DFARS Compliance

Businesses of all sizes are striving to comply with the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS compliance is a complex area, and it can be difficult for an organization to know whether it is actually in compliance.

Brightline IT has a deep understanding of DFARS compliance requirements and can help your organization ensure compliance. We can provide expert guidance on all aspects of DFARS, including developing and implementing policies and procedures, training employees, and assessing your organization’s risk.

The Defense Federal Acquisition Regulation Supplement (DFARS) to the Federal Acquisition Regulation (FAR) is administered by the Department of Defense (DoD). The DFARS implements and supplements the FAR. The DFARS contains requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that have a significant effect on the public. The DFARS should be read in conjunction with the primary set of rules in the FAR.

What is FAR?

Contracts with the federal government are a major source of business for many companies. Unfortunately, many businesses miss out on these contracts because they cannot demonstrate adequate cybersecurity compliance. That demonstration is required not only of prime (Tier 1) contractors but also of many subcontractors further down the supply chain who supply parts or handle sensitive information on the contract's behalf.

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) lists fifteen safeguarding requirements that all contractors must meet in order to work with the federal government. These requirements are designed to protect Federal Contract Information (FCI): information, not intended for public release, that is provided by or generated for the government under a contract, such as contract documents, financial statements, and design specifications the contractor handles over the course of a project.

The 15 FAR basic safeguarding requirements correspond to a subset of the security requirements in NIST SP 800-171 Revision 2 (they map to 17 of its 110 controls), and meeting them is a good first step toward broader DFARS/NIST SP 800-171 compliance.

Even if your company does not currently contract with the federal government, being able to demonstrate FAR 52.204-21 compliance puts you in a position to accept contracts in the future, even on short notice. More importantly, the requirements reflect basic cybersecurity hygiene (access control, identification and authentication, media sanitization, physical protection, boundary protection, malware defense, and patching), so they are useful to any company that wants to strengthen its security posture.

What is DFARS Compliance?


Defense contractors whose information systems process, store, or transmit Covered Defense Information (CDI) must comply with the Department of Defense (DoD) Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The clause requires "adequate security" for CDI, defined as implementing the security requirements of NIST SP 800-171; it also requires that cyber incidents affecting CDI be reported to DoD within 72 hours of discovery, and it sets conditions for using cloud service providers to store or process CDI (including a FedRAMP Moderate baseline or equivalent). The clause is included in DoD solicitations and contracts other than those solely for commercially available off-the-shelf (COTS) items, and it must be flowed down to subcontractors that handle CDI.

In September 2020, DoD published a DFARS interim rule (DFARS Case 2019-D041, effective November 30, 2020) that added three new DFARS clauses building on the original DFARS Clause 252.204-7012:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, requires the DIB contractor to have a current (not more than three years old) Basic (self-) assessment conducted under the NIST SP 800-171 DoD Assessment Methodology. The summary-level score of that assessment must be posted in the DoD Supplier Performance Risk System (SPRS) before contract award.
  • DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, requires the DIB contractor to provide the government access to its facilities, systems, and personnel when DoD conducts a Medium or High NIST SP 800-171 assessment, and to flow the requirement down to subcontractors that handle CUI.
  • DFARS 252.204-7021, Cybersecurity Maturity Model Certification (CMMC) Requirements, stipulates that the DIB contractor hold a current (not older than three years) CMMC certificate at the CMMC level required by the contract and maintain certification at that level for the duration of the contract.

These changes mean that a standalone self-attestation of compliance with DFARS 252.204-7012 by a Defense Industrial Base (DIB) contractor is no longer sufficient to meet DoD contractual requirements. Instead, DIB contractors must furnish both a NIST SP 800-171 assessment score posted in SPRS and, as the CMMC clause is phased into contracts, a CMMC certification at the level the contract specifies; whether that certification can be a self-assessment or must come from an independent third-party assessor depends on the required level under the final CMMC rule.

How can Brightline IT Help?

Brightline IT can help businesses with DFARS compliance by providing tools and services that protect intellectual property and controlled unclassified information, support incident reporting obligations, and reduce the risk of fraud and corruption. We can also help businesses track and trace their products and services and meet other compliance standards. For more information about how we can help your business, contact us today.
Contact us: (248) 886-0248