The Defense Federal Acquisition Regulation Supplement, or DFARS, is the Department of Defense's supplement to the Federal Acquisition Regulation. Its cybersecurity clause, DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), sets security requirements that DoD contractors and their subcontractors must follow.
The Basics of DFARS Compliance
Cybersecurity is a pressing matter for all businesses, and government contractors are no exception. Cyber threats are becoming increasingly sophisticated, and defensive technology is constantly evolving to keep up. In response, the federal government places a heavy priority on the security of the contractors that handle its data.
In 2015 the Department of Defense added clause 252.204-7012 to DFARS, requiring contractors that store, process, or transmit covered defense information (CDI) on their own systems to implement the security requirements of NIST Special Publication 800-171, with full implementation required by December 31, 2017. All DoD contractors subject to the clause must meet these requirements, and flow them down to subcontractors that handle CDI, in order to obtain and keep contracts.
DFARS Minimum Requirements
Although data security can be quite complex, the Department of Defense keeps the contractual requirements relatively straightforward. At a minimum, contractors must do the following:
- Provide adequate security for any covered defense information that is processed, stored, or transmitted on their internal information systems, protecting it from unauthorized access or disclosure. For contractor-owned systems, "adequate security" means implementing NIST SP 800-171.
- Rapidly report any cyber incident that affects covered defense information or the contractor's ability to perform the contract, and cooperate with the Department of Defense in responding to it. This includes preserving images of affected systems and relevant monitoring data for at least 90 days, submitting any isolated malicious software to the DoD Cyber Crime Center (DC3), and giving the DoD access to affected media and information on request.
To be considered compliant with DFARS 252.204-7012, a contractor must implement the 110 security requirements of NIST SP 800-171 on every system that handles covered defense information, document that implementation in a system security plan, and track any unmet requirements in a plan of action and milestones. The requirements are grouped into 14 families:
System and Information Integrity
This involves identifying, reporting, and correcting information system flaws in a timely manner, protecting systems from malicious code, and monitoring security alerts and advisories and acting on them appropriately.
System And Communications Protection
This entails monitoring, controlling, and protecting communications at the external and key internal boundaries of the system, and applying architectural designs, software development techniques, and systems engineering principles that promote effective information security.
Media Protection
This governs the protection, marking, sanitization, and destruction of media that contains controlled unclassified information, and limits access to such media to authorized users.
Physical Protection
This involves limiting physical access to the physical facilities and support infrastructure used by the information systems and protecting and monitoring these systems.
Risk Assessment
This entails assessing the operational risk that is associated with the storage, transmission, and processing of controlled unclassified information.
Security Assessment
This refers to periodically assessing the security controls in the organization's information systems to determine whether they are effective, developing plans of action to correct deficiencies and reduce or eliminate vulnerabilities, monitoring the controls on an ongoing basis, and maintaining the system security plan.
Awareness And Training
This provides awareness of the security risks that are linked to a user’s activities and training users on the relevant policies and procedures.
Configuration Management
This pertains to the creation of baseline configurations and the use of strong change management processes.
Maintenance
This involves carrying out timely maintenance on the organization's information systems and controlling the tools, techniques, mechanisms, and personnel used to perform it.
Identification and Authentication
This involves identifying and authenticating the users and devices that use the information system.
Audit and Accountability
This entails creating, protecting, retaining, and reviewing system logs.
Access Control
This limits system access to authorized users, processes acting on behalf of authorized users, and authorized devices, and restricts those users to the transactions and functions they are permitted to perform.
Personnel Security
This involves screening users prior to granting them access to the information systems used by an organization and ensuring the systems remain secure when individuals are transferred or terminated.
Incident Response
This involves establishing an operational incident-handling capability that covers preparation, detection, analysis, containment, recovery, and user response, and tracking, documenting, and reporting incidents to the appropriate officials.
What Are The Penalties For Noncompliance?
If the Department of Defense audits a contractor and finds it noncompliant, the contractor could be issued a stop-work order that suspends its work for the DoD until appropriate security measures have been implemented. The DoD might also seek financial penalties, including damages for breach of contract and, where a contractor has misrepresented its compliance, liability under the False Claims Act.
In some cases, the contract may be terminated and the contractor could be suspended or barred from working with the Department of Defense in the future.
How To Ensure Compliance
DoD contractors with the necessary expertise in-house can work through NIST Handbook 162, the NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements, to evaluate each of the 110 requirements and build their system security plan and plan of action. Contractors that cannot meet the requirements on their own can engage DFARS consultants to help them reach and demonstrate compliance.
How Can Contractors Handle Security Breaches?
Meeting the minimum DFARS requirements does not guarantee that incidents will not occur. When a cyber incident is discovered, the DoD requires the contractor to report it within 72 hours of discovery through the DoD's DIBNet portal (https://dibnet.dod.mil), which requires a DoD-approved medium assurance certificate to submit a report. The contractor must also preserve images of affected systems and relevant monitoring data for at least 90 days and submit any isolated malicious software to DC3. Compiling the required information quickly can be difficult, so it may be necessary to enlist the help of cybersecurity experts.