DFARS Compliance – Top Keys to Success in 2022
Thursday, September 1, 2022
Here are 10 keys to DFARS compliance success in 2022
Print Mail Download i

Federal defense contractors that are subject to the Federal Acquisition Regulations (FAR) also known as the Defense Federal Acquisition Regulation Supplement (DFARS) need to make compliance a priority. Not only is compliance mandatory when doing business with the U.S. Department of Defense (DOD), but non-compliance can potentially threaten national security. Defense contractors found in non-compliance with DFARS can face litigation and loss of their DOD contracts, and their owners and executives can even face criminal prosecution in some cases. Thus, DOD contractors must implement adequate security protocols or security measures to protect confidential defense information at all times.

So, what does it take to become DFARS compliant? How can federal defense contractors assess their compliance efforts and maintain compliance or remain compliant on an ongoing basis? What should defense contractors do if they discover internal DFARS compliance failures? Here are 10 keys to DFARS compliance success in 2022:

“DFARS compliance should be a priority for all federal defense contractors that have access to CUI. The DOD is enforcing DFARS compliance in 2022, and defense contractors that fail to meet their obligations are at risk of steep penalties. In many cases, defense contractors’ owners and executives can be at risk as well.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

10 Keys to Establishing, Maintaining, and Proving DFARS Compliance

1. Conducting an Internal DFARS Compliance Needs Assessment

All federal defense contractors that have access to (or will have access to) Controlled Unclassified Information (CUI) are subject to the same general requirements under DFARS. Defense or DOD contractors must comprehensively satisfy these requirements of DFARS regulations, and this starts with understanding where their needs lie. 

DFARS compliance can have implications for nearly all aspects of a federal defense contractor’s operations. While the controls, systems, and protocols federal defense contractors need to maintain compliance largely fall in the cybersecurity realm, there are contractual, operational, and other aspects to DFARS compliance as well. As a result, defense contractors should conduct a comprehensive internal DFARS compliance needs assessment focused on identifying all areas of their businesses impacted by their federal duties.

2. Examining the Contractor’s Existing Cybersecurity Policies and Protocols

Most federal defense contractors (and aspiring federal defense contractors) have cybersecurity policies and protocols in place; and, to the extent that these policies and protocols are adequate, there is no need to reinvent the wheel. With that said, general cybersecurity measures implemented outside of DFARS compliance are likely to be insufficient in various regards.

Broadly speaking, the obligation for federal defense contractors to comply with DFARS seeks to ensure that all private entities in possession of CUI protect this information with at least the same level of effort and security as the federal government. As explained in NIST SP 800-171 or the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations:

“[F]ederal information designated as CUI has the same intrinsic value and potential adverse impact if compromised—whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation.”

With this in mind, federal defense contractors should not assume that their existing cybersecurity policies, security controls, and protocols are sufficient to protect CUI in compliance with DFARS. Instead, they should examine these policies and protocols from the perspective of seeking to understand where they are insufficient to meet the DFARS compliance requirements.

3. Developing (or Upgrading) a Custom-Tailored DFARS Compliance Program

As noted above, all federal defense contractors are subject to the same basic requirements under DFARS. These DFARS compliance requirements fall into 14 “families” that National Institute of Standards and Technology (NIST) explains, “are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200.” FIPS Publication 200 establishes minimum cybersecurity standards for federal offices and agencies that possess CUI.

But, while all federal defense contractors are subject to the same basic requirements, this does not mean that DFARS compliance is a standardized process. On the contrary, defense contractors need to develop a system security plan and take a custom-tailored approach to DFARS compliance that focuses on establishing and maintaining compliance within their unique relationships and operations.

The 14 “families” of DFARS requirements are:

  • Access Controls

  • Audit and Accountability

  • Awareness and Training

  • Configuration Management

  • Identification and Authentication

  • Incident Response

  • Maintenance 

  • Media Protection

  • Personnel Security

  • Physical Protection

  • Risk Assessment

  • Security Assessment

  • System and Communications Protection

  • System and Information Integrity.

Within each of these 14 “families” exist both “basic security requirements” and “derived security requirements.” Most of these requirements are general in nature, and thus it is left to federal defense contractors (and their lawyers and consultants) to interpret the requirements in light of the specific risks their operations and systems present for CUI. NIST even describes these as “high-level” requirements. Ultimately, after implementing their DFARS compliance programs, federal defense contractors must be confident that their programs are adequate to prevent intrusions, prohibited disclosures, and misappropriation of CUI to a degree consistent with the risks presented.

