What is the DFARS (Defense Federal Acquisition Regulation Supplement)?
The DFARS is a DoD (Department of Defense)-specific supplement to the FAR (Federal Acquisition Regulation). It provides acquisition regulations that are specific to the DoD. DoD government acquisition officials and contractors and subcontractors doing business with the DoD must adhere to the regulations in the DFARS.
The DFARS contains:
- Requirements of law
- DoD-wide policies
- Delegations of FAR authorities
- Deviations from FAR requirements
- Policies and procedures that have a significant effect on the public
DFARS cybersecurity requirements
The cybersecurity requirements under the DFARS mandate that DoD contractors and subcontractors must implement controls that are specified in the NIST SP (Special Publication) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” CUI (Controlled Unclassified Information) requires safeguarding in accordance with applicable laws, regulations, and policies.
All contractors and subcontractors processing, storing, or transmitting CUI need to meet minimum security standards specified in the DFARS. Failing to meet these standards can end up in the loss of contracts with the DoD.
Achieving compliance with the DFARS
There are three ways contractors can comply with the DFARS (ranging from basic to intensive):
- Contractors can self-assess their compliance, and make an attestation that they are complying with the DFARS and have implemented the NIST SP 800-171 security controls
- A third-party organization can provide external auditing on the contractor or certification that the contractor has met the requirements for certification
- A federal team can be dispatched to inspect the contractor’s security plan
The first level is the easiest to implement but lacks the credibility that the other two levels provide. The third level is only available to certain contractors.
The second level can be achieved through gaining certification by a third party such as ISO 27001 certification. ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). An ISMS is a system of processes, documents, and technology that helps manage, monitor, audit, and improve your organization’s information security.
Start your compliance journey today
Download our free green paper to learn more about the NIST Cybersecurity Framework and ISO 27001, and how to get started on compliance.