What is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) is administered by the U.S. Government’s Department of Defense (DoD). Implemented in 2017, DFARS is a supplement to the Federal Acquisition Regulation (FAR).

The DFARS specifies the legal requirements, DoD-wide policies, delegations of FAR authorities, and deviations from FAR requirements that contractors/subcontractors doing business with the DoD must adhere to.

The DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting defines covered defense information (CDI). It also specifies safeguards and cyber incident reporting requirements for cloud service providers, DoD contractors, and the defense industrial base whose information systems process, store, or transmit CDI.

Who Does DFARS Apply To?

DFARS requirements apply to all contractors doing business with the DoD and processing, storing, or transmitting Controlled Unclassified Information (CUI). 

Here, CUI refers to information held by or generated for the Federal Government that requires safeguarding or disseminating controls consistent with applicable law, regulations, or government-wide policies. 

Subcontractors selling equipment or parts to DFARS compliant contractors are also required to be DFARS-compliant.The DFARS also mandates that contractors and subcontractors implement the cybersecurity controls specified in the NIST SP (Special Publication) 800-171.

What is the Difference Between DFARS and CMMC?

According to the National Institute of Standards and Technology (NIST), the protection of CUI can “directly impact the ability of the Federal Government to successfully conduct its assigned missions and business operations.” This is why CUI is valuable information that must be appropriately handled and secured by defense contractors.

Like DFARS, the Cybersecurity Maturity Model Certification (CMMC) is also a framework for protecting Controlled Unclassified Information. It evaluates organizations based on five “maturity levels.” 

Any contractor or business working with the DoD must meet CMMC requirements and achieve CMMC certification. Achieving DFARS compliance can help defense vendors move up the maturity levels specified in CMMC. 

Also, the DoD will add CMMC standards into new DoD contracts until all entities have achieved at least CMMC Level 1 by October 1, 2025. That said, there are differences between the DFARS and CMMC that defense contractors and subcontractors must be aware of. 

The biggest is that they’re both assessed differently. CMMC compliance assessment is done by third-party assessment organizations (3PAOs), while DFARS requires vendors to perform a self-assessment to affirm that they have implemented the security controls from NIST 800-171. 

This security assessment should include a self-review of their information system security plan.

Why is DFARS Compliance Important?

As cyber threats evolve and become more serious, addressing them and mitigating their impact is essential for the Federal Government. In particular, the Government is focused on protecting CUI. And for this, it requires private contractors and other non-federal organizations to strengthen their security systems and reduce cyber risk.

The DFARS is intended to ensure that these contractors maintain cybersecurity standards according to the cybersecurity requirements laid out in the NIST SP 800-171. To stay ahead of cyber threats and protect the confidentiality of CUI, contractors must comply with DFARS. If they fail to do so, they may lose DoD contracts.

How to Get DFARS Certification

To achieve DFARS compliance, defense contractors and subcontractors must produce a:

  • System Security Plan (SSP)
  • Plan of Action and Milestones (POAM)
  • CUI Environment Management Team (CEMT)

They must also complete and submit self-assessments to the DoD. The self-assessment must cover 14 compliance requirements that must be met, including:

  • Regulate access control
  • Ensure audit and accountability controls
  • Maintain a configuration management system
  • Implement adequate identification and authentication systems
  • Implement cybersecurity awareness and training

Once the self-assessment is complete, the document is submitted to the DoD, performing an additional audit before certifying that the organization is DFARS-compliant. The vendor must then maintain DFARS certification by establishing a governance program, a data classification strategy, and an adequate security plan for cloud use.

Key Takeaways

  • DFARS specifies the legal requirements and policies that businesses working with the DoD must adhere to
  • All contractors/subcontractors processing, storing, or transmitting Controlled Unclassified Information (CUI) must achieve DFARS compliance
  • They must also implement the cybersecurity controls specified in the NIST SP (Special Publication) 800-171
  • DFARS and CMMC both address CUI protection. However, they differ in the way they ask for assessments
  • If DoD contractors are not DFARS-compliant, they may lose DoD contracts