DFARS Compliance Guide

By Scott Dawson
May 13, 2022


If you do contract work with the Department of Defense (DoD), you’ve probably heard about the coming CMMC cybersecurity requirements. But in the meantime, you have important cybersecurity requirements to meet right now—and the DoD is increasing contractor accountability. 

The DoD is now increasing the number of assessments performed for DFARS compliance. They want to see both a self-assessed cybersecurity score (SPRS score) and a System Security Plan (SSP). It’s more important than ever to meet the cybersecurity of requirements of DFARS. 

What Is DFARS?

DFARS is a defense-specific supplement to the Federal Acquisition Regulations (FAR). It exists to safeguard sensitive government information among contractors. Compliance has been mandatory since 2017, but low accountability allowed many contractors to ignore the requirements. 

Hackers have learned that it’s much easier to steal data from less-protected subcontractors than from heavily-guarded government networks. 

cyber security hackers

That’s why the DoD now requires advanced cybersecurity protections for any contractor who handles controlled unclassified information (CUI). Learn more about CUI. 

DFARS clause 252.204-7012 deals with “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This clause makes cybersecurity compliance a requirement for DoD contractors. It adopts the NIST SP 800-171 cybersecurity standard as the basis for this compliance.  

To comply with DFARS, you must demonstrate abilities such as: 

    • Adequate security to protect CUI that is stored in or transmitted through your systems. 
    • Rapid reporting of security breaches and cooperation with the DoD by granting them access to affected media and malicious software. 

To document your compliance, you must develop a System Security Plan (SSP) and submit a self-assessment score to the Supplier Performance Risk System (SPRS).  

The Benefits of DFARS Compliance

For DoD contractors, DFARS compliance brings some major benefits:  

    • DFARS compliance meets legal requirements. This is the most obvious advantage. In the past, the DoD has been lax with contractor cybersecurity assessments. But current signals suggest this won’t be the case for long. The DoD plans to increase assessments. 
    • DFARS compliance offers a competitive advantage. Meeting DFARS requirements gives your company an advantage over your competition. If you’re aiming for DoD contracts or subcontracts, compliance makes you ready to compete.
    • DFARS compliance verifies your competence: DFARS compliance ensures companies who work with the DoD keep sensitive data in the covered contractor information system confidential. 
    • DFARS compliance prepares you for future CMMC requirements. The latest version of CMMC (CMMC 2.0) has been adjusted to match the requirements of NIST SP 800-171. If you’re prepared for DFARS now, you’ll be prepared for CMMC in the future.  

DFARS 252.204-7012 vs. NIST 800-171

DFARS and NIST SP 800-171 are not the same. DFARS 252.204-7012 enforces NIST SP 800-171 as the security standard defense contractors must follow. 

If you handle CUI and you are required to implement NIST SP 800-171 , this DFARS clause applies to you. In NIST SP 800-171, you will find the security controls needed to keep CUI secure. 

Who Needs to Meet DFARS Compliance Requirements?

DFARS 252.204-7012 applies to defense contractors of any size who meet one or both of these criteria: 

    • They handle CUI. 
    • They sell products or services to the DoD or a DoD contractor. The only exception is commercial-off-the-shelf (COTS) products that have not been modified for defense use.

Simply put: if you want to win or keep DoD contracts, you need to be DFARS compliant. 

Military Jet representing DFARS Compliance

This applies to prime contractors and subcontractors. If you currently contract with the DoD and handle CUI, you should see DFARS 252.204-7012 referenced in your contract. 

What DFARS Compliance Means

Achieving DFARS compliance means more than meeting NIST requirements. The most recent DFARS additions (DFARS 252.204-7019 – 7020) lay out reporting requirements for contractors and give the DoD authority to assess systems as needed. 

Here’s a look at some of the additional requirements you must meet: 

    • Conduct a self-assessment against 110 security controls and submit your score to the SPRS database. 
    • Develop a system security plan (SSP) to explain how you meet the security requirements. 
    • Create a plan of action and milestones (POAM) to outline how the controls you haven’t implemented will be met. 

