FirstCall Consulting a Global Leader in Cybersecurity and Compliance

“Compliance does not equal security”

– Robert Carey, Former Navy CIO

What is DFARS?

The Defense Federal Acquisition Regulation Supplement, or DFARS, was launched by the Department of Defense (DoD) back in 2016 in order to help protect Controlled Unclassified Information (CUI). These standards were created to help secure the Defense Industrial Base (DIB) and are based on NIST 800-171. Organizations are required to be compliant with NIST 800-171, and are able to self-assess their compliance. Additionally, organizations are allowed to not be fully compliant with NIST 800-171 at the time of contract award, if they have a System Security Plan (SSP) in place to address the gaps. There are four main DFARS clauses to know:

  • DFARS 7012 – requires contractors to provide “adequate security” for covered defense information that is processed, stored, or transmitted on the contractor’s internal information system or network. It also requires organizations to comply with NIST 800-171.
  • DFARS 7019 – requires organizations to report their score in SPRS (the Supplier Performance Risk System), and specifies what contracting officers are required to do when awarding or denying contracts based on such results.
  • DFARS 7020 – requires organizations to provide access to their facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
  • DFARS 7021 – requires organizations to be CMMC certified.

How does it compare to CMMC?

DFARS requires all companies to be NIST 800-171 compliant, while CMMC allows some companies that do not come in contact with CUI an exemption to follow only 17 basic practices rather than all 110 controls. CMMC also has a Level 3, called Expert, that requires companies that handle critical CUI to follow a subset of extra controls from NIST 800-53 in addition to all 110 controls from 800-171 to reach compliance. More details will come out at a later date when the rulemaking process is finished. DFARS not only requires companies to be 800-171 compliant, but gives additional requirements about how companies must report their score and provide access to their facilities.

The biggest difference comes in how organizations are audited on their compliance. With DFARS, organizations have been able to self-attest their compliance. With the CMMC, a majority of organizations will be required to have third party auditors test their compliance.

If you want to be proactive about your cybersecurity and have a plan in place before any issues arise, contact FirstCall Consulting today. Our team of experts can walk you through the process of conducting a gap analysis to determine where your weaknesses lie, getting a System Security Plan (SSP) and POA&M in place that is compliant with all DFARS regulations, and making sure your supply chain is fully compliant as well. Contact us now here or send an email inquiry to travis.sands@thefirstcallconsulting.com to get started on this important journey towards 100% compliance!