You're probably familiar with the Federal Acquisition Regulation (FAR). It's pretty much the rule book for federal contracting on both sides of the table. If you're looking to set up shop with the Department of Defense (DoD), you're going to want to get familiar with a supplement of FAR called DFARS and learn how to maintain DFARS compliance.
Spoiler Alert: It's a time consuming process (but it's worth it).
If you're new to federal contracting or interested in working with the DoD, let this post serve as an outline or introduction to DFARS compliance. DFARS, much like FAR, is massive. There are tons of requirements depending on what products or services you offer. We can't go into every little detail for every situation, so we're going to cover the basics :
- What is DFARS?
- Who can work with the DoD?
- The DFARS compliance checklist.
- Failure for DFARS compliance.
- Options for becoming DFARS compliant.
What is DFARS?
Government contracting is the most heavily regulated sector in the U.S. economy. FAR pretty much sets up the rules for agencies and contractors alike. However, if you know a thing or two about the U.S. federal government, there are numerous amounts of departments, agencies, and bureaus for just about everything.
FAR does cover a lot of ground, but there are further supplements needed for the particular agencies. As you probably could have guessed, there are a lot of added security measures needed to work with the DoD. That's why there's DFARS to further regulate this area of government contracting. In some cases, DFARS even deviates from FAR.
You can find the full set of regulations right here.
Who can work with the DoD?
The first thing you need to do in order to work with the DoD is to get registered in the System for Award Management (SAM). This database is a requirement for all businesses seeking to perform contracts with the federal government. This registration also applies to entities looking for federal grants as well.
Also, businesses located outside of the U.S. can work on some opportunities with the DoD. DFARS outlines "DFARS Countries" which means if your entity is based in one the designated nations on their list, you are eligible for DoD contracting.
The second general requirement for DFARS compliance pertains to cybersecurity. Again, depending on what products or services you offer, there will be different regulations you will have to adhere to. The cybersecurity requirements apply all across the board...even subcontractors.
Published in 2015, revisions to DFARS 252.204-7012 (sometimes referred to as DFARS 7012), requires all DoD contractors and subcontractors to:
- Safeguard covered defense information
- Report cyber incidents
- Submit malicious software
- Facilitate damage
The DFARS Compliance Checklist
As you probably already guessed, requirements for DFARS compliance is much more specific than just four lines. Here's a breakdown of what each item means for DoD contractors.
Safeguard Covered Defense Information
You can't just tell the DoD that your business is safe from cyber threats. The specific requirements for safeguarding defense information are outlined in the National Insitute of Standards and Technology's (NIST) Special Publication 800-171. This will probably be the most time-consuming requirement for working with the DoD. But remember, think of this as an investment to your business rather than just another cost. There's a lot of money to be made in defense contracting and subcontracting.
The requirements include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Report Cyber Incidents
You can have the best cybersecurity practices in place and still face issues. What's important is that you know how to report such incidents to the DoD. After you have conducted a review for evidence of compromise, visit the Defense Industrial Base Cybersecurity Information Sharing Program's site at:
As soon as possible, submit an Incident Collection Form (ICF).
Submit Malicious Software
This requirement will also be another action you need to take to remain DFARS compliant. To submit the malicious software to the DoD Cyber Crime Center (DC3), access the Malware Submission Form at:
That link probably didn't work for you. That's because you will need a DoD-approved PKI certificate. When the time comes, you can download one for your computer right here.
Facilitate Damage Assessment
If the DoD decides to conduct a damage assessment, they will request that the contractor or subcontractor provides all media and damage assessment information to the contracting officer. Simply comply with this request and you will keep your DFARS compliance.
Failure for DFARS Compliance
As it should come with no surprise, failing to comply with government regulations comes with its penalties. If you are a DoD contractor, you will be audited by them. They take DFARS compliance and cybersecurity very seriously. If you are not compliant, you might:
- Face a Stop Work Order.
- Have all of your DoD contracts terminated.
- Get banned from working with the DoD.
Becoming DFARS Compliant
Here's the simple rundown for obtaining DFARS compliance. If you know complete the requirements yourself without any mistakes, then go ahead. This includes SAM, cybersecurity, and industry-specific conditions. Everyone else will need to bring in the big guns.
For your SAM.gov registration or other certifications, you're going to want to work with a third-party government contracting firm. These are businesses that assist contractors with their requirements. Very few of them can actually help you write
For all the cybersecurity requirements, you're going to have to subcontract a company that specializes in this field. There are even some that help DoD contractors and subcontractors specifically for helping with DFARS 252.204-7012 requirements.