You’re probably familiar with the Federal Acquisition Regulation (FAR). It’s pretty much the rule book for federal contracting on both sides of the table. If you’re looking to set up shop with the Department of Defense (DoD), you’re going to want to get familiar with a supplement of FAR called DFARS and learn how to maintain DFARS compliance.

Spoiler Alert: It’s a time-consuming process (but it’s worth it).

If you’re new to federal contracting or interested in working with the DoD, let this post serve as an outline or introduction to DFARS compliance. DFARS, much like FAR, is massive. There are tons of requirements depending on what products or services you offer. We can’t go into every little detail for every situation, so we’re going to cover the basics:

What is DFARS?

Government contracting is the most heavily regulated sector in the U.S. economy. FAR pretty much sets up the rules for agencies and contractors alike. However, if you know a thing or two about the U.S. federal government, you know there are numerous departments, agencies, and bureaus for just about everything.

FAR does cover a lot of ground, but there are further supplements needed for the particular agencies. As you probably could have guessed, there are a lot of added security measures needed to work with the DoD. That’s why there’s DFARS to further regulate this area of government contracting. In some cases, DFARS even deviates from FAR.

You can find the full set of regulations right here.

Who can work with the DoD?

The first thing you need to do in order to work with the DoD is to get registered in the System for Award Management (SAM). This database is a requirement for all businesses seeking to perform contracts with the federal government. This registration also applies to entities looking for federal grants.

Also, businesses located outside of the U.S. can work on some opportunities with the DoD. DFARS outlines “DFARS Countries,” which means if your entity is based in one of the designated nations on their list, you are eligible for DoD contracting. You can find them on the map below.

The second general requirement for DFARS compliance pertains to cybersecurity. Again, depending on what products or services you offer, there will be different regulations you will have to adhere to. The cybersecurity requirements apply all across the board…even to subcontractors.

Published in 2015, revisions to DFARS 252.204-7012 (sometimes referred to as DFARS 7012) require all DoD contractors and subcontractors to:

Safeguard covered defense information

Report cyber incidents

Submit malicious software

Facilitate damage assessment

The DFARS Compliance Checklist

As you probably already guessed, the requirements for DFARS compliance are much more specific than just four lines. Here’s a breakdown of what each item means for DoD contractors.

Safeguard Covered Defense Information

You can’t just tell the DoD that your business is safe from cyber threats. The specific requirements for safeguarding defense information are outlined in the National Institute of Standards and Technology’s (NIST) Special Publication 800-171. This will probably be the most time-consuming requirement for working with the DoD. But remember, think of this as an investment in your business rather than just another cost. There’s a lot of money to be made in defense contracting and subcontracting.

The requirements include:

Access Control

Awareness and Training

Audit and Accountability

Configuration Management

Identification and Authentication

Incident Response

Maintenance

Media Protection

Personnel Security

Physical Protection

Risk Assessment

Security Assessment

System and Communications Protection

System and Information Integrity

Report Cyber Incidents

You can have the best cybersecurity practices in place and still face issues. What’s important is that you know how to report such incidents to the DoD. After you have conducted a review for evidence of compromise, visit the Defense Industrial Base Cybersecurity Information Sharing Program’s site at:

https://dibnet.dod.mil/portal/intranet/

As soon as possible, submit an Incident Collection Form (ICF).

Submit Malicious Software

This requirement is another action you need to take to remain DFARS compliant. To submit the malicious software to the DoD Cyber Crime Center (DC3), access the Malware Submission Form at:

https://dcise.cert.org/icf/

That link probably didn’t work for you. That’s because you will need a DoD-approved PKI certificate. When the time comes, you can download one for your computer right here.

Facilitate Damage Assessment

If the DoD decides to conduct a damage assessment, they will request that the contractor or subcontractor provide all media and damage assessment information to the contracting officer. Simply comply with this request and you will keep your DFARS compliance.

Failure for DFARS Compliance

It should come as no surprise that failing to comply with government regulations comes with penalties. If you are a DoD contractor, you will be audited by them. They take DFARS compliance and cybersecurity very seriously. If you are not compliant, you might:

Face a Stop Work Order.

Have all of your DoD contracts terminated.

Get banned from working with the DoD.

Becoming DFARS Compliant

Here’s the simple rundown for obtaining DFARS compliance. If you know you can complete the requirements yourself without any mistakes, then go ahead. This includes SAM, cybersecurity, and industry-specific conditions. Everyone else will need to bring in the big guns.

For your SAM.gov registration or other certifications, you’re going to want to work with a third-party government contracting firm. These are businesses that assist contractors with their requirements. Very few of them can actually help you write proposals and provide other services to give you a competitive edge.

For all the cybersecurity requirements, you’re going to have to subcontract a company that specializes in this field. There are even some that help DoD contractors and subcontractors specifically with DFARS 252.204-7012 requirements.