Meeting the DoD-required security level the DoD can be challenging. It requires continual assessment and improvement of your processes. You have several options for achieving and maintaining DFARS compliance, including: 

    • In-house resources. You can use your own team and resources to become DFARS compliant. NIST has a handbook for contractors who choose the in-house option. However, as the DoD increases accountability, many contractors will not have the expertise on hand to meet strict compliance. 
    • Work with cyber experts. You can also work with a third-party security provider. Registered Provider Organizations like Core Business Solutions are uniquely equipped to help you meet DoD cybersecurity rules. 

Penalties for Not Meeting DFARS Requirements

If you don’t meet DFARS requirements, you will not be able to keep your current contracts or win new ones. Even if you follow DFARS 252.204-7012, errors in your documentation or implementation could disqualify you from DoD contracts.  

But if you purposely or mistakenly present a false picture of your cybersecurity by submitting an inaccurate SPRS score, you could face greater consequences.  

spaceship for DFARS Compliance

The Department of Justice introduced the Civil Cyber-Fraud Initiative in late 2021. This initiative allows the federal government to wield the False Claims Act to recover damages from false cybersecurity claims.  

What does that mean for DoD contractors? If you claim DFARS compliance without actually implementing the correct controls, you could face major financial penalties. Learn more about the Civil Cyber-Fraud Initiative. 

Work With DFARS Experts

Most small businesses simply don’t have the resources and expertise to implement full DFARS compliance. That’s why we suggest handing the burden of cybersecurity to experts who know DFARS and know small business. Compared to overhauling your current networks and learning the technical ins and outs of cybersecurity, this option can save significant time and money. 

You want to work with experts who are: 

    • Experienced: You should work with experts who have experience helping companies like yours meet not just cybersecurity requirements but also government compliance requirements. 
    • Trustworthy: Even when you work with an external provider, your company will still be responsible for making sure your practices meet the requirements. You must be able to trust that your provider will get you there. 
    • Prepared: A qualified security provider will have all the resources you need to prove your compliance. They should provide resources like document templates for your SSP and gap analysis, tools for monitoring and responding to security events, methods for completing remediation steps, documentation to help you prove your compliance and more.

A good security provider has the qualifications and experience necessary to assess your current compliance and help you fill the gaps.  

Get a Free Quote for Our DFARS Solution Today

At Core Business Solutions, we provide a complete DFARS solution through CORE Vault™. This solution makes you compliant with DFARS right now and prepares you for CMMC 2.0 compliance in the near future. Our experts have used this solution to help contractors achieve a complete 110 SPRS score in as little as 30 days.  

With CORE Vault™, you can separate government data from your network and access it through a secure, cloud-based environment managed by our cyber experts. 

cyber security consultants

This environment comes ready-made for compliance with the DoD contracting requirements of DFARS, NIST SP 800-171, and CMMC 2.0.  CORE Vault™ also includes the support needed to reach full compliance with the non-technical cybersecurity requirements, such as your system security plan and required policies. 

Our own cyber experts manage CORE Vault™ for you, removing the burden of cybersecurity so you can focus on your business. 

Core Business Solutions has more than 20 years of experience helping small businesses achieve success. When you work with us, our experts become your experts. 

Related Articles:

Cyber Hygiene Practices for Every User

Cyber Hygiene Practices for Every User

What is Cyber Hygiene? Cyber hygiene refers to the practices and measures individuals and organizations take to maintain good digital health and security. Just like personal hygiene routines keep us...

CMMC 2.0 Certification Costs

CMMC 2.0 Certification Costs

Do I Need CMMC? Cybersecurity Security Model Certification (CMMC) will soon be required for all Department of Defense contractors. Whether you are a major corporation or a small manufacturer, you’ll...

What Are FCI and CUI? NIST/CMMC Explained

What Are FCI and CUI? NIST/CMMC Explained

If you contract or subcontract with the U.S. Department of Defense (DoD), you’ve probably heard the terms “FCI” and “CUI.” These acronyms relate to different types of sensitive information....