Federal Defense Contractors Prioritize DFARS Compliance – The National Law Review

Federal defense contractors that are subject to the Federal Acquisition Regulation (FAR) and its Defense Federal Acquisition Regulation Supplement (DFARS) need to make compliance a priority. Not only is compliance mandatory when doing business with the U.S. Department of Defense (DOD), but non-compliance can potentially threaten national security. Defense contractors found in non-compliance with DFARS can face litigation and loss of their DOD contracts, and their owners and executives can even face criminal prosecution in some cases. Thus, DOD contractors must implement adequate security measures to protect confidential defense information at all times.
So, what does it take to become DFARS compliant? How can federal defense contractors assess their compliance efforts and remain compliant on an ongoing basis? What should defense contractors do if they discover internal DFARS compliance failures? Here are 10 keys to DFARS compliance success in 2022:
“DFARS compliance should be a priority for all federal defense contractors that have access to CUI. The DOD is enforcing DFARS compliance in 2022, and defense contractors that fail to meet their obligations are at risk of steep penalties. In many cases, defense contractors’ owners and executives can be at risk as well.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
All federal defense contractors that have access to (or will have access to) Controlled Unclassified Information (CUI) are subject to the same general requirements under DFARS. DOD contractors must comprehensively satisfy these DFARS requirements, and this starts with understanding where their compliance needs lie.
DFARS compliance can have implications for nearly all aspects of a federal defense contractor’s operations. While the controls, systems, and protocols federal defense contractors need to maintain compliance largely fall in the cybersecurity realm, there are contractual, operational, and other aspects to DFARS compliance as well. As a result, defense contractors should conduct a comprehensive internal DFARS compliance needs assessment focused on identifying all areas of their businesses impacted by their federal duties.
Most federal defense contractors (and aspiring federal defense contractors) have cybersecurity policies and protocols in place; and, to the extent that these policies and protocols are adequate, there is no need to reinvent the wheel. With that said, general cybersecurity measures implemented outside of DFARS compliance are likely to be insufficient in various regards.
Broadly speaking, the obligation for federal defense contractors to comply with DFARS seeks to ensure that all private entities in possession of CUI protect this information with at least the same level of effort and security as the federal government. As explained in National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations:
“[F]ederal information designated as CUI has the same intrinsic value and potential adverse impact if compromised—whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation.”
With this in mind, federal defense contractors should not assume that their existing cybersecurity policies, security controls, and protocols are sufficient to protect CUI in compliance with DFARS. Instead, they should examine these policies and protocols from the perspective of seeking to understand where they are insufficient to meet the DFARS compliance requirements.
As noted above, all federal defense contractors are subject to the same basic requirements under DFARS. These DFARS compliance requirements fall into 14 “families” that, as NIST explains, “are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200.” FIPS Publication 200 establishes minimum cybersecurity standards for federal offices and agencies that possess CUI.
But, while all federal defense contractors are subject to the same basic requirements, this does not mean that DFARS compliance is a standardized process. On the contrary, defense contractors need to develop a system security plan and take a custom-tailored approach to DFARS compliance that focuses on establishing and maintaining compliance within their unique relationships and operations.
The 14 “families” of DFARS requirements (as set out in NIST SP 800-171) are:
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity
Within each of these 14 “families” exist both “basic security requirements” and “derived security requirements.” Most of these requirements are general in nature, and thus it is left to federal defense contractors (and their lawyers and consultants) to interpret the requirements in light of the specific risks their operations and systems present for CUI. NIST even describes these as “high-level” requirements. Ultimately, after implementing their DFARS compliance programs, federal defense contractors must be confident that their programs are adequate to prevent intrusions, prohibited disclosures, and misappropriation of CUI to a degree consistent with the risks presented.
When it comes to DFARS compliance, simply having policies and protocols is not enough. Federal defense contractors must effectively implement their policies and protocols as well, and they must do so on a company-wide scale.
There are several aspects to effectively implementing a DFARS compliance program. Engaging a qualified cybersecurity vendor is an important step, but it is just one of many. Federal defense contractors must carefully negotiate their cybersecurity vendor contracts to ensure that they have all necessary rights and remedies. They must also provide adequate training to the appropriate internal personnel, and they must ensure that those personnel can manage the company’s cybersecurity program effectively enough not only to identify risks pertaining to CUI and DFARS compliance but also to address those risks proactively.
Monitoring and assessment are also critical to successful DFARS compliance. Federal defense contractors should monitor for cybersecurity breaches and other compliance failures on an ongoing basis, and they should conduct periodic assessments focused on identifying flaws in their (and their cybersecurity vendors’) systems. Not only are these steps essential for preventing unauthorized access to CUI, but they are also essential for demonstrating good-faith compliance efforts to the DOD.
In addition to monitoring the effectiveness of their DFARS compliance policies and protocols, federal defense contractors must also monitor for necessary modifications and upgrades. The need to make modifications or upgrades can arise in three primary ways:
Discovering deficiencies in the company’s DFARS compliance program
Modifying the company’s operations or entering into new contracts that have CUI implications
The federal government’s implementation of new or modified standards or requirements
While the DOD might send notices to defense contractors when the government adopts new standards regarding the protection of CUI, contractors cannot rely on the DOD to tell them when they need to adapt to new rules or regulations. Instead, contractors should rely on their outside lawyers or consultants—who should be monitoring for updates on behalf of their clients on an ongoing basis.
Whether a compliance failure originates internally or externally, federal defense contractors must promptly address it once identified. Defense contractors should have documented incident response plans, and they should faithfully execute these plans following malicious intrusions, employee thefts, and other events that compromise CUI. While the DOD expects defense contractors to protect CUI, the DOD has even greater expectations when it comes to remedying defense contractors’ CUI security failures.
When addressing DFARS compliance, federal defense contractors cannot rely solely on the DFARS regulations and NIST’s guidance. Defense contractors must also address their specific contractual obligations, and they must comply with all other pertinent federal laws, rules, and regulations. Among other things, these sources of authority establish requirements for defense contractors to disclose suspected cybersecurity incidents impacting CUI in many circumstances, and failure to make required disclosures can have significant legal implications for contractors (along with the implications of DFARS non-compliance).
Non-compliance with DFARS can have several consequences. The DOD actively enforces defense contractors’ compliance obligations, and contractors found in violation of DFARS can face civil or criminal penalties depending on the circumstances involved. Defense contractors’ owners and executives must take these risks into account when addressing DFARS compliance in 2022. Possible consequences of DFARS non-compliance include:
Termination of DOD contracts
Loss of DOD contract eligibility
Federal contract litigation
Civil or criminal prosecution for False Claims Act violations
Prosecution for other federal crimes
Given the risk of facing DOD scrutiny—and the potential consequences of being found in non-compliance—federal defense contractors should be prepared to affirmatively demonstrate DFARS compliance when necessary. This means that defense contractors should have on hand not only their DFARS compliance programs, but documentation of their ongoing monitoring, assessment, enforcement, and remediation efforts as well. In the event of a DOD investigation, being able to use pre-existing documentation to demonstrate good-faith compliance can significantly mitigate the risks facing defense contractors and their owners and executives.
About this Author
Dr. Nick Oberheiden focuses his litigation practice on white-collar criminal defense, government investigations, SEC & FCPA enforcement, and commercial litigation. He has defended clients in PPP Loan Fraud cases and COVID-19 investigations. Nick also directs internal corporate investigations and he leads defense teams in whistleblower actions, corporate defense cases, as well as cases involving national security and elected officials.
Clients from more than 45 U.S. states have hired Nick to seek effective protection against government…