Everything You Need to Know About the Defense Federal Acquisition Regulation Supplement (DFARS) Compliance
To protect our national critical infrastructure, the Department of Defense (DoD) requires every entity in its supply chain that handles Controlled Unclassified Information (CUI) to implement specific cybersecurity measures that reduce its exposure to cyberattacks. While these requirements may seem excessive to companies unfamiliar with them, the cybersecurity concerns behind them are real and justified. In 2020, Visser Precision, LLC, a supplier to Boeing and Tesla, was breached, and the cybercriminals posted stolen sensitive information on the dark web. Imagine the potential impact on our aerospace industry and our national defense!
To that end, all DoD contractors must comply with the Defense Federal Acquisition Regulation Supplement (DFARS), which is intended to fortify the more than 100,000 DoD contractors and subcontractors that make up the defense industrial base (DIB). In this article, we’ll discuss DFARS compliance, why it matters and how to become DFARS compliant.
What is the Defense Federal Acquisition Regulation Supplement?
The 2010 Presidential Executive Order 13556, “Controlled Unclassified Information (CUI),” inaugurated a federal cybersecurity program to ensure that all CUI is protected. In 2016, the DoD published the DFARS, an addendum to the Federal Acquisition Regulation (FAR).
The DFARS contains regulations, policies and other requirements governing government procurement in the United States. Several DFARS clauses exist; however, DFARS clause 252.204-7012 is the original cybersecurity-related clause. Under this clause, entities in the DoD supply chain must adopt the 110 security controls contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. NIST SP 800-171 can be found here.
If you have not yet implemented these security controls, you should begin with a gap analysis of your existing controls and draft a system security plan. This plan should document your company’s status against each of the 110 controls. Additionally, you must give a projected timeline for completing each control that is not yet in place.
The DFARS Interim Rule
Last year, the DoD announced a DFARS interim rule intended to make the adoption of NIST SP 800-171 security controls more efficient. The Interim Rule defines the pathway and requirements for companies that store, process or transmit Controlled Unclassified Information (CUI) to implement the NIST SP 800-171 controls, document their compliance and ultimately become certified under a cybersecurity maturity model. The DFARS Interim Rule includes the following clauses:
- 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements
- 252.204-7020, NIST SP 800-171 DoD Assessment Requirements
- 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement
Under this rule, all contractors and subcontractors must undergo a NIST SP 800-171 DoD Assessment and post their results to the Supplier Performance Risk System (SPRS). This assessment, also called a Basic Assessment, may be conducted by the DoD supplier itself; however, enlisting a cybersecurity partner such as SCA can streamline both the assessment and the adoption of the required controls. To be eligible to participate in a DoD contract, the assessment results in SPRS must have been updated within the last 3 years. For larger entities and prime contractors, the DoD may perform the assessment itself.
Once a contractor has satisfied the first two clauses of the Interim Rule, it can let the controls operate and mature for a period of time until a CMMC certification audit can be conducted.
Which Entities Need to Be DFARS Interim Rule Compliant?
Whether large or small, every DoD supplier that stores, processes or transmits CUI must meet the DFARS Interim Rule requirements. Doing so allows it to participate in DoD contracts and earn DoD revenue.
How to Achieve DFARS Interim Rule Compliance
- Self-Assess: The NIST SP 800-171 DoD Assessment
To check whether you meet the DoD security standards, perform the following actions:
  - Identify which system(s) contain CUI
  - Identify which employees have access to those systems
  - Complete a NIST SP 800-171 DoD Assessment. The NIST SP 800-171 DoD Assessment Methodology can be found here.
- Evaluate Gaps: Create a Plan of Action and Milestones (POAM)
The results of the NIST SP 800-171 DoD Assessment will identify the controls that are in place and those that are deficient or non-existent. For each control that needs to be addressed, your action plan should:
  - Identify the control owner
  - Define how the control will be implemented
  - List the resources needed to implement the control
  - Establish a target completion date
- Submit Your Assessment Results
There are two ways to submit your assessment results and other required information:
  - Upload them to the Supplier Performance Risk System (SPRS), or
  - Send them via encrypted email to email@example.com for posting to the SPRS
- Monitor and Re-Assess Controls
Over time, the people, processes and technologies an organization uses change, and those changes may affect the required NIST SP 800-171 controls. Have a plan to re-assess your controls regularly to ensure they are meeting their objectives and that your documentation reflects the actual state of practice.
- Schedule and Undergo Your CMMC Certification Audit
The final DFARS Interim Rule clause is 252.204-7021, Cybersecurity Maturity Model Certification. The DoD estimates that it will take five-plus years to get the DIB CMMC certified, so your certification is unlikely to happen quickly. The Interim Rule helps you get prepared and positioned for most of CMMC Level 3 (110 of its 130 practices). It is wise to start looking at the 20 additional practices now, which SCA routinely does for our clients.
DFARS Interim Rule Enforcement
On November 30, 2020, DoD Contracting Officers began including the new DFARS 252.204-7019 and 252.204-7020 clauses in all solicitations and contracts, with some exemptions, such as commercial-off-the-shelf (COTS) items. The other enforcement vehicle is the DoD prime contractors themselves, who are responsible for ensuring that their subcontractors have also met these requirements. Primes may not award contracts to subcontractors that have not met the NIST SP 800-171 security requirements.
SCA Offers DFARS Compliance Services
As a contractor, achieving DFARS compliance can be a daunting task, especially if you run a small firm. A 2017 audit revealed that only 60% of DoD contractors were DFARS compliant. While alarming, these findings aren’t surprising considering that small business contractors have very few IT staff and resources.
Thankfully, the Security Compliance Associates team can help you achieve DFARS compliance. Our team has more than 16 years of experience delivering world-class cybersecurity assessment and advisory services to commercial and government organizations. This experience is backed by graduate degrees, leading cybersecurity certifications and the latest tools, and it lets us deliver a wide array of cybersecurity services, including NIST SP 800-171 assessments, risk assessment programs and gap analyses that determine your information security posture. That’s not all! Our breach notification guide keeps you informed about each state’s breach notification laws. Are you working towards becoming DFARS compliant? Reach out to us at (727) 571-1141 to start your DFARS compliance journey.