting covered defense information to the DoD within 72 hours of discovery, preserving images of affected systems and relevant monitoring data for at least 90 days after reporting, and using only cloud services that meet the FedRAMP Moderate baseline or equivalent for covered defense information. Meeting every requirement in NIST SP 800-171 makes you NIST 800-171 compliant; meeting those additional obligations too makes you DFARS compliant.
Who Needs to Be DFARS Compliant?
It doesn’t matter if you are a large defense contractor or a small firm: any organization, prime or subcontractor, that holds a DoD contract containing DFARS 252.204-7012 must comply, and primes must flow the clause down to subcontractors that handle covered defense information. (Other federal agencies impose their own CUI clauses rather than DFARS.) Even if you do not currently do any work for the DoD, becoming DFARS compliant positions you for future opportunities.
There are several basic requirements in meeting a DFARS compliance audit. These include:
- Implementing the 110 security requirements of NIST SP 800-171, or documenting a plan of action with milestones for any not yet met
- Providing effective intrusion monitoring as well as disclosing incidents
- Introducing cyber incident reporting and analysis, including the 72-hour report to the DoD
- Protecting all covered defense information, including Operations Security (OPSEC) information, export-controlled information, and Controlled Technical Information, as well as all other contract-related data regardless of where it resides
To more fully understand how a DFARS audit could affect your company, let’s examine how your current IT systems may be putting you at risk.
The Scope of DFARS Cybersecurity
The reach of DFARS cybersecurity requirements is often misunderstood. Most businesses that work with the Department of Defense (DoD) realize there are precise controls for systems that utilize classified data. But did you know there are DFARS regulations that also apply to unclassified information?
DFARS compliance extends to any system operated by or for a contractor that processes, stores, or transmits covered defense information. This is where the waters get murky. For many firms, this means expanding security controls to cover systems they did not previously consider in scope.
DFARS protects the unclassified DoD information residing on a contractor’s internal information system to safeguard it from cyber incidents. It also includes mechanisms for assessing and minimizing the consequences associated with the loss of contractor information through cyber incident reporting and damage assessment processes. This single DoD-wide approach to safeguarding contractor information systems prevents the proliferation of cybersecurity clauses and contract language by various DoD entities.
However, the changes required for compliance may significantly impact the way you do business. Gaining DFARS compliance is critical because companies cannot do business with the DoD without it. Furthermore, achieving compliance determines if your company can remain competitive and thrive in the defense contracting landscape.
Compliance with DFARS is not merely a legal requirement but also a strategic imperative. It ensures that sensitive defense-related information is adequately protected, thereby maintaining the integrity and security of the broader defense supply chain. As cyber threats continue to evolve, adherence to DFARS standards helps bolster national security and protect valuable intellectual property.
For businesses, the journey to DFARS compliance involves implementing robust cybersecurity measures, conducting regular assessments, and staying updated with the latest regulations. It requires a proactive approach to identify and mitigate potential vulnerabilities in your information systems.
Partnering with a knowledgeable Managed Service Provider (MSP) streamlines compliance with DFARS requirements because they can provide comprehensive solutions, including cybersecurity awareness training, external vulnerability scanning, dark web monitoring, and multi-factor authentication.
Achieving DFARS compliance is not just about adhering to regulations; it’s about safeguarding your business, maintaining competitiveness, and doing your part to keep our nation secure. Ensure your company meets these critical requirements to thrive in the defense contracting sector.
What Does it Mean to Be DFARS Compliant?
To understand how to achieve DFARS compliance, you must examine how DFARS and NIST 800-171 are related. As stated, DFARS is a set of contract requirements obligating contractors to implement cybersecurity practices that ensure the careful handling of information and the resolution and reporting of cybersecurity incidents.
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), on the other hand, is a set of guidelines that contractors must adhere to in order to be DFARS compliant. Essentially, NIST SP 800-171 defines how firms should handle CUI.
