What is DFARS?

This question is coming up more and more with businesses that hold or work on government contracts. FAR (the Federal Acquisition Regulation) governs the process the US government uses to acquire goods and services by contract with appropriated funds. DFARS (the Defense Federal Acquisition Regulation Supplement) is a supplement, or addendum, to FAR that applies to Department of Defense contracts. DFARS is designed to govern all aspects of data protection in unclassified environments. It follows a new standard from the National Institute of Standards and Technology called NIST 800-171. This standard kept the core controls from NIST 800-53 but did away with a few items and added a few others.

Here are a few tips that might help further your compliance posture:

  • Perform a risk assessment of the physical, technical and administrative safeguards in your data protection systems
  • Perform internal and external vulnerability scans of your network and create a remediation plan
  • Create a system to identify and classify CUI (Controlled Unclassified Information) data
  • Create a security training regimen for your staff
  • Make sure you have all of your policies and plans written and implemented
  • Digitally enforce as many policies as you can
  • Make sure your Incident Response and Breach Notification Policy includes a 72-hour reporting requirement
  • Once a contract is awarded, you have 30 days to report deficiencies in your data protection systems
  • Make sure auditing is enabled and audit logs are regularly reviewed
  • Encrypt all mobile devices
  • You have until December 31, 2017 to implement two-factor authentication on every system that has access to CUI data

If you have further questions or would like to talk to us about a DFARS risk assessment or policy creation, please contact us.
