What is DFARS?
DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a set of regulations that apply to all U.S. Department of Defense (DoD) contracts and subcontracts.
The regulations are designed to ensure that the DoD receives quality goods and services at fair and reasonable prices. The DFARS has been in effect since 2003 and is updated regularly.
DFARS cybersecurity requirements
The DFARS contains a set of cybersecurity requirements that contractors must meet to be considered compliant with the DoD’s cybersecurity regulations. These requirements include:
- Establishing a cybersecurity program that includes specific security controls and processes to protect data and systems from unauthorized access, misuse, disruption, or destruction.
- Ensuring that all personnel and contractors with access to DoD systems or data are properly trained and have the necessary security clearance.
- Implementing a system of risk assessment and management to identify, assess, and mitigate risks associated with DoD systems and data.
- Ensuring that all DoD systems and data are properly protected from unauthorized access, use, or disclosure.
- Developing and implementing a plan to respond to cyber attacks and other incidents that could threaten DoD systems or data.
- Implementing audit and accountability measures to ensure the security of DoD systems and data.
DFARS compliance requirements
There are three ways contractors can comply with the DFARS (ranging from basic to intensive):
- Contractors can self-verify their DFARS compliance and confirm they have implemented NIST SP 800-171 security controls.
- A third-party organization can audit the contractor externally, or certify that the contractor has met the requirements for certification.
- A federal team can be dispatched to inspect the contractor’s security plan.
The first level is the easiest to implement but lacks the credibility that the other two levels provide. The third level is only available to certain contractors.
The second level can be achieved by gaining certification through a third party. ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). An ISMS is a system of processes, documents, and technology that helps manage, monitor, audit, and improve your organization’s information security.
Start your compliance journey today
Download our free green paper to learn more about the NIST Cybersecurity Framework and ISO 27001, and how to get started on compliance.