In general, DFARS requires firms to have adequate cybersecurity practices in three key areas: regularly assessing the environments that store, process, or transmit CUI; multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts (NIST SP 800-171 requirement 3.5.3); and coherent and rapid incident response, including the 72-hour reporting window. Let’s break it down further.
What Are the Critical Areas of NIST 800-171?
All contractors that handle CUI must introduce security protocols covering the following 14 key areas:
1. Audit and Accountability
You should examine how system logs provide records of what happened on your systems. Specifically, this covers the creation, protection, review, and retention of system logs. To put it simply, contractors need to confirm that records are kept of authorized and unauthorized access to sensitive information, and that those records can trace each action back to an individual user so violators can be identified.
2. Awareness and Training
This requirement addresses the degree of awareness of the security risks inherent in user activities, and how staff are trained on standards and on performing their duties. It seeks to ensure your staff has the proficiency to handle and treat sensitive information.
3. Access Controls
You should address the need to restrict system access to authorized users. By establishing controls like this, you help prevent data from being accessed by outside users and reduce the risk of leaks.
4. Incident Response
Another requirement is to create a procedure to detect, contain, analyze, and respond to incidents in online systems—this includes the need to follow proper notification directives.
5. Identification and Authentication
Another key component of effective security is to identify and authenticate all users and devices of the information system. Determine who is approved to access CUI and how they will be verified before they can access any sensitive information.
6. Configuration Management
Establish a baseline configuration and a robust change management process in your system. Identify how your networks and safety protocols are built and documented.
7. Media Protection
DFARS requires that you manage the protection and destruction of all media that contain CUI. Review how hard copy and electronic backups and records are stored as well as which users have access to these files.
8. Maintenance
Timely maintenance of all information systems is not optional. Questions to consider include: “Who is responsible for routine maintenance?” and “What timeline is in place for scheduled maintenance?”.
9. Personnel Security
For this protocol, contractors must implement systems that protect access to CUI. These systems should include screening users before authorizing their access to key systems and, importantly, ensuring that systems remain secure following the termination of staff members.
10. Physical Protection
This criterion considers the restrictions to physical access that include protection and monitoring of the physical facility and infrastructure of the information systems. Again, it’s important to determine who can access the systems, equipment, and storage environments to ensure the safety of the system.
11. Security Assessment
You must prove that you monitor, analyze, and deal with deficiencies and vulnerabilities in all organizational information systems. This means regularly testing whether procedures and processes remain effective and employing improvements when needed.
12. Risk Assessment
Risk assessment means periodically assessing the risk to organizational operations, assets, and individuals from the processing, transmission, and storage of CUI; scanning systems and applications for vulnerabilities on a schedule and whenever new vulnerabilities affecting them are identified; and remediating what is found in proportion to the risk.
13. System and Information Integrity
Simply put, you must take steps to protect systems from the introduction of malicious code and carefully monitor alerts and advisories of information security and take effective action. This component also stresses the need to report, identify, and correct any problems in the information systems in a timely fashion.
14. System and Communications Protection
This requirement focuses on the data sharing boundaries of all systems, which must be controlled, monitored, and protected. It’s advisable to only implement software development techniques, architectural designs, and system engineering principles that encourage effective system security.
The failure to achieve NIST 800-171 compliance could have lasting impacts, from failed audits to termination of contracts. It could even lead to suspension or an outright ban on contracting with the DoD (or even bidding to do so). If you are unsure where you stand, NIST’s MEP Cybersecurity Self-Assessment Handbook (NIST Handbook 162) walks through each requirement.
Changes Made In Recent Years
Over the years, the DoD struggled with a low rate of DFARS compliance among its contractors. To combat this problem while increasing the security of defense data and networks, the department introduced the Cybersecurity Maturity Model Certification (CMMC).
