DFARS Cybersecurity: Requirements and Compliance

DFARS Cybersecurity: Requirements and Compliance

Businesses that work with the Department of Defense (DoD) understand that there are precise controls for systems that utilize classified data. What might not be as well known are the specifications for DFARS (Defense Federal Acquisition Regulation Supplement) and the compliance that applies to unclassified information. 

DFARS compliance includes systems operated by or for a contractor, including processes, storage, and transmission of defense information. Security controls must be expanded to incorporate coverage for these additional systems—these changes can have a significant impact on how your business functions.

What is DFARS Cybersecurity?

Many federal contractors process, store, and transmit sensitive federal information to support various federal agencies. Content is usually related to financial services, web, electronic mail services, security clearances, healthcare data, cloud services, communications, and satellite or weapons systems.

The DoD created DFARS cybersecurity to protect military secrets from attackers who are driven to steal this information. Leaks of this secure data would compromise military activities as well as the safety of U.S. citizens. Most of this information has been classified as top secret, but there is information that's less sensitive, yet still requires protection.

The DoD requires both prime and subcontractors to use this important but less sensitive information in their IT networks. These contractors have to be on alert at all times to safeguard the information they've been entrusted with. In spite of their best efforts, contractors can unintentionally allow big gaps in the data protection system when information is stolen through the manipulations of outside organizations. 

DFARS cyber compliance was created to fill in those gaps. DFARS protects the unclassified DoD information living on a contractor’s internal information system so that it can be protected from cyber incidents. Any consequences associated with the loss of contractor information can be assessed and minimized through the utilization of the cyber incident reporting and damage assessment processes.

DFARS also requires defense contractors to comply with specific cybersecurity requirements detailed in NIST 800-171. These standards specify the proper manner in which Covered Defense Information (CDI) or Controlled Unclassified Information (CUI) must be handled and protected. 

Contractors who don’t manage CDI or CUI must get an exception and may still be held accountable for compliance with DFARS and NIST 800-171. Non-compliance with these guidelines may end in lost government business for those contractors.

NIST 800-171 Compliance Requirements 

The National Institute of Standards and Technology (NIST), located in the US Department of Commerce, develops guides and standards related to data security. The group has published a special set of security standards called the NIST 800-171, which serves as a guideline for protecting the confidentiality of CUI in organizations outside of the federal government. Contractor adherence to these guidelines helps the federal government carry out military strategies as well as business operations.

DFARS requires the following conditions to be met in order to achieve adequate compliance:

  • Implementation of cyber incident analysis and reporting

  • Adoption of 79 predefined security protocols

  • Coverage of all information, regardless of location, pertaining to Controlled Technical Information, OpSec Information, Export-Controlled Information, and anything specifically related to the contract that doesn’t fall into one of these categories

  • Adequate intrusion monitoring and disclosure

Before the development of NIST 800-171, outside contractors and agencies created their own methods for safeguarding sensitive material. NIST 800-171 standardized the handling, transmission, and disposal of this type of data, creating uniform methods to be implemented by companies working with the government.

The 14 Points of NIST 800-171

Contractor businesses that access CUI must verify compliance and implement security protocols for 14 important areas

Does Your Business Meet DFARS Cybersecurity Compliance?

Gaining DFARS compliance is critical because companies can’t do business with the DoD without it. In fact, achieving compliance can be the difference between thriving and not making the cut, so it’s important to take the appropriate steps to ensure your company meets the requirements. 

Maybe you’re a small business with inexperienced staff and no CFO or Controller. Perhaps you’d rather focus on what you’re best at and not concern yourself with regulations. Or maybe you are unsure of the regulations and don’t have confidence that your business is properly equipped.

What's Next? DFARS and CMMC

The DoD demands that all government contractors and subcontractors abide by DFARS regulations. In December 2020, DFARS transitioned to Cybersecurity Maturity Model Certification (CMMC). CMMC identifies different security controls to create a hierarchy of maturity levels so that the DoD and other government agencies align with contractors with the most appropriate maturity needs to execute on their needs.

Compliance, Security, and Trust

The protection of sensitive federal information while residing in nonfederal systems and organizations is paramount to federal agencies and can directly impact the ability of the federal government to carry out its designated missions and business operations.

Cybersecurity issues will only increase in the future, so the DoD will require proof positive that your business is set up for compliance, security, and trust.  Charles IT can help you achieve DFARS compliance and be positioned to earn lucrative DoD business. To learn more and to get a quote for CMMC services, contact us today!

Editor's Note: This blog was originally published on July 29, 2020 and was updated on June 27, 2023 for accuracy. 

Get the DFARS Compliance Checklist

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”