The Defense Federal Acquisition Regulation Supplement (DFARS)

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations which requires all Department of Defense (DoD) prime contractors and subcontractors to implement “adequate security” based on a set of security controls referenced in NIST SP 800-171, and to conduct cyber incident analysis and reporting.

To meet the minimum requirements, DoD contractors must:

  1. Provide adequate security; and
  2. Conduct cyber incident analysis and reporting.

Adequate Security is provided by implementing “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”

A covered contractor information system is subject to the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. DFARS contains fourteen groups of security requirements covering various components of IT information security. Contractor information systems must pass a readiness assessment of the following NIST SP 800-171 guidelines:

  1. Access Control
  2. Awareness and Training
  3. Audit and Accountability
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

Cyber incident analysis and reporting require an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

Achieving Compliance

Elevate can help you assess your systems and processes so that you can efficiently manage DFARS compliance with each specific legislation/mandate.

Gap Analysis

Like any other gap analysis, the first step is to conduct a comprehensive review of all systems and processes. This analysis is then used to determine where you stand against the minimum requirements outlined in DFARS.

Remediation Plan

The outcome of the Gap Analysis is used to create the appropriate remediation plan to bring all systems and procedures into DFARS compliance. Elevate will also provide the documentation necessary to prove compliance to the DoD.

Long Term Compliance

It is important to remember that compliance with SP 800-171 is only one step. Long-term compliance requires continuous assessment, monitoring, and process improvement. Elevate can help you achieve and maintain DFARS compliance.