CMMC builds upon existing cybersecurity frameworks and requirements, such as NIST SP 800-171, and therefore on DFARS as well. The updated CMMC framework has three levels. Level 1 covers only the 15 basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information, so it does not by itself satisfy DFARS 252.204-7012. Level 2 consists of the 110 requirements of NIST SP 800-171, so a contractor that is genuinely DFARS compliant already implements the practices assessed for Level 2; what changes is that someone else verifies it.
Unlike DFARS’s self-attestation approach, CMMC Level 2 (for most contracts) and Level 3 require independent assessment. So once the CMMC clause (DFARS 252.204-7021) appears in a contract, self-attesting to DFARS compliance is no longer enough; you must hold the CMMC status the contract specifies.
CMMC Levels and DFARS Compliance
As mentioned, the updated CMMC model includes three levels of cybersecurity maturity:
- Level 1 (Foundational): Focuses on basic cybersecurity hygiene practices suitable for protecting Federal Contract Information (FCI).
- Level 2 (Advanced): Aligns with NIST SP 800-171 and introduces more advanced practices to protect Controlled Unclassified Information (CUI).
- Level 3 (Expert): Requires the implementation of advanced and sophisticated cybersecurity practices to safeguard CUI and meet the highest standards of security required for defense contracts.
Where a contract calls for it, defense contractors handling CUI must now achieve CMMC Level 2 in addition to meeting DFARS 252.204-7012. For most such contracts this means a C3PAO assessment that verifies, rather than takes on trust, that the practices are implemented; a subset of Level 2 contracts allow an annual self-assessment with a senior-official affirmation instead.
Steps to Achieve CMMC and DFARS Compliance:
- Assess Current Compliance: Evaluate your existing cybersecurity measures against DFARS and your desired CMMC level requirements to identify gaps and areas for improvement.
- Implement Necessary Controls: Based on the identified gaps, implement the required cybersecurity controls and practices to meet DFARS standards and the appropriate CMMC level.
- Engage with a Third-Party Assessor: Undergo an official assessment by a certified third-party assessment organization to verify compliance if you are seeking CMMC Level 2 compliance.
- Maintain and Monitor Compliance: Continuously monitor and update your cybersecurity practices to ensure ongoing compliance with DFARS and CMMC requirements.
Let’s take a closer look at the specific regulations guiding the DFARS requirements currently in place.
Tips for Achieving DFARS Compliance
As you can see from the previous section, the NIST 800-171 requirements guiding DFARS compliance are extensive, with a lot of room for interpretation; in fact, the overview provided is just the tip of the iceberg. That’s why we came up with five tips to help companies address all 14 requirement families. Implementing these best practices will get you started on the road to compliance:
Undergo Security and Risk Assessments
Inherently, there are operational risks involved in processing, storing, and transmitting CUI, so you should routinely scan your internal procedures and IT systems for vulnerabilities that may endanger CUI. Doing so will help you identify and correct deficiencies so you can reduce or eliminate risks. Given the growing complexity of security and regulatory obligations, it’s best to ask a DFARS compliance expert like Charles IT to conduct these assessments for you.
Roll Out IT System and Physical Safeguards
Physical facilities that house IT systems must be protected too. This involves actions like restricting physical access to your office, encrypting communications, separating internal networks from publicly accessible systems, and prohibiting unauthorized data transfer to shared system resources.
Implement Identification, Authentication, and Access Controls
The importance of user access cannot be overstated. It’s a best practice to register and manage every user and device that accesses your data and IT systems, taking care that each user only has access to what they need to do their job. Also, set methods to identify, track, and authenticate users and devices with proper security protocols each time they access your data or system. This means implementing multifactor authentication, prohibiting password reuse, enforcing password complexity requirements, and logging out a user automatically after a defined period of inactivity, among others.
Conduct Cybersecurity Awareness Training
Without proper training, employees cannot be made aware of the security risks associated with their use of company data and systems. Educate them about the different policies, standards, and procedures they can adopt to ensure safety.
