DFARS Cybersecurity Compliance

Federal government contracts are excellent vehicles for sustaining and growing companies. Included among the terms and conditions for doing business with the federal government, however, are requirements for protecting government information. These requirements “flow down” to subcontractors; they are not limited to prime contractors. Different levels of security are required. Federal Contract Information (FCI) is protected under FAR 52.204-21[i], which is required for any federal contract. Additional security controls are required for the Department of Defense (DoD) supply chain. Those controls are described in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 by reference to the NIST SP 800-171 guidelines. Essentially, these controls protect Controlled Unclassified Information (CUI). In other words, they ensure sensitive information is kept confidential and secure.

What is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules for organizations, and their supply chains, that do business with the DoD. Several of its clauses[ii] address the need to protect the confidentiality of proprietary DoD information that is not classified: DoD CUI[iii]. These clauses are “included by reference.” As such, the security control requirements “flow down” through the supply chain. Organizations in the DoD supply chain must comply with DFARS as a contractual obligation.

What is CUI?

CUI stands for Controlled Unclassified Information and is sensitive but unclassified information that is in the national security interest of the United States of America. This information is not intended to be public[iv].

What is NIST SP 800-171?

NIST, or the National Institute of Standards and Technology, has developed the Special Publication (SP) 800-171 as a set of guidelines derived from NIST SP 800-53[v] to protect Controlled Unclassified Information (CUI) in nonfederal organizations or systems. Organizations within the DoD supply chain that handle CUI must follow the recommendations in NIST SP 800-171, in addition to satisfying sections c through g of DFARS 7012[vi]. Organizations must implement the 110 security controls contained in the 14 Security Control Families listed below:

  • Access Control
  • Incident Response
  • Identification & Authentication
  • System & Information Integrity
  • Awareness & Training
  • Configuration Management
  • Security Assessment
  • Audit & Accountability
  • Maintenance
  • Media Protection
  • Risk Assessment
  • Personnel Security
  • System & Communications Protections
  • Physical Protection

What are the next steps for DFARS compliance and implementation of NIST SP 800-171 controls?

Fortunately, organizations can show evidence that they have implemented the security controls in NIST SP 800-171 by performing a self-assessment. This self-attestation can be performed as a “do it yourself” exercise or by hiring a third-party professional to provide consulting assistance: walking through the requirements, making recommendations about mitigating control gaps, and assisting with supporting documentation and workforce training. Many service combinations are possible.

In order to maintain current, or obtain new, contracts within the DoD supply chain, organizations must comply with DFARS and implement the NIST SP 800-171 controls. This includes posting self-assessment scores (based on NIST SP 800-171) to the Supplier Performance Risk System (SPRS). Upon completion, organizations can take on more contracts by opening up options in the government sector.

iMpact Utah Services

Is your organization ready to comply with DFARS and implement NIST SP 800-171? Contact us below for more information about these services today, so your organization can comply with DoD regulations, start taking on new federal contracts, and reduce cybersecurity risk generally.


[i] Addresses basic safeguarding of covered contractor information systems.

[ii] These are DFARS 252.204-7008 (safeguarding covered defense information, or CDI); 7009 (limitations on the use or disclosure of third-party contractor reported cyber incident information); 7012 (safeguarding covered defense information and cyber incident reporting); 7019 (notice of NIST SP 800-171 DoD assessment requirements); 7020 (reserves the right for an onsite DoD assessment); and 7021 (Cybersecurity Maturity Model Certification requirement).

[iii] DoD CUI Program https://www.dodcui.mil/

[iv] National Archives, CUI https://www.archives.gov/cui

[v] NIST SP 800-53, Security and Privacy Controls for [Federal Government Controlled] Information Systems and Organizations, which is now in its fifth revision.

[vi] Sections c through g of DFARS 7012 describe requirements for reporting security incidents that involve the compromise of CUI.
