What Are The DFARS Cybersecurity Requirements
March 15, 2021
Featured article by Andrew Gazer, Tech Advocate and Cybersecurity Professional
One of the primary responsibilities of the Department of Defense (DoD) is to manage the military affairs of the United States. Although the DoD has a large workforce of its own, it cannot handle every military matter by itself, especially the production of military assets. As such, the Department of Defense outsources much of this work and relies on the support of defense contractors.
What Are Defense Contractors?
Defense contractors are any individual, firm, partnership, company, or association that has entered a contract with the DoD, promising to provide military-related supplies and services. Examples of products and services offered by defense contractors include:
- Electronic systems
- Information technology (IT)
The Department of Defense was founded in 1947, and just two years later, after the Geneva Conventions, the DoD decided to start relying on defense contractors. Hence, it’s safe to assume that the DoD has been using this system throughout its history. However, more than ten years ago, the Department of Defense implemented a new set of rules that determines whether a company is eligible to become a defense contractor—the DFARS.
What Is DFARS?
DFARS, or Defense Federal Acquisition Regulation Supplement, is a set of conditions implemented by the DoD in 2010 to ensure that only companies with reliable cybersecurity can become defense contractors. With these rules, all contractors, and even their subcontractors and suppliers, become less susceptible to cyber threats.
As a result, not every company that produces weaponry or any military-related services can become a defense contractor. So, what does one have to do to qualify for this position?
DFARS Cybersecurity Requirements
Data security can be quite complex, even for the Department of Defense. Hence, to keep the requirements straightforward, they built on standards already created by the National Institute of Standards and Technology (NIST), particularly NIST SP 800-171. You can learn more about this by reading this blog post.
Either way, if a company wants to be DFARS-compliant, they’ll have to meet the minimum requirements, which can be quite tricky since there are 14 groups of rules. For your reference, all defense contractors must:
- Provide sufficient security to all IT systems storing essential data
- Run assessments on environments that contain classified information
- Install either multifactor authentication or two-factor authentication on all local and network servers containing valuable data
- Identify incidents regarding cybersecurity and report them to the Department of Defense
Upon meeting these requirements, a company or even an individual can become a defense contractor, but why is there a need for these requirements in the first place?
Importance Of DFARS Cybersecurity Requirements
Since defense contractors are basically working with the Department of Defense, they’ll naturally have access to some confidential data, which can compromise national security if revealed to US adversaries. The problem is that there are contractors that don’t have a reliable security system, so outside threats, like hackers, can take advantage of this opening.
To top it all off, cyber threats have become more serious recently, so it’s only natural for the Department of Defense to come up with a solution, and that solution is the DFARS. But looking at the requirements, it’s apparent that meeting them is difficult. So, why do numerous companies still struggle to become defense contractors?
Benefits Of Being A Defense Contractor
The main advantage of being a defense contractor is profitability. After all, becoming a defense contractor is equivalent to turning a fraction of the US government into your client, providing you with a consistent stream of income.
In fact, the US spent around USD$675 billion for its overall defense budget. What’s surprising is that more than half of it (USD$350 billion) was spent as payment for defense contractors. However, this also means that companies will aim to become defense contractors, even if it means defrauding the government.
Fraudulent Defense Contractors
Due to the difficulty of meeting the DFARS cybersecurity requirements, some companies defraud the government by making false claims regarding their cybersecurity. To be precise, they will make it look like they meet the minimum standards of DFARS when, in fact, they don’t. Thankfully, there’s a respective punishment for this criminal act—the False Claims Act.
The False Claims Act affects any individual or group that defrauds governmental programs, such as defense contracts, by making false claims. The punishment involves paying a fine of at least USD$5,000 per violation, plus three times the cost of damages. Hence, if a company incurs damage to the government equal to USD$100,000, the penalty will be at least USD$305,000.
Becoming a defense contractor is quite challenging. After all, not only will you have to meet the minimum requirements stated in the DFARS, but your company should also have products and services that can help the Department of Defense with their responsibilities. On the bright side, once you qualify as a contractor, the rewards will be phenomenal.
Andrew Gazer is a tech advocate and cybersecurity professional, highly knowledgeable in cyber law. His dedication to helping individuals and companies attain a more secure system drives him to share his cybersecurity expertise through blogging and guest posting.
Andrew is happily married and has two sons. He spends his free time bonding with his boys through sports, such as playing basketball and swimming. Also, he enjoys collecting all sorts of high-tech gadgets.