NIST 800-171 DFARS Compliant Testing

What is the DFARS (Defense Federal Acquisition Regulation Supplement)?


The Department of Defense (DoD) maintains a supplement to the Federal Acquisition Regulation (FAR) that sets out how DoD officials, contractors, and subcontractors must manage acquisitions. Every business or entity that contracts with the DoD must adhere to the DFARS clauses included in its contracts.



What are DFARS cybersecurity requirements?


The core DFARS cybersecurity requirement is that DoD contractors and subcontractors implement and maintain the security controls detailed in NIST SP (Special Publication) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