DFARS Compliance Checklist

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity standards that non-government contractors and their suppliers must meet to do business with the Department of Defense (DoD).

Their purpose is to ensure these contractors can protect government data from cyber threats that continue to increase in severity as security technology evolves.

The federal government has prioritized the importance of addressing these threats, including the protection of Controlled Unclassified Information (CUI). As a result, private contractors and other non-federal organizations must continually update their security procedures to remain DFARS compliant.

The DoD published DFARS in December 2015 to maintain cybersecurity standards according to the requirements specified by National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

This document is entitled Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations. The purpose of the DFARS standards is to protect CUI that’s stored or processed by contractor information systems, who had until December 31, 2017 to meet the requirements needed to become DFARS compliant.

Failure to meet these requirements can result in severe penalties, including the loss of current DoD contracts. Since that deadline has now passed, all DoD contractors must meet the minimum requirements of DFARS and document their compliance for all contracts.

This guide to DFARS compliance describes how DFARS applies to DoD contractors, the minimum standards and the options available to DoD contractors for meeting those standards.

What is the DFARS Compliance Checklist and How Does It Apply to CUI?

The DFARS is a security standard developed by the DoD. Any entity that holds CUI must meet the minimum DFARS requirements to avoid the risk of losing their DoD contracts. The DoD issued DFARS clause 252.204-7012 entitled “Safeguarding Covered Defense Information and Cyber Incident Reporting” in October 2016. This clause requires contractors and their suppliers to provide adequate security for all applicable DoD information that they process, store or transmit on their systems.

DFARS 252.204-7012 is a supplemental summary based on NIST Handbook 162, which includes a complete breakdown of cybersecurity requirements and step-by-step guide for implementing them. This publication can be highly useful, although it’s difficult to read.

DoD contractors will be particularly interested in NIST Handbook 162, as it includes information about DFARS and NIST SP 800-171. These two documents are closely related but separate, such that DoD contractors must comply with both of them to maintain their contracts.

The last update to DFARS compliance went into effect on December 31, 2017. The technological nature of digital security requires the DoD to update DFARS on a regular basis, typically every few years. DFARS requirements are particularly complex due to its wide scope.

Cuick Trac helps contractors of all sizes become DFARS compliant, from large enterprises to micro sub-contractors. We are a leader in information, data and cyber security and well versed in all aspects of security compliance, so we can get you DFARS compliant the right way, saving you time and resources. We also have a close relationship with top industry peers that allows us to ease some of the hurdles in this process.

Schedule a free consultation with our cybersecurity experts if you need to be DFARS 252.204-7012 compliant. Avoid fines, loss of contract or missed contract award opportunities by implementing all of the NIST 800-171 controls. 

Call us today at 612-428-3008 or schedule a free consultation online.

How Do I Know If I Need to Be DFARS Compliant?

Your company needs to meet the minimum standards specified by DFARS if it provides products and services that are sold specifically to the DoD, even if it isn’t the direct seller. DFARS provides a set of security controls for protecting controlled unclassified information. Manufacturers, service providers, engineering companies, and others must implement these controls for all levels of their supply chain to meet NIST 800-171 compliance requirements.

Does My Company Require a DFARS Compliance Checklist?

Your company needs to complete a DFARS compliance assessment if it processes, stores or transmits CUI. There are also a few other conditions that require an organization to perform this task. For example, you definitely need to comply with DFARS if you’re offering a contract that contains language for DFARS provision 252.204-7008 or DFARS provision 252.204-7012. It’s also very likely your company will need to complete a DFARS compliance assessment if you’re a DoD contractor, subcontractor or have some other business relationship with the DoD.

Cuick Trac can provide a free consultation with one of our cybersecurity experts to explain the details of DFARS compliance.

What are the Consequences of Non-DFARS compliance?

The consequences of non-compliance with DFARS cyber security are swift and straightforward, as the United States takes DFARS compliance very seriously. It will continue to do so as the intensity and severity of cyber attacks continue to increase. Defense contractors who outsource their work to subcontractors must confirm that those subcontractors are also DFARS compliant.

The consequences of non-DFARS compliance include the following:

  • Proposal exclusion
  • Adverse performance review
  • Termination for Default
  • Criminal Fraud
  • False Claims Act Actions
  • Breach of Contract Lawsuits

Proposal Exclusion

The bidding process for DoD contracts is typically very competitive, so each contract has many well-qualified bidders. Contractors with a low level of compliance will therefore be at a disadvantage, even when their compliance meets the minimum requirements of the contract. An organization that’s unable to compete for these contracts can quickly lose revenue if it doesn’t become accurately compliant.

Adverse Performance Reviews

A business can win a contract even when its security isn’t very good. This can happen when the contractor barely meets the minimum standard or fails to meet it at all, usually by exaggerating its compliance with specific security controls. In these cases, an assessment by the DoD can result in poor performance reviews that will make it particularly difficult to get the next contract.

