DFARS Compliance: The 2019 Guide

Jan 14, 2019 9:42:47 AM / by USFCR

You're probably familiar with the Federal Acquisition Regulation (FAR). It's pretty much the rule book for federal contracting on both sides of the table. If you're looking to set up shop with the Department of Defense (DoD), you're going to want to get familiar with a supplement of FAR called DFARS and learn how to maintain DFARS compliance.

Spoiler Alert: It's a time-consuming process (but it's worth it).

If you're new to federal contracting or interested in working with the DoD, let this post serve as an outline or introduction to DFARS compliance. DFARS, much like FAR, is massive. There are tons of requirements depending on what products or services you offer. We can't go into every little detail for every situation, so we're going to cover the basics:

What is DFARS?

Government contracting is the most heavily regulated sector in the U.S. economy. FAR pretty much sets up the rules for agencies and contractors alike. However, if you know a thing or two about the U.S. federal government, there are numerous departments, agencies, and bureaus for just about everything.

FAR does cover a lot of ground, but particular agencies need further supplements. As you probably could have guessed, there are a lot of added security measures needed to work with the DoD. That's why there's DFARS to further regulate this area of government contracting. In some cases, DFARS even deviates from FAR.

You can find the full set of regulations right here.

Who can work with the DoD?

The first thing you need to do in order to work with the DoD is to get registered in the System for Award Management (SAM). This database is a requirement for all businesses seeking to perform contracts with the federal government. This registration also applies to entities seeking federal grants.

Also, businesses located outside of the U.S. can work on some opportunities with the DoD. DFARS outlines "DFARS Countries," which means that if your entity is based in one of the designated nations on their list, you are eligible for DoD contracting.

The second general requirement for DFARS compliance pertains to cybersecurity. Again, depending on what products or services you offer, there will be different regulations you will have to adhere to. The cybersecurity requirements apply across the board, even to subcontractors.

Revisions to DFARS 252.204-7012 (sometimes referred to as DFARS 7012), published in 2015, require all DoD contractors and subcontractors to:

  1. Safeguard covered defense information
  2. Report cyber incidents
  3. Submit malicious software
  4. Facilitate damage assessment

The DFARS Compliance Checklist

As you probably already guessed, the requirements for DFARS compliance are much more specific than just four lines. Here's a breakdown of what each item means for DoD contractors.

Safeguard Covered Defense Information

You can't just tell the DoD that your business is safe from cyber threats. The specific requirements for safeguarding defense information are outlined in the National Institute of Standards and Technology's (NIST) Special Publication 800-171. This will probably be the most time-consuming requirement for working with the DoD. But remember, think of this as an investment in your business rather than just another cost. There's a lot of money to be made in defense contracting and subcontracting.

The requirements include:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Report Cyber Incidents

You can have the best cybersecurity practices in place and still face issues. What's important is that you know how to report such incidents to the DoD. After you have conducted a review for evidence of compromise, visit the Defense Industrial Base Cybersecurity Information Sharing Program's site at:

https://dibnet.dod.mil/portal/intranet/

As soon as possible, submit an Incident Collection Form (ICF).

Submit Malicious Software

This is another action you need to take to remain DFARS compliant. To submit the malicious software to the DoD Cyber Crime Center (DC3), access the Malware Submission Form at:

https://dcise.cert.org/icf/

That link probably didn't work for you. That's because you will need a DoD-approved PKI certificate. When the time comes, you can download one for your computer right here.

Facilitate Damage Assessment

If the DoD decides to conduct a damage assessment, they will request that the contractor or subcontractor provide all media and damage assessment information to the contracting officer. Simply comply with this request and you will keep your DFARS compliance.

Failure for DFARS Compliance

As should come as no surprise, failing to comply with government regulations carries penalties. If you are a DoD contractor, you will be audited by them. They take DFARS compliance and cybersecurity very seriously. If you are not compliant, you might:

  • Face a Stop Work Order.
  • Have all of your DoD contracts terminated.
  • Get banned from working with the DoD.

Becoming DFARS Compliant

Here's the simple rundown for obtaining DFARS compliance. If you can complete the requirements yourself without any mistakes, then go ahead. This includes SAM, cybersecurity, and industry-specific conditions. Everyone else will need to bring in the big guns.

For your SAM.gov registration or other certifications, you're going to want to work with a third-party government contracting firm. These are businesses that assist contractors with their requirements. Very few of them can actually help you write proposals and provide other services to give you a competitive edge.

For all the cybersecurity requirements, you're going to have to subcontract a company that specializes in this field. There are even some that specialize in helping DoD contractors and subcontractors with DFARS 252.204-7012 requirements.

Written by USFCR

US Federal Contractor Registration (USFCR) is the largest and most trusted full-service Federal consulting organization. USFCR also provides set-aside qualifications, including women-owned, veteran-owned, disadvantaged (8a), HUBZone, and other federal contracting services, technology, and training.