DEFENSE FEDERAL ACQUISITION REGULATION SUPPLEMENT (DFARS) COMPLIANCE

Comprehensive Compliance Solutions

Is Your Business DFARS Compliant?

Manufacturing businesses involved with the Defense Industrial Base (DIB) that are contracted with the United States Department of Defense (DoD) are required to meet the parameters outlined in the Defense Federal Acquisition Regulation Supplement (DFARS).

DFARS Compliance

DFARS and Procedures, Guidance, and Information (PGI) are meant to provide uniform acquisition policies and procedures for the DoD, its contractors, and subcontractors. An important portion of the DFARS and PGI requirements addresses the need for contractors and their subs to enhance their cybersecurity practices, policies, and procedures to adapt to the evolving threat environment in order to safeguard valuable government data.

Complete compliance with the security requirements outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” is detailed in the DFARS and PGI. The protection of Controlled Unclassified Information (CUI) found in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.

Manufacturers found to be non-compliant with the requirements of DFARS and NIST SP 800-171 are unable to apply for DoD contracts. No new DoD contracts are being awarded to businesses that are not compliant, leading to large financial losses for those companies.

Dox Helps Businesses with DFARS Compliance

Dox Electronics is proud to partner with Exostar to assist businesses like yours in attaining DFARS compliance quickly and efficiently. Regardless of your business’s size, Dox provides white-glove service to support your organization in meeting the requirements of DFARS and NIST SP 800-171 so it can apply for DoD contracts with confidence.

DFARS 252.204-7012 and NIST SP 800-171 are both government regulations that require certain cybersecurity efforts by DoD contractors, subcontractors, and vendors. The experienced DFARS experts at Dox have mapped the 110 requirements of NIST SP 800-171 to 175 controls designed to gauge how well an organization is meeting those requirements.

Dox runs scans and tests against your business’s information systems and compares the results to documented policies and procedures provided by your organization. Our experts assess your business for security gaps in its policies, procedures, and programs. We then provide simple, cost-effective solutions using a separate remediation team to quickly address all gaps identified in the following target areas:
  • Physical
  • Technical
  • Administrative

The DFARS Interim Rule

On September 29, 2020, the DoD published interim rule 2019-D041 in the Federal Register amending DFARS. This interim rule requires the implementation of the NIST SP 800-171 DoD Assessment Methodology and the CMMC framework.

The purpose behind this change was to give the DoD the ability to assess a contractor’s implementation of the NIST SP 800-171 security requirements and assure all DIB contractors are properly protecting CUI. This also accounts for the flow down of cybersecurity and other requirements to subcontractors in a multi-tiered supply chain.

DFARS Subpart 204.21 addresses the prohibition on contracting for certain telecommunications and video surveillance services or equipment. This section identifies telecommunications equipment, systems, and services provided by certain companies or entities owned or controlled by specific nations that are prohibited.

DFARS Subpart 204.73 addresses the safeguarding of covered defense information and cyber incident reporting. This section applies to contractors and subcontractors in terms of cybersecurity requirements and cyber incident reporting within 72 hours of any cyber incident. It also covers the physical, personnel, information, technical, and general administrative security operations for the protection of CUI.

DFARS 7019 - DoD Assessment Requirements & SPRS

DFARS 252.204-7019 is the notice of NIST SP 800-171 DoD assessment requirements. This clause requires organizations wishing to conduct business with the DoD, the General Services Administration (GSA), and National Aeronautics and Space Administration (NASA) to have a current assessment for every covered contractor system relevant to each contract.

Additionally, they must enter the results of their cybersecurity assessments into the Supplier Performance Risk System (SPRS). Those assessments will be recorded in the system at a “Basic,” “Medium,” or “High” level. The assessment level required will be based upon the contract for which the contractor is applying. These assessments will need to be renewed every three years in order for a contractor or subcontractor to remain DFARS compliant.

This also affects the contracting authority. Contracting authorities will decide whether to award or decline a contract based upon the entries contractors have made in SPRS. They can also change the requirements of a contract, for example by asking potential contractors to update their assessments every two years rather than every three.

DFARS 7020 - Requirements for Contractors & Subcontractors

DFARS 252.204-7020 outlines the DoD NIST SP 800-171 assessment requirements. This section of DFARS provides definitions for assessments and sets out the requirements for contractors and subcontractors.

First, contractors need to ensure assessment results are submitted to the SPRS. DFARS 7020 also requires initial assessment findings to be rebutted within 14 days of the assessment with evidence that proves a security requirement is already being met. Doing this ensures companies meet the requirements of NIST SP 800-171 prior to contracts being approved.

