What the DFARS Means for Your Business

contracts business

Winning your first contract with the United States Department of Defense is a real privilege. It’s a lucrative opportunity that comes with a sense of satisfaction and duty. With the U.S. defense budget projected to grow steadily in the coming years, the Defense Industrial Base will see a rise in demand for small businesses like yours.

While winning contracts can be profitable, it is important to remember that they come with lots of responsibility and a number of regulations to meet. The soundness of your business’ cybersecurity apparatus is among the most critical parts of maintaining a working relationship with the DoD.

Here’s what you need to know.

The DoD and Cybersecurity

Technology has made the world more connected and has made doing business more efficient. However, it has also created new avenues for adversaries of the United States to steal sensitive information and engage in cyberwarfare. As a contractor within the DIB, you will be in possession of sensitive materials and information related to the DoD and US military. Commonly referred to as Controlled Unclassified Information or CUI, documents like technical drawings, financial documents, and intellectual property are of great interest to enemies of the United States. As such, your small business will be the first line of defense against hostile state actors, terrorist groups, and criminals. You must ensure that this information is protected.

The Defense Federal Acquisition Regulation Supplement

The Defense Department understood the potential for adversaries to exploit the vulnerabilities of its contractors. Thus, they needed to create a uniform set of cybersecurity standards for the DIB participants handling CUI. In 2015, these standards were codified in what became known as the Defense Federal Acquisition Regulation Supplement. Commonly abbreviated as DFARS, these standards were gradually phased into various DoD contracts until the end of 2017. Since then, dfars compliance is mandated in every DoD contract. Failure to comply can result in your contract being canceled, and even bar you from bidding on future contracts.

NIST 800-171

The cybersecurity clause of the DFARS is comprised of two main mandates. First, your business must be able to recognize cybersecurity breaches, report them to the DoD, and provide the DoD with updates for a period of 90 days. Most importantly though, the DFARS mandates that your cybersecurity operations are in line with DoD standards.

The standards for cybersecurity as defined by the DFARS are outlined in a document drafted by the National Institute of Standards and Technology known as NIST 800-171. This document consists of 14 points that define the protocol for things like authentication, maintenance, and incident response. There are two important things to remember here. First, complying with NIST 800-171 will be an ongoing part of running your business. You must ensure that you are acting in accordance with all 14 points at all times. Otherwise, you could risk losing your contract. Secondly, the DoD is currently NIST 800-171 with an additional measure known as the Cybersecurity Maturity Model Certification or CMMC.

Cybersecurity Maturity Model Certification

Simply put, the Cybersecurity Maturity Model Certification is a means to prove your adherence to NIST 800-171. Though many of the standards will remain the same, CMMC will require your compliance with NIST 800-171 to be verified by a third-party accreditation service rather than allowing your business to complete a self-assessment. CMMC will also introduce 5 levels of readiness to rank your cybersecurity readiness. The readiness level you will need to meet will be determined by the nature of your business and will be specified in your contract.

As a DoD contractor, you should be familiar with DFARS and everything that it requires. If you feel overwhelmed, consider investing in a relationship with a compliance management service. This will free you up to focus on other parts of your business.

The following two tabs change content below.

Editorial Staff

This article was written by SBMarketingTools.com editorial staff.