A Guide to Understanding DFARS Requirements

A Guide to Understanding DFARS Requirements

Being a government contractor means having to comply with numerous regulations—including federal requirements to help safeguard against cyber attacks. With a dramatic increase in cyber threats today, it’s no surprise that this is one area that DoD contractors must examine carefully.

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that aims to enhance the security of organizations and their consumers. DFARS requirements are extensive, and compliance is critical for all government contractors.

DFARS was introduced by the Department of Defense (DoD) in 2015 to ensure the confidentiality of Controlled Unclassified Information (CUI). All DoD contractors must meet the DFARS compliance requirements.

The Cybersecurity Maturity Model Certification (CMMC) is a third-party certification system for assessing compliance with DFARS, and has been required since late 2020. All requests for proposals must meet the proper CMMC requirements.

Let’s take a closer look at the specific regulations guiding the DFARS requirements.

How Does NIST 800-171 Relate To DFARS?

The National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) is a set of regulations that specifically govern CUI in Non-Federal Information Systems and Organizations. NIST 800-171 requires standards to be applied to safeguard and distribute data that is considered sensitive, but not classified. It plays a crucial role in outlining DFARS compliance requirements.

What Are The Critical Areas Of NIST 800-171?

All contractors that handle CUI must be DFARS compliant and introduce security protocols covering the following 14 key areas:

Audit and Accountability

This protocol deals with how system logs provide valuable records. Specifically, this includes the protection, creation, review, and retention of system logs in providing feedback for information systems. In other words, contractors need to consider whether records are kept relating to authorized and unauthorized access to sensitive information and how violators can be identified.

Awareness and Training

This aspect deals with the degree of awareness relating to security risks inherent in user activities, and training staff on standards and procedures to perform their duties. This criteria will assess whether your staff possess the knowledge on how to handle and treat sensitive information.

Access Controls

This protocol refers to the need to restrict system access to authorized users. This level of control helps prevent data from being accessed by outside users and reduces the risk of information leaks. Consider which users are authorized to view system data and ensure that your systems reflect this restriction.

Incident Response

Another requirement is to create the ability to detect, contain, analyze, and respond to incidents in online systems. Contractors must develop a system to deal with any breach or security threat, which includes the need to follow proper notification directives.

Identification and Authentication

It is important to ensure that access is granted to intended users. Another requirement of effective security is to identify and authenticate all users and devices of the information system. Therefore, it is crucial to determine who is approved to access CUI and how these users are verified before they can access any sensitive information.

Configuration Management

Another DFARS requirement is to create a baseline configuration and a robust change management process in your system. Ask yourself how your networks and safety protocols are built and documented.

Media Protection

One of the DFARS compliance requirements is to manage the protection and destruction of all media that contain CUI. It is vital to examine how hard copy and electronic backups and records are stored as well as which users have access to these files.


It is essential to perform timely maintenance on all information systems. Questions to consider include: “Who is responsible for routine maintenance?” and “What timeline is in place for scheduled maintenance?”.

Personnel Security

For effective DFARS compliant information technology, contractors must employ systems that protect access to CUI. These systems should include screening users before authorizing their access to key systems and ensuring that systems remain secure following the termination of staff members.

Physical Protection

This component refers to the protection of the physical system. Specifically, this criteria considers the restrictions to physical access that include protecting and monitoring the physical facility and infrastructure of the information systems. It’s imperative to review who can access the systems, equipment, and storage environments and ensure the safety of the system.

Security Assessment

You must monitor, analyze, and deal with deficiencies and vulnerabilities in all organizational information systems. Security assessments require that you regularly test whether procedures and processes remain effective and consider whether improvements are needed.

Risk Assessment

For DFARS compliant information technology, you need to assess the operational risk for the processing, transmission, and storage of CUI. Determine whether your security measures are tested in simulations and if individuals and operations are verified frequently.

System and Information Integrity

This component covers many aspects of meeting the DFARS requirements. It is important to report, identify, and correct any problems in the information systems in a timely fashion. You must also take steps to protect systems from the introduction of malicious code and carefully monitor alerts and advisories of information security and take effective action.

System and Communications Protection

It's important to control, monitor, and protect data in all systems, as well as implement software development techniques, architectural designs, and system engineering principles that encourage effective system security.

Achieving DFARS Compliance

As a DoD contractor, meeting the DFARS requirements provides your partners the security of knowing that their information is sufficiently managed and protected. As you can see, the NIST 800-171 requirements guiding DFARS compliance are extensive. This overview is just the tip of the iceberg. While becoming DFARS compliant can take months to achieve, it doesn’t have to overwhelm your staff. The team at Charles IT is ready to help you meet the demands of DFARS compliance, so you can focus on doing what you do best, growing your business.

Easily Ensure Defense Contract Compliance

Meet data security benchmarks and maintain your contract without wasting time combing through stacks of legal language. With the help of Charles IT, you'll be able to quickly and easily comply with DFARS standards. Contact us today! 

Editors Note: This blog was originally published on July 17, 2020 and was updated June 27, 2023 for accuracy.

Get the DFARS Compliance Checklist

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”