The other important piece of DFARS 7020 is the flow down clause. Not only does a company need to meet the requirements of NIST SP 800-171 and submit assessments by level to the SPRS, but its subcontractors, vendors, and suppliers must also submit their assessments into the SPRS. All subcontractor agreements should include language from DFARS 7019 and DFARS 7020 to ensure they are compliant with DFARS as well. Though some regulatory requirements may overlap, these requirements are completely separate from the requirements of CMMC.

DFARS 7021 - DFARS & CMMC for New Contracts

DFARS 252.204-7021 addresses the use of the CMMC for new government contracts. This requirement means contractors will need to have a current (no more than three years old) CMMC assessment and certificate for the CMMC level required for each government contract. The CMMC certificate must be achieved by the time the contract is awarded or at option award for existing contracts.

The CMMC certificate level for each contract will be required to remain in place throughout the duration of the contract term. Thus, if a contract runs the course of 10 years, the contractor will need to keep its CMMC level certification up to date throughout that entire decade. Since a CMMC certificate is only good for three years, this would require recertification at least three times over the course of the contract.

As in other parts of DFARS, government contractors will be responsible for ensuring the flow down of the CMMC requirements to subcontractors. All subcontractors will also need to remain compliant with CMMC throughout the duration of the contract.

A quick breakdown of how the process works is as follows:
  • A CMMC Third-Party Assessor Organization (C3PAO) will conduct a cybersecurity assessment of the Organization Seeking Certification (OSC)
  • The C3PAO will deliver the results of the assessment to the CMMC Accreditation Body (AB) for review
  • The CMMC-AB will award the certification to the organization if all is in order
  • The organization will place the certification into the SPRS

Dox is a Registered Provider Organization (RPO)

Registered Provider Organizations (RPOs) such as Dox Electronics supply advice, consulting services, and recommendations to clients regarding the CMMC standards. By working with an RPO such as Dox, both primary and secondary contractors can gain insight into the requirements of CMMC from an organization with staff trained in basic CMMC methodology by the CMMC Accreditation Body (CMMC-AB). Furthermore, RPOs are bound by a professional code of conduct while providing targeted CMMC assessment preparation to every client.

By offering consulting services including gap assessments to identify shortfalls in cybersecurity best practices, Dox assists clients in moving toward CMMC accreditation with fewer obstacles. This means Dox will provide advice and recommendations to aid businesses in preparing for CMMC certification, which will soon be required for all DoD and NASA contracts. Additionally, DoD and NASA contracts require a flow-down model in which subcontractors must also achieve CMMC certification.

Failure to Comply with DFARS

Businesses that fail to meet the DFARS & NIST SP 800-171 requirements may face stiff penalties including:
  • Loss of existing DoD contracts
  • Loss of new DoD contracts
  • Loss of business reputation

The clock is ticking. For every moment your business waits to achieve DFARS compliance, it loses revenue. For assistance in conducting a complete DFARS readiness assessment including cybersecurity and remediation of gaps, complete the contact form below and we will reach out to you within one business day.

If you’d like to know more about updates and changes to DFARS, CMMC, or other government cybersecurity regulations, contact Dox at 1-888-Need-Dox (888-633-3369). As a CMMC Registered Provider Organization (RPO), Dox can assist your company with basic CMMC-AB training to help you move toward CMMC certification.

CMMC 2.0, Microsoft 365, & the Cloud

The credentialed CMMC experts at Dox can assist your organization with all of its government and DoD regulation compliance requirements.

As a Microsoft Gold Partner, Dox is a certified Microsoft reseller for the Microsoft 365 U.S. Government Community Cloud (GCC) High environment. Dox offers Microsoft 365 GCC High licensing for companies requiring fewer than 500 licenses to ensure your company meets the requirements of everything from NIST 800-171 to FedRAMP and ITAR.

Many business leaders are confused about which cloud is right for them. For those businesses with government contracts through the DoD or those that fall under DFARS or ITAR requirements, GCC High is a necessity for achieving compliance. DFARS requires the business cloud environment to be FedRAMP compliant as well.

Microsoft cannot supply the reporting and compliance requirements of DFARS 7012 paragraphs (c) through (g) under the regular public Office 365 offering. Microsoft only certifies DFARS compliance on the GCC High environment.

Ensure your business achieves regulation compliance with support from the experienced experts at Dox. Call Dox now at 1-888-Need-Dox (888-633-3369) to schedule a free initial consultation.