What Is the DFARS and How Is It Different Than the Federal Acquisition Regulation (FAR)?

The FAR, short for the Federal Acquisition Regulation, is a set of clauses under the Code of Federal Regulations and the primary regulation for use by all executive agencies in their acquisition of supplies and services with procurement contracts. The FAR is under the joint authority of the Department of Defense, General Services Administration, and NASA.

The DFARS, short for Defense Federal Acquisition Supplement, on the other hand, is an amended supplement to the FAR that was published in December 2015. In contrast with the FAR, the main purpose of the DFARS is to maintain the protection of Controlled Unclassified Information (CUI) under the National Institute of Standards and Technology’s Special Publication 800-171 to combat the growing cyber threat landscape. SP 800-171 contains a total of 110 controls that must be met by Department of Defense contractors to successfully comply with the DFARS.

Who Complies With the DFARS?

If your organization is working closely with the Department of Defense or a similar agency as a contractor, then your organization is almost certainly DFARS compliant. Contractors were given until December 31, 2017, to meet all requirements imposed by the DFARS, and those that did not adapt to meet the requirements in time risked losing their government defense contracts.

In order to circumvent the issue of organizations self-certifying their DFARS compliance, DFARS audits are in the process of shifting toward third-party certification via the Pentagon’s Cybersecurity Maturity Model Certification program, or CMMC for short.

The CMMC’s controversial implementation has raised concerns from defense contractors and lawmakers alike, and in response, this past November, the Department of Defense announced plans for a revamped “CMMC 2.0.” This change in strategic direction aims to maintain the program’s original goal of standardizing DFARS audits while “simplifying the CMMC standard and providing additional clarity on cybersecurity regulatory, policy, and contracting requirements; focusing the most advanced cybersecurity standards and third-party assessment requirements on companies supporting the highest priority programs; and increasing Department oversight of professional and ethical standards in the assessment ecosystem.”

DFARS Compliance Requirements

When including the 110 controls listed under NIST SP 800-171, it should go without saying that DFARS requirements cover a lot of ground. Thankfully, these security controls are grouped into the following 14 control “families” for the sake of clarity and can be thought of as minimum requirements:

Access Control

This ensures that only those with specific authorization to access CUI have such access and ensures CUI is not released or exposed to those not approved to receive it. Such access control can be applied virtually and/or in person depending on whether the protected CUI is being stored virtually or as hard copies.

Awareness and Training

Employees that are tasked with handling CUI need proper training and skills to do so. This should include training on their organization’s data security policies and procedures, more general cybersecurity awareness training, and perhaps even programming skills.

Audit and Accountability

Contractors must know what and how much of their CUI is in circulation, where the data lies, how it’s being handled, and who can see it. This also encompasses the creation, protection, retention, and review of system, event, and access logs.

Configuration Management

Your IT systems’ configurations should be standardized and managed so that systems and software are more predictable, definable, and measurable. 

Identification and Authentication

Rather than assuming trust, contractors must verify the identities of anyone attempting to gain access to CUI. This can be accomplished with multi-factor authentication.

Incident Response

Organizations must create and practice a sound incident response plan that will allow them to recover and resume operations as quickly as possible if a breach were to occur.

Maintenance

All components of organizations’ IT systems must be kept up to date at all times to ensure that systems run normally and that any vulnerabilities are addressed.

Media Protection

Organizations must ensure the protection, sanitation, and destruction of any and all media containing CUI, including the creation and enforcement of policies that govern media.

Personnel Security

Any employees, contractors, and other third parties must be screened and authorized to handle CUI.

Physical Protection

Just as the CUI itself requires protection, any physical object or device that contains CUI must be physically protected to prevent theft or damage. This can include personal devices like mobile devices and laptops or more critical systems like servers or storage devices.

Risk Assessment

Organizations must periodically assess their own operational risk related to personnel, systems, and the sharing of CUI along with risk control measures.

Security Assessment

Organizations must periodically assess and monitor their systems for any security vulnerabilities and promptly correct them before their exploitation.

System and Communications Protection

This can be thought of as “taking the extra step” to further lessen the chance of unauthorized access to CUI. Examples of this may include employing a zero-trust architectural design to promote greater and more segmented security or encrypting sensitive data.

System and Information Integrity

Organizations must ensure that any data moving through their systems has not been infected with a dangerous payload, malicious code, or anything else that can compromise system integrity. Any threats to system or information integrity must be promptly reported and corrected.

For more specific information on each of the 14 security control groups listed above, please refer to Chapter 3 of the most recent revision of Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations made available by the NIST (published January 28, 2021).