7/18/2018 1:56 PM
Blog 2: DFARS Explained
Understanding government nomenclature and practices is confusing. While writing this blog, even our editors had to fact-check themselves. In this blog article we lightly touch on FARs, the FAR, the FARS, DFARS and some of these entities' major components.
This article is not meant to educate you on every aspect of the FAR and its derivatives. This article is meant to get your feet wet, and to give you an idea of what to expect as you begin your research in this area.
FARs – Federal Acquisition Regulations (not to be confused with FARS). FARs is a slang term used to refer to all of the rules within the FAR document.
FARS – Federal Acquisition Regulations System (not to be confused with FARs).
FAR – Federal Acquisition Regulation, a federal document that contains all of the federal acquisition regulations. FAR is not to be confused with FARs or FARS.
FARs Supplements (such as DFARS) – Agency-specific additions to the original FARs. These regulations apply only to entities of the agency that developed them and to contractors who do work with that agency.
NIST SP 800-53
NIST Special Publication 800-53 documents guidelines for adhering to a security-control-based system of categorization and management for an IT infrastructure. Just about all federal information security regulations refer back to these security controls, so this publication is very important.
NIST SP 800-171
This Special Publication covers the Security Controls in NIST SP 800-53 that apply solely to CUI. It is a simplified set of guidelines for contractors who only deal with CUI.
CUI – Controlled Unclassified Information. This is information that requires permission from the government to view, but not a clearance.
CDI – Covered Defense Information. This is CUI that "requires safeguarding or dissemination controls," as required by law, and is provided to or handled by the contractor on behalf of the government.
In this article, we'll primarily discuss DFARS, FAR and their importance, but before we go into that, it is essential to know where DFARS and the FAR come from.
The FAR (Federal Acquisition Regulation) is a document that outlines an extensive set of rules (the rules themselves are sometimes referred to as FARs, with a lower case "s") to which the government must adhere when acquiring products and services from contractors. These rules are jointly issued by the DoD (Department of Defense), GSA, and NASA (General Services Administration, August 2017). As defined in FARS 1.101, the FARS (Federal Acquisition Regulations System; notice the "S" is capitalized this time) was "established for the codification and publication of uniform policies and procedures for acquisition by all executive agencies" (General Services Administration, November 2017). The regulations were developed in part to consolidate the various acquisition regulations from multiple federal agencies and are enforced government-wide.
FARs are often quoted, word for word, in federal acquisition requests (for example RFPs, RFQs, MRRs, etc.) and provide insight into what requirements must be met to work with federal organizations. New contractors that aim to work in the federal space must adhere to guidelines based on these FARs to qualify for working with the government. The guidelines being talked about here are the NIST Special Publications.
From the above information, you can see that the FARs are the end-all-be-all set of standards for any federal entity you (the contractor) intend to do business with. DFARS is an example of a layer of icing that we'll throw on top of that.
The FARs do not regulate everything that many federal agencies need regulated. As a result, many agencies have additional sets of regulations added on to the FAR that must be adhered to only by that agency.
The icing on the cake we're talking about here is called a Supplement, in the land of "Bureautopia." Accordingly, DFARS stands for Defense Federal Acquisition Regulations Supplement. DFARS is a specific set of regulations that apply only to the DoD (Department of Defense). This means that, for us contractors, DFARS regulations must be adhered to only when working with the DoD.
To be considered DFARS compliant, a contractor's information systems must provide the same protections for federal data, and comply with the same requirements, as a federal in-house information system would. These requirements cover the protection of CDI (Covered Defense Information), which encompasses CTI (Controlled Technical Information) and CUI (Controlled Unclassified Information), on federal and non-federal information systems. These requirements can have a heavy impact on a contractor's eligibility for award of federal contracts. Fortunately, most of these requirements are based on best practices that are already used in the information security field.
The major DFARS standards that contractors need to focus on are the upkeep of incident reporting, adequate security, and subcontractor management. Understanding these areas is key to achieving compliance.
Incident reporting becomes relevant whenever an event occurs that impacts the integrity of information or an information system. The DFARS specify that a report of the incident must be released within 72 hours of detection. An assessment is also required to determine the extent of the compromise, and it must at least cover a list of compromised systems, users, and data, as well as a list of any other systems that might have been compromised.
The requirements for obtaining adequate security as defined by the DFARS depend on the system hosting the data. The DFARS reference NIST SP 800-53 to outline the security controls used to classify and secure federal information on federal systems, excluding systems used for national security. The DFARS also reference NIST SP 800-171 to define CUI (Controlled Unclassified Information) and the requirements for securing CUI on non-federal systems. Contractors and subcontractors must also follow the DoD Cloud Computing SRG (Security Requirements Guide) when using a cloud solution to host or process CDI.
When using subcontractors, it is the prime contractor's responsibility to ensure that the subcontractors are compliant with the regulations required for the work being performed. This includes ensuring that subcontractors report incidents, should they discover any, as well as follow guidelines such as NIST SP 800-171 if they possess any CUI or are a Cloud Service Provider hosting or processing CUI.
Becoming DFARS compliant is essential to establishing your company as a capable contractor with the government. Working with the government can be a lucrative endeavor and can grow your company at an accelerated rate if approached correctly. DFARS compliance can also provide your company with better security against external threats, which benefits your commercial clients. The added security measures can prevent millions of dollars in damages from external data breaches and open up profitable options, which justify the cost of becoming DFARS compliant. Does your infrastructure meet the bar?
References
General Services Administration. (2017, August 13). Federal Acquisition Regulation (FAR). Retrieved from U.S. General Services Administration: https://www.gsa.gov/policy-regulations/regulations/federal-acquisition-regulation-far
General Services Administration. (2017, November 6). Federal Acquisition Regulation (FAR). Retrieved from acquisition.gov: https://www.acquisition.gov/?q=browsefar
Tyler Evans / Nick Ingram