What Is DFARS and What Does it Mean to Be Compliant?

What Is DFARS and What Does it Mean to Be Compliant?

All companies are subject to an extensive set of regulations that relate to important aspects of their business. Noncompliance carries severe punishment or even the risk of discontinued business operations. 

But dealing with the federal government as a defense contractor features additional requirements that firms in the private sector may not experience. One such emerging field is the need to introduce stricter legislation in the area of cybersecurity in response to the more complex cyber threats of today.

The Defense Federal Acquisition Regulation Supplement (DFARS) is the set of regulations that aim to prioritize the security of organizations and their customers. First, let’s look at what DFARS encompasses and then consider how a contractor can achieve compliance.

What is DFARS?

DFARS was published by the Department of Defense (DoD) in 2015. The main purpose of DFARS is to protect the confidentiality of Controlled Unclassified Information (CUI)—regulations apply to all DoD contractors.

The DFARS assessment is in the process of shifting toward CMMC certification, which is a third-party certification system that will no longer allow contractors to self-certify. CMMC certification will be required to bid on all requests for proposals starting in late 2020. In the meantime, it’s smart to know your facts about DFARS so you can best prepare to transition into the new certification system.

What is CUI?

Before considering the ramifications of a DFARS compliance audit, it’s essential to note what exactly constitutes CUI. In short, CUI is simply information that is sensitive and in the interests of the United States but is not strictly regulated by the Federal government.

CUI includes any potentially sensitive and unclassified information in need of controls in place that define methods for safeguarding or dissemination. Each federal agency has provided a public registry of categories and subcategories of CUI and determines why information is considered CUI.

Who Needs to Be DFARS-Compliant?

Anyone who does contract work for the DoD and other federal agencies is required to be DFARS-compliant. Whether you belong to one of the larger defense contractors or a smaller organization, becoming DFARS-compliant is a must. And even if you do not currently engage in any work for the DoD, you can take advantage of future opportunities by becoming DFARS-compliant.

What Is NIST 800-171?

The National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) is a collection of regulations that govern CUI in Non-Federal Information Systems and Organizations. NIST 800-171 establishes a set of standards that apply to safeguarding and distributing data that is considered sensitive but not classified.

NIST 800-171 seeks to enhance cybersecurity; it was established following several well-documented breaches in various federal agencies.

A revised version of NIST compliances was introduced in 2017, which requires anyone working with CUI as part of the DoD, General Services Administration (GSA), or National Aeronautics and Space Administration (NASA) to adopt security measures in handling data.

Federal regulations, including the DFARS clause 252.204-7012, require that all companies that handle CUI must assess and document their compliance in many critical areas.

14 Key Points of NIST 800-171


All contractors that deal with CUI are required to pass a DFARS compliance audit and introduce security protocols in 14 critical areas. These areas include:

  • Audit and Accountability
  • Awareness and Training
  • Access Controls
  • Incident Response
  • Identification and Authentication
  • Configuration Management
  • Media Protection
  • Maintenance
  • Personnel Security
  • Physical Protection
  • Security Assessment
  • Risk Assessment
  • System and Information Integrity
  • System and Communications Protection

To comply with NIST 800-171, any contractor that stores, transmits, or processes CUI for the GSA, NASA, DoD, or any other state or federal agency must meet a number of strict standards. This process requires all contractors to assess networks and procedures to ensure that adequate security measures are in place. The failure to achieve NIST 800-171 compliance could result in the severance of contracts and severely damage work relationships with federal agencies.

What Are the Basic Conditions to Comply with DFARS?

There are several basic requirements in meeting a DFARS compliance audit. These include:

  • Adopting 79 fundamental security protocols
  • Providing effective intrusion monitoring as well as disclosing incidents
  • Introducing cyber incident reporting and analysis
  • Ensuring the proper handling of all information relating to OpSec Information, Export-Controlled Information, and Controlled Technical Information as well as all other data related to contracts regardless of the location

What Are Some of the Challenges in Becoming Compliant?

The process of compliance must begin with a comprehensive security assessment. It is imperative to identify the location of sensitive information. It is best to create a compliance team to monitor CUI and include all staff members in all processes. Though there are no guidelines outlined for the DFARS assessment, you should plan on running a security assessment two times or more per year, in addition to whenever your company implements any changes to relevant operations.

In addition, you must restrict access controls as subject to the standards expressed in NIST SP800-171. Given the extensive nature of cloud-based systems and most breaches are initiated by stolen login credentials, this is a crucial step in becoming DFARS-compliant. The principle of least privilege can help mitigate any risks and foster compliance, as having employees only accessing any data required for their jobs will limit any potential difficulties.

Staff training and awareness are also critical elements to ensure DFARS compliance. Data leaks and breaches most often occur due to human error. Social engineering attacks such as phishing further highlight the need to make sure your staff is aware of risks and capable of mitigating these risks.

Becoming Compliant Takes Time

It can take months to become fully compliant. The first step is to understand what DFARS is and conduct a DFARS assessment. It is crucial that you learn the minutiae of the extensive list of regulations that apply to contractors working with federal agencies. In the end, becoming compliant not only meets the legal requirements of being a DoD contractor but also provides your partners assurance in knowing that their information is adequately protected and managed.

You have help available in complying with DFARS and NIST 800-171.  A professional organization knows precisely how organizations can best comply with their standards. The experts at Charles IT can help you achieve the additional security needed for DFARS compliance while saving you costly investment in the process. Drop us a line today to get started on your path to compliance!

Get the DFARS Compliance Checklist

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”