What is DFARS and how does it impact my company?

Today, we would like to review many frequently asked questions regarding the DFARS compliance requirements and how they apply to your company. We have received questions ranging from “What is DFARS?” to “How does it affect me?” to “When do I have to be compliant?” Let’s try and answer some of those initial questions and a few others.

What is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation (FAR) which governs the acquisition process by which contracted agencies provide services to the United States Federal Government.

DFARS is specifically tailored to the safeguarding of contract specific information that contractors and subcontractors obtain and transmit. Contractors are required to comply with standards developed by the National Institute of Security and Technology (NIST) SP 800-171: “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations” in order to be considered DFARS compliant.

Who must comply with DFARS requirements?

All prime and subcontractors for the Department of Defense (DoD) that are working with CDI/CUI or have DFARS clause 252.204.7008 as a part of the contract. If you fall into this category, then you must meet the minimum security standards and incident reporting requirements specified by NIST 800-171.

What is in scope for DFARS requirements?

DFARS is specifically tailored to the safeguarding of contract specific information that contractors and subcontractors obtain, transmit, process, and/or store. All information systems, people, locations, technology assets, and applications involved in the handling of Covered Defense Information (CDI).

What is NIST SP 800-171?

NIST SP 800-171 was designed to establish guidelines for an organization that is working with the government and possesses Controlled Unclassified Information (CUI). Within this NIST publication, 109 specific security controls that are derived from NIST SP 800-53 are called out that are required to be in place for any organization required to be DFARS compliant.

What are “CDI” and “CUI”?

Covered Defense Information and Controlled Unclassified Information. Both are defined as a broad range of any sensitive but unclassified information that is provided to the contractor by the DoD. This information includes anything pertaining to the specific contract and/or any information that the contractor gathers, creates, receives, and/or transmits in order to satisfy the contract requirements.

When is my company required to be DFARS compliant?

From the time you are awarded a contract (prior to October 1, 2017), you have 30 days to report your current DFARS compliance status to the DoD Chief Information Officer (CIO) by submitting a PoAM.  Any non-compliant controls must be remediated as soon as possible.

What is a “P0AM”?

A Plan of Actions & Milestones is a list of all non-compliant controls, the planned remediation efforts, and the timeline for implementation.

DFARS compliance, while in its early stages, looks like it is here to stay. While there are still many unknowns surrounding the enforcement of current requirements, it’s important for all contractors that are working with CUI or considering bidding on federal contracts in the future to make sure they are prepared to take steps to meet and report on their compliance.