Develop and Employ an Incident Response Plan
Designate a team and a set of procedures that allow you to detect, analyze, contain, recover from, and respond to a data breach or any other kind of cybersecurity incident, including who makes the 72-hour report to the DoD. Then regularly test your company’s Incident Response Plan and adapt it as necessary.
DFARS Compliance: A Checklist
It’s clear that undertaking DFARS compliance may be an intimidating task for a small firm without a robust IT department. We’ve developed a useful tool to assess the integrity and security of your information systems and avoid the consequences of noncompliance. Use this list as a review of what we’ve outlined earlier to begin examining your processes:
Checklist 1: DFARS Compliance
Contractors can use the DFARS compliance self-assessment checklist as a resource to examine whether their information systems’ existing security mechanisms adhere to DFARS standards. It contains guidelines that must be followed, based on the NIST MEP Cybersecurity Self-Assessment Handbook.
Using this self-assessment checklist, contractors can scrutinize relevant compliance matters, including, but not limited, to:
Access Permission to System Resources
Identify users that can be given access and the type of system resource they’re authorized to use.
Information Security Awareness and Training
Increase users’ and managers’ awareness of the need to protect systems, making sure employees know how their actions impact system security and provide them with appropriate training.
Independent Audit and Review of Records and Activities
Perform this to ensure that operational procedures comply with policies, keeping a close watch of system records for unlawful or suspicious activity.
Other Pertinent Matters
Consider all possible issues, including IT systems maintenance, standard operating procedures implementation in case of security incidents (e.g., malware, natural disasters, corrupted files, etc.), and risk assessment about the transmission of CUI.
Checklist 2: Risk Assessment
Evaluating the risk to your CUI is also key to DFARS compliance. Use this checklist to identify risks to the systems that handle CUI, determine the likelihood and impact of each, and implement measures to reduce or eliminate them.
DoD contractors must take the following details into account:
Assets and Users At Risk
Specify which systems, data stores, and groups of users handle CUI and are therefore exposed. For example, is it the engineering file server, the staff who receive technical data from a prime, or a laptop fleet used in the field? Each company’s list will vary.
Existing Control Measures
After defining the assets and users at risk, record which controls already protect them (access restrictions, encryption, logging, backups) so you can judge what residual risk remains.
Control Measures Improvements
Strong internal controls are a must. Determine which current measures must be improved or replaced with more effective ones, and capture anything not yet implemented in your Plan of Action and Milestones (POA&M).
Person-In-Charge and Deadlines
Build accountability into the organization by putting a named person in charge of implementing each new measure. Next, set deadlines for when these will be in place.
Checklist 3: Gap Analysis
A gap analysis is a tool that we deploy to measure if system setups meet DFARS rules.
Use this list to help reveal gaps in security that need to be addressed and improved.
Analyze the Present State
Document how each of the 14 requirement families is currently implemented, what evidence exists for it, and which requirements are not met.
Illustrate the Ideal state
In clear terms, express what processes must look like in the future, given the present state.
Identify Gaps
Highlight the problems that must be overcome in order for your organization to achieve the ideal state.
Create a Comprehensive Plan
Outline, in step-by-step fashion, what actions must occur to address gaps and set a deadline for closing them.
To conduct these checklists, you may either use in-house resources and expertise, or consider outsourcing the task to a qualified DFARS consultant that specializes in helping DoD contractors meet compliance rules.
DFARS and The Impact on Your Business
Consider the practical effects that lack of compliance may have on your business. Cyberattacks against the U.S. military aren’t uncommon but cyberattacks against military contractors are what worry defense officials the most. Just consider these recent examples:
- In 2022, it was reported that from January 2020 to February 2022, Russian state-sponsored threat actors breached multiple US defense contractors, according to a joint security alert from the NSA, CISA, and the FBI. These actors targeted cleared defense contractors (CDCs) supporting the US Army, Air Force, Navy, Space Force, and various DoD and Intelligence programs, maintaining persistent access to some networks for at least six months. The attackers exfiltrated sensitive but unclassified data, including emails, proprietary, and export-controlled information, gaining significant insights into US weapons platform development, deployment timelines, and communication infrastructure plans.
- In 2024, four Iranian nationals were indicted in Manhattan federal court for conducting a sophisticated cyberespionage campaign targeting US government departments, defense contractors, and private firms. The accused allegedly hacked into critical systems at the Departments of Treasury and State and over a dozen private US companies with access to defense-related information. They used spear-phishing and other hacking techniques to harvest hundreds of thousands of employee accounts, compromising significant defense contractor systems. Spear-phishing is when attackers send personalized emails to trick specific individuals into revealing sensitive information or installing malware. The Justice Department revealed that the group also used social engineering techniques, including impersonation, to deploy malware. Social engineering techniques are when hackers manipulate people into divulging confidential data or performing actions that compromise security by exploiting human psychology.
Attackers may be more likely to bypass primary defense contractors, in favor of the small and medium-sized businesses that support them who might not be able to provide the same level of security.
With the consequences of a cyberattack looming on one side and the consequences of violating DFARS regulations looming on the other, how can small to midsize businesses find room to navigate? Let’s explore some of the challenges small- and medium-sized businesses (SMBs) face and look at solutions.
Why Is it Difficult for SMBs to Comply with DFARS Regulations?
First off, you should understand what can happen if you suffer a data breach: you will not be automatically subject to penalties under DFARS; however, you might get subjected to a DFARS audit. If this audit reveals gaps or something out of place, you could face any number of consequences, including:
- You might be asked to stop work on the contract until the DFARS problem is fixed.
- Your business might lose the contract altogether.
- You might be subject to penalties for breach of contract.
- You might be permanently barred from working with government agencies.
Since any of these scenarios could significantly impact your business, why do DFARS violations happen in the first place? The answer is simple: it’s not the core of your business, and if you’re an SMB with few full-time IT staffers, you may have deemed such matters cost-prohibitive. On the other hand, your IT personnel may simply have little experience with information security.
Additionally, the idea of hiring a CIO/Chief Information Security Officer with experience may not be in your budget. And even if you go this route, the cost of new personnel is just the beginning of your security expenses, because you’ll also need new tools and infrastructure as well.
Finally, there’s always the shadow of doubt that even if you conduct a well-intended effort to secure your CUI and other sensitive data, you could inadvertently fail to check a DFARS box and jeopardize your next audit.
If you’re a business leader at an SMB military contractor, you don’t want to get hacked. Still, you also want to prioritize your core business priorities without getting derailed by security. So, what do you do?
First off, understand that it can take months to become fully compliant. But the good news is that there is help available in complying with DFARS and NIST 800-171. A professional organization with experience in IT consulting for DoD firms knows precisely how organizations can best comply with DFARS—and the forthcoming CMMC—standards.
You don’t have to try to hit this moving target alone. Consider our two-step process. The first important step to becoming DFARS compliant is to see where your organization stands in meeting the minimum DFARS requirements. This step is referred to as a Gap Assessment, designed to determine the “holes in your business’s security posture” and show you what you need to do to fill those gaps.
Typical results of our Charles IT GAP Assessment may uncover issues such as:
- Control of information systems and how they are accessed
- Training processes of information system administrators and managers
- Storage of data records
- Implementation of security measures and controls
- Development and implementation of incident response
The second step is the support and backing we provide for security services, such as:
- Backup and Disaster Recovery services, critical to your document management and storage requirements
- Dark Web Monitoring for notifications of credentials that are publicly available
- Endpoint Encryption so that data on a lost or stolen device cannot be read
- External Vulnerability Scanning for notifications on any potential threats to your network
- Security Awareness to educate employees on best practices to safeguard sensitive information
- SIEM core and endpoint protection for potential breach notification requirements
The experts at Charles IT can help you achieve the additional security needed for DFARS compliance while saving you costly investments in the process. Drop us a line today to get started on the road to DFARS compliance.