Termination for Default

Non-compliance with DFARS can also result in termination for default. The government has the right to partially or completely terminate a contract if it believes the contractor has failed to meet any of its contractual obligations. Termination for default is particularly likely when it comes to DFARS requirements.

Criminal Fraud

Criminal fraud isn’t a phrase any government contractor wants to hear regarding defense contracts. However, it can happen when contractors represent their business as DFARS compliant while knowing that it isn’t. Criminal fraud can carry a sentence of one to ten years, depending on its scale and the judge’s discretion.

False Claims Act Actions

Actions under the False Claims Act are another approach the government can take with contractors who misrepresent their business’s DFARS compliance. This act is the government’s primary means of litigation against DoD contractors that knowingly, or unknowingly, commit contractual fraud by accepting contract awards while not compliant. Fines for losing these cases can range from $5,000 to $11,000 per claim.

Breach of Contract Lawsuits

The process for a breach of contract suit is similar to a termination for default, except that it also allows the government to recoup its losses. In addition to compensating the government, a contractor who loses this type of suit must also pay legal expenses, which may be more than the fine. Whether the contractor wins or loses, a breach of contract suit tarnishes the contractor’s reputation.

A History of the DFARS Compliance Checklist

DFARS 252.204-7012 provides the DFARS compliance checklist. It was originally published in 2015 as a self-assessment and is occasionally revised. The current version requires all DoD contractors and subcontractors to perform the following four general tasks:

  • Safeguard covered defense information
  • Report cyber attacks
  • Submit malicious software
  • Facilitate damage assessment

Each of these items includes many individual actions as described below.

Safeguard Covered Defense Information

NIST SP 800-171 provides the specific requirements for protecting defense information. This is usually the most time-consuming requirement for working with the DoD, since you need to document your security measures in addition to implementing them. It’s important to consider the cost of meeting these requirements as an investment in contracting for the DoD, rather than an expense.

The specific requirements safeguarding covered defense information include the following:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System and Communications Protection
  • System and Information Integrity

Report Cyber Attacks

All organizations should expect cyber attacks, no matter how effective their security practices are. The DoD requires their contractors to investigate these incidents for evidence of compromise and report the results as soon as possible. Contractors can meet this requirement by visiting the Defense Industrial Base Cybersecurity Information Sharing Program’s site at https://dibnet.dod.mil/portal/intranet/ and submitting an Incident Collection Form (ICF).

Submitting Malicious Software

Contractors need to report malicious software to remain DFARS compliant, which they can do by accessing the DoD Cyber Crime Center (DC3) at https://dcise.cert.org/icf/. This step will require contractors to obtain a DoD-approved PKI certificate, which is available here. Once contractors have this certificate, they can submit a Malware Submission Form on the DC3’s site.

Facilitate Damage Assessment

The DoD may decide to conduct a damage assessment in response to a security incident. In this case, they’ll ask the contractor to provide the contracting officer with all media related to the attack as described in NIST SP 800-171. Fulfilling this request ensures that you’ll remain in NIST compliance.

Becoming DFARS Compliant with Cuick Trac

Cuick Trac is a cost-effective turn-key solution that stores, processes and transmits sensitive information in compliance with DFARS. It saves DoD contractors over $100,000 on average, and can typically bring them into DFARS compliance in a matter of weeks, not months. CUICK TRAC helps contractors satisfy all 110 NIST 800-171 controls in 14 domains across technical, administrative and physical controls, and provides proof of DFARS compliance through objective evidence

This solution is especially helpful for contractors that lack the bandwidth and other resources needed to implement and manage NIST SP 800-171 controls in-house. Primary contractors can use CUICK TRAC to improve their vendor risk management for their suppliers. Sub-contractors can also use it to obtain an on-going compliance and remediation program for CUI more quickly and at a fraction of the cost of doing it themselves. Contractors can implement CUICK TRAC in a short period of time, but we can also provide other services to help organizations become DFARS compliant and stay that way.

Contractors must report cyber incidents within 72 hours of their occurrence to remain DFARS compliant. However, this requirement can be difficult to satisfy when that contractor lacks the personnel and other resources to continually monitor their security information and something like a security information and event management solution (SIEM). CUICK TRAC helps a contractor meet this requirement as well, as part of it’s continuous monitoring of compliance program solutions.

Cuick Trac can help the potential DoD contractors understand the details of DFARS compliance with a free consultation with one of our cybersecurity experts. Schedule your consultation with us today if you need to be DFARS 252.204-7012 compliant. To learn more contact us online or call 612-428-3008 today.

Part of the most relevant industry groups and committees

department of defense badge
ndia partnership badge
cmmc certification badge
defense alliance badge
infragard partnership badge

Get a 30-minute demo from a
Cuick Trac product expert

You've made it this far, now let us show you why Cuick Trac will be the smartest decision you'll make this year.

Schedule a quick product tour

Learn how Cuick Trac can secure your CUI in less time, with less effort, and with more features than any other DFARS-compliant product on the market.