FirstCall Consulting a Global Leader in Cybersecurity and Compliance

“Compliance does not equal security”

– Robert Carey, Former Navy CIO

What is DFARS?

The Defense Federal Acquisition Regulation Supplement, or DFARS, was launched by the Department of Defense (DoD) back in 2016 to help protect Controlled Unclassified Information (CUI). These standards were created to help secure the Defense Industrial Base (DIB) and are based on NIST 800-171. Organizations are required to be compliant with NIST 800-171 and are able to self-assess their compliance. Additionally, organizations are allowed to not be fully compliant with NIST 800-171 at the time of contract award, provided they have a System Security Plan (SSP) in place to address the gaps. There are four main DFARS standards to know:

  • DFARS 7012 – requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network. This is the clause that requires organizations to comply with NIST 800-171.
  • DFARS 7019 – requires organizations to report their score in SPRS (the Supplier Performance Risk System), and specifies what contracting officers are required to do when awarding or denying contracts based on those results.
  • DFARS 7020 – requires organizations to provide access to the facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
  • DFARS 7021 – requires organizations to be CMMC certified.

How does it compare to CMMC?

DFARS requires all companies to be NIST 800-171 compliant, while CMMC grants some companies that do not come in contact with CUI an exemption: they need only follow 17 basic practices rather than all 110 controls. CMMC also has a Level 3, called Expert, that requires companies handling critical CUI to follow a sub-set of extra controls from NIST 800-53 in addition to all 110 controls from 800-171 to reach compliance. More details will come out at a later date, when the DoD finishes the rulemaking process. DFARS not only requires companies to be 800-171 compliant, but adds requirements about how companies must report their score and provide access to their facilities.

The biggest difference comes in how organizations are audited on their compliance. Under DFARS, organizations have been able to self-attest to their compliance. Under CMMC, a majority of organizations will be required to have third-party auditors test their compliance.

If you want to be proactive about your cybersecurity and have a plan in place before any issues arise, contact FirstCall Consulting today. Our team of experts can walk you through the process of conducting a gap analysis to determine where your weaknesses lie, getting a System Security Plan (SSP) and POA&M in place that is compliant with all DFARS regulations, and making sure your supply chain is fully compliant as well. Contact us now or send an email inquiry to travis.sands@thefirstcallconsulting.com to get started on this important journey towards 100% compliance!