4. Ensuring Effective Company-Wide Implementation

When it comes to DFARS compliance, simply having policies and protocols is not enough. Federal defense contractors must effectively implement their policies and protocols as well, and they must do so on a company-wide scale.

There are several aspects to effectively implementing a DFARS compliance program. Engaging a qualified cybersecurity vendor is an important step, but it is just one of many. Federal defense contractors must carefully negotiate their cybersecurity vendor contracts to ensure that they have all necessary rights and remedies. They must also provide adequate training to appropriate internal personnel, and they must ensure that their internal personnel can effectively manage their cybersecurity programs to the extent that they can not only identify risks pertaining to CUI or DFARS compliance but also work to address these risks proactively.

5. Regularly Assessing DFARS Compliance

Monitoring and assessment are also critical to successful DFARS compliance. Federal defense contractors should monitor for cybersecurity breaches and other compliance failures on an ongoing basis, and they should conduct periodic assessments focused on identifying flaws in their (and their cybersecurity vendors’) systems. Not only are these steps essential for preventing unauthorized access to CUI, but they are also essential for demonstrating good-faith compliance efforts to the DOD.

6. Monitoring for Necessary Modifications and Upgrades

In addition to monitoring the effectiveness of their DFARS compliance policies and protocols, federal defense contractors must also monitor for necessary modifications and upgrades. The need to make modifications or upgrades can arise in three primary ways:

  • Discovering deficiencies in the company’s DFARS compliance program 

  • Modifying the company’s operations or entering into new contracts that have CUI implications 

  • The federal government’s implementation of new or modified standards or requirements

While the DOD might send notices to defense contractors when the government adopts new standards regarding the protection of CUI, contractors cannot rely on the DOD to tell them when they need to adapt to new rules or regulations. Instead, contractors should rely on their outside lawyers or consultants—who should be monitoring for updates on behalf of their clients on an ongoing basis.

7. Promptly Addressing Identified DFARS Compliance Failures

Whether internal or external, federal defense contractors must promptly address all identified DFARS compliance failures. Defense contractors should have documented incident response plans, and they should faithfully execute these plans following malicious intrusions, employee thefts, and other events that compromise CUI. While the DOD expects defense contractors to protect CUI, the DOD has even greater expectations when it comes to remedying defense contractors’ CUI security failures.

8. Complying with All DOD Contract and Disclosure Requirements

When addressing DFARS compliance, federal defense contractors cannot rely solely on the DFARS regulations and NIST’s guidance. Defense contractors must also address their specific contractual obligations, and they must comply with all other pertinent federal laws, rules, and regulations. Among other things, these sources of authority establish requirements for defense contractors to disclose suspected cybersecurity incidents impacting CUI in many circumstances, and failure to make required disclosures can have significant legal implications for contractors (along with the implications of DFARS non-compliance).

9. Understanding the Risks of DFARS Non-Compliance

Non-compliance with DFARS can have several consequences. The DOD actively enforces defense contractors’ compliance obligations, and contractors found in violation of DFARS can face civil or criminal penalties depending on the circumstances involved. Defense contractors’ owners and executives must take these risks into account when addressing DFARS compliance in 2022. Possible consequences of DFARS non-compliance include:

  • Termination of DOD contracts 

  • Loss of DOD contract eligibility 

  • Federal contract litigation 

  • Civil or criminal prosecution for False Claims Act violations 

  • Prosecution for other federal crimes

10. Being Prepared to Demonstrate DFARS Compliance When Necessary

Given the risk of facing DOD scrutiny—and the potential consequences of being found in non- compliance—federal defense contractors should be prepared to affirmatively demonstrate DFARS compliance when necessary. This means that defense contractors should have on hand not only their DFARS compliance programs, but documentation of their ongoing monitoring, assessment, enforcement, and remediation efforts as well. In the event of a DOD investigation, being able to use pre-existing documentation to demonstrate good-faith compliance can significantly mitigate the risks facing defense contractors and their owners and executives.

Oberheiden P.C. © 2024

Current Legal Analysis

More from Oberheiden P.C.

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins