Any organization that contracts with the DoD or any other federal agency is required to be DFARS compliant. This executive order was issued by the White House (EO 13556) in November 2010 and had a deadline of December 31, 2017 to become compliant. The DoD is strict about this and makes sure to audit all of there suppliers from the top to the bottom of the supply chain. If a supplier is non-compliant they will receive a stop-work order from the DoD or in some cases face fines, legal allegations, or be permanently banned from biding on future work with the DoD.
What Is FARS?
Federal Acquisition Regulation (FARS) or otherwise know as FAR 52.204.21 is a contract clause “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.” Within FARS it lists fifteen requirements that all contractors must meet in order to work with the federal government. These requirements are designed to protect Federal Contract Information (FCI) and Covered Contractor Information Systems (CCIS). In other words, this includes information and information systems that is “not intended for public release” related to contracts, financial statements, and design specs that the contractor may handle over the course of their project.
Even if your company does not currently contract with the federal government, being able to demonstrate FAR 52.204.21 compliance puts you in a position to accept contracts in the future. More importantly, the guidelines follow best practices for cybersecurity, and are useful to any company looking to enhance their cybersecurity posture.
What Is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) 52.204-7012 is a cyber security regulation that the DoD and other Federal agencies impose on third-party contractors. DFARS requirements are put in place to supplement the existing Federal Acquisition Regulation (FAR) requirement. DFARS is based on the National Institute of Standards and Technology (NIST), specifically NIST SP 800-171. Any prime or sub contracts who is non-compliant with DFARS will end up losing all current contracts and will not be awarded any new contract with the DoD. Also, there will be a requirement show proof of DFARS compliance to bid on DoD and other federal government contracts.
Basically, the DoD published a DFARS Interim Rule on September 2020 that established three new DFARS 70 series requirements. These were developed to protect the confidentiality of “Controlled Unclassified Information” (CUI). They included, DFARS 252.204-7019, DFARS 252.204-7020, and DFARS 252.204-7021.
- DFARS 252.204-7019 is the Notice of NIST SP 800-171 DoD Assessment Requirements that mandates that DIB contractors undergo self-assessments that meet the NIST SP 800-171 DoD Assessment Methodology at least every three years. Summary level scores of these assessments shall be posted in the DoD Supplier Performance Risk System (SPRS).
- DFARS 252.204-7020 is the NIST SP 800-171 DoD Assessment Requirements requires that the DIB contractor provide access to their facilities, systems, and personnel when DoD is conducting a Medium or High NIST SP 800-171 assessment.
- DFARS 252.204-7021 is the Cybersecurity Maturity Model Certification (CMMC) Requirements, 7021 stipulates that the DIB contractor shall have current (not older than 3 years) CMMC certificate at the CMMC level required for the contract and maintain the CMMC certification at the required level for the duration of the contract.
Penalties For Non-Compliance
The DoD takes non-compliance very seriously. In turn, the DoD/Government can terminate your contract immediately or issue a stop work order if an audit determines your company is not compliant with DFARS or NIST 800-171.This stop work order will create a domino affect if you are a prime contractor where all your current sub-contractors will be forced to suspend any operations until you implement security measures that provide adequate protection for CUI. Also, if you are a subcontractor your prime may chose to find someone else to fill your spot in the supply chain. All in all non-compliance will have a severe impact on your revenue and your bottom line.
The DoD can also impose financial penalties. Including damages for false claims, under the civil False Claims Act (FCA) or for a breach of contract. In addition, the civil False Claims Act (FCA) is a commonly used form of prosecution by the Department of Justice (DOJ) and the worst part is that no proof of specific intent to defraud is required. The FCA is defined as any person (or entity) who knowingly presents, or causes to be presented, a false or fraudulent claim to the government is liable for this action. In addition, contractors will lose all current contracts with the DoD. Worst case scenario, the DoD will suspend or permanently bar you (the contractor) from ever working with them again. NIST SP 800-171 guidelines provide more information on the importance of compliance to the DoD. This is why it is very important to make sure your cybersecurity measures are in place and you get an expert to ensure your compliant.
Minimum Requirements For DFARS
even though cybersecurity and compliance are complex, the DoD has kept the requirements on contractors fairly easy to comprehend. To meet the minimum requirements, DoD contractors/subcontractors must:
- Provide appropriate security to safeguard covered defense information, otherwise known as CDI, that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure.
- Report cyber incidents within 72 hours or less and cooperate with the DoD to respond to these security incidents, including providing access to any affected media, systems, or any other items that would be applicable.
- If your a DOD contractor and need to report a cyber incident go to https://dibnet.dod.mil/portal/intranet/#reporting-2/ or contact the DoD Cyber Crime Center (DC3) at:
DFARS Control Families
There are 14 basic Control families in DFARS which are also a part of the NIST SP 800-171 Framework. Furthermore, completing these requirements will be a good start toward achieving DFARS/NIST compliance. The 14 requirements are listed below:
- Access Controls – Limit access to authorized users.
- Awareness & Training – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Audit and Accountability – Verify controls on connections to external information systems.
- Configuration Management – Impose controls on information that is posted or processed on publicly accessible information systems.
- Identification and Authentication – Authenticate or verify the identities of users, processes, and devices before allowing access to an information system.
- Incident Response – Develop a strategy and operations to detect, analyze, and respond to incidents.
- Maintenance – Identify, report, and correct information and information system flaws in a timely manner.
- Media Protection – Sanitize or destroy information system media containing Federal contract information before disposal, release, or reuse.
- Personnel Security – Escort visitors and monitor visitor activity, maintain audit logs of physical access, control and manage physical access devices.
- Physical Protection – Limit physical access by taking measures to protect buildings, systems, and supporting infrastructure from threats related to their physical environment.
- Risk Assessment – Assess organizational risk of possessing, transmitting, and storing CUI.
- Security Assessment – Tests and/or reviews your company’s operational, management, and technical security requirements.
- System and Communications Protection – Monitor, protect, and control communications at internal and external boundaries to prevent unauthorized transfer of CUI.
- System and Information Integrity – Ensures that the CUI being accessed has not been tampered with or damaged by a system error. Provide protection from malicious code at appropriate locations within organizational information systems
DFARS COMPLIANCE SERVICES -
At Praetorian Secure we offer solutions for prime and subcontractors looking to meet the DFARS 70 series or NIST 800 series compliance requirements. We have worked with many DoD contracts and before we were third party consultants we worked with the U.S Army as Agents of the Certification Authority (ACA). Our compliance experience is unrivaled and we know how to make complex compliance requirement easy to understand and achieve for our clients. Let our team of compliance experts help your organization by providing assessments, documents, remediation, and other services that will position your organization to be successful in the present and long into the future.
Review & Remediation
Compliance Monitoring & Maintenance
Includes SSP & POA&M
Achieving DFARS Compliance On Your Own Can Become Time Consuming And Expensive.
Hiring us as your DFARS consultant can make compliance a breeze.