What is DFARS? What businesses does it affect?
Defense Federal Acquisition Regulation Supplement (DFARS) provides Department of Defense (DoD) specific acquisition regulations that contractors doing business with DoD must follow in the procurement process for goods and services.
DFARS protects a specific type of non-classified information, Controlled Unclassified Information (CUI), that is held within its contractors. Manufacturers who want a contract with the DoD, already hold a defense contract, or are a downstream supplier to a defense contractor must all take steps to become compliant with DFARS.
The specific security requirements are drawn from a publication of NIST, the National Institute of Standards and Technology: NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
How to become compliant with DFARS:
DFARS is a risk-management-based confidentiality program at the organizational level. The data and the corresponding systems are owned by business line leaders, and the responsibility for protecting them lies with those leaders.
DFARS Compliant businesses must produce:
- System Security Plan (SSP)
- Plan of Actions and Milestones (POAM)
- CUI Environmental Management Team (CEMT)
Peters & Associates can guide you through the compliance process to fulfill your obligations under DFARS. This includes generating or gathering security documents, making proactive plans to protect CUI, and assigning roles on a team tasked with overseeing DFARS compliance.
Should you worry about DFARS?
CUI can be loosely defined as information held by those with defense contracts which is not classified but is sensitive enough that the DoD requires some protection for it.
This data used to be marked with designations such as:
- Sensitive But Unclassified
- For Official Use Only
- Law Enforcement Sensitive
The National Archives and Records Administration (NARA) decides what is designated as Controlled Unclassified Information (CUI). The Department of Defense must spell out clearly within the defense contract what information qualifies for this protection. The contract holder is then responsible for communicating with its downstream suppliers to ensure that compliance