One of the clauses in the Defense Federal Acquisition Regulation Supplement (DFARS) imposes cybersecurity regulations on contractors working with the Department of Defense. Many companies refer to meeting the cybersecurity clauses in DFARS as "DFARS compliance." This isn’t exactly accurate, since DFARS covers far more than cybersecurity. However, for the purpose of this article, DFARS compliance refers specifically to DFARS 252.204-7012. Here is everything you need to know to help you understand this clause and become compliant with it.
What DFARS Is
As cyber threats evolve and become more dangerous, cybersecurity measures and technology must adapt to these changes. Therefore, specific DFARS cyber clauses were introduced to address these security threats. These cyber clauses are a set of regulations that contractors must meet to protect sensitive government data, such as controlled unclassified information.
DFARS was initially released as a supplement to the Federal Acquisition Regulations in December 2015. It adds cybersecurity-related acquisition requirements that the DOD must follow when buying goods and services.
Minimum Requirements for It
Even though data security is a complex field, the Department of Defense has put forth straightforward requirements. In short, a company must deliver “adequate” security and rapidly report any cyber incidents.
The most frequently asked question is what “adequate” means. DFARS gives several different security requirements that must be met for a system to be considered “adequate.” Additionally, you now must receive a Cybersecurity Maturity Model Certification (CMMC) to do contract work for the government.
Potential Penalties for Not Complying
Before you can accept a contract with the Department of Defense, you must obtain a CMMC. In other words, you will not be able to perform government work unless you meet the cybersecurity requirements outlined in DFARS 252.204-7012. In addition, if you misrepresent your CMMC status and don’t receive this certification before taking a DOD contract, you may face financial penalties for breach of contract and false claims.
Making Your Company Compliant Yourself
If you have the skills and resources, you can achieve DFARS compliance yourself. However, while working on your cybersecurity in-house, you should strive to meet the self-assessment guidelines provided in your NIST handbook. The handbook was designed specifically for people looking to do contract work with the Department of Defense.
If you are a large company that does contract work for the Department of Defense, you can also choose to have your in-house security team handle compliance matters. You will follow the same procedure as individuals to ensure that your company is compliant. Basically, no matter the size of your company, you will need to perform a self-assessment and enact any necessary remediation.
Working With DFARS Consultants
Smaller businesses and individuals without the necessary skills will likely end up handing compliance matters over to a DFARS consultant. This matters because Department of Defense contractors remain responsible for ensuring their own compliance, so the job must be completed correctly.
Aside from ensuring compliance, outsourcing can save time and money. When you outsource, you gain access to the tools and skills necessary to analyze your gaps, plan for remediation, monitor your progress, and handle security breaches. That means a consultant can make your security systems compliant more quickly and easily, help you keep them compliant, and demonstrate your compliance to the Department of Defense through an audit.
What To Do if You Have a Security Breach
Breaches can still happen even if you meet the requirements in DFARS 252.204-7012. That’s why it is important that you report any potential or confirmed security breach immediately to the Department of Defense.
DFARS 252.204-7012 has introduced many cybersecurity regulations. These are designed to protect the data that the Department of Defense shares with contractors. Any company must meet these standards to perform contract work for the government. Fortunately, this guide gives you an understanding of the basics, so you can get started working on your compliance.