A common question that small DoD contractors and subcontractors have is whether they are subject to the requirements of the Defense Federal Acquisition Regulation Supplement. This regulation concerns the way firms manage Controlled Unclassified Information and the minimum level of security practices that they need to adhere to.
https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars800-171-compliance that any size DoD contractors “that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards.”
Subcontractors that work with Controlled Unclassified Information are also responsible for following these regulations. NIST.gov states “These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171.”
Basically, if a firm is working with DoD Controlled Unclassified Information, they fall under DFARS requirements and should plan accordingly to bring their business into compliance.
Is It Expensive to Comply with DFARS?
The answer to this question is complicated. The areas that influence the total cost of compliance depend on several factors. The DoD contractor’s IT infrastructure complexity and the current state of its cybersecurity measures plays a large role in the expenses associated with compliance. If they already have robust IT security measures in place, it’s possible that they don’t have to change much, if anything, to meet the DFARS requirements.
The next cost-influencing consideration is whether the DoD contractor wants to do the work necessary for compliance in-house, or if they end up hiring a cyber security expert to do it for them.
A good start for small manufacturers is to purchase a gap analysis from a DFARS consultant. This analysis gives them a concrete direction on what they need to do to address the issues with security in their infrastructure. They can choose to remediate themselves or to pay an IT company to do it for them.
DoD contractors should look at the resources that they have available in-house, their current contract load and the opportunity costs associated with tackling compliance themselves. They need more than someone familiar with IT security. They need specialists who are fully acquainted with the DFARS requirements and what that looks like in practice.
The Cost of Non-compliance
Some DoD contractors may balk at the expenses associated with complying with DFARS. However, the costs for not complying with the regulations may end up being more of a resource drain in the long run. You may get a False Claims Act filed against you, be considered in breach of contract, have your existing contracts terminated or end up getting suspended. Your reputation takes a hit and you may find it difficult to get DoD contracts in the future.
The Pentagon is now factoring in cyber security assessments in their contract awards processes. If you don’t follow DFARS requirements, then you may end up losing out to your competitors during the bidding process. It takes a lot of time and effort to build up contacts and trust with the DoD. No one wants to lose that as an attempt to cut cyber security costs, especially when improving security is a best practice for businesses to begin with.
DFARS compliance should result in DoD contractors winning more contracts over time. It should be seen as a competitive advantage, as the business has proven that they’re willing to put the appropriate measures in place to keep CUI protected from unauthorized access and use.