DFARS (Defense Federal Acquisition Regulation Supplement)

21 November 2025

What is DFARS?

DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a set of regulations that apply to all U.S. Department of Defense (DoD) contracts and subcontracts.

The regulations are designed to ensure that the DoD receives quality goods and services at fair and reasonable prices. The DFARS has been in effect since 2003 and is updated regularly.

DFARS cyber security requirements

The DFARS contains a set of cyber security requirements that contractors must meet to be considered compliant with the DoD’s cyber security regulations. These requirements include:

  1. Establishing a cyber security programme that includes specific security controls and processes to protect data and systems from unauthorised access, misuse, disruption or destruction.
  2. Ensuring that all personnel and contractors with access to DoD systems or data are properly trained and have the necessary security clearance.
  3. Implementing a system of risk assessment and management to identify, assess and mitigate risks associated with DoD systems and data.
  4. Ensuring that all DoD systems and data are properly protected from unauthorised access, use or disclosure.
  5. Developing and implementing a plan to respond to cyber attacks and other incidents that could threaten DoD systems or data.
  6. Implementing audit and accountability measures to ensure the security of DoD systems and data.

DFARS compliance requirements

There are three ways contractors can comply with the DFARS (ranging from basic to intensive):

  1. Contractors can self-verify their DFARS compliance and confirm they have implemented NIST SP 800-171 security controls.
  2. A third-party organisation can audit the contractor or certify that the contractor has met the requirements for certification.
  3. A federal team can be dispatched to inspect the contractor’s security plan.

The first level is the easiest to implement but lacks the credibility that the other two levels provide. The third level is only available to certain contractors.

The second level can be achieved by gaining certification through a third party. ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). An ISMS is a system of processes, documents and technology that helps manage, monitor, audit and improve your organisation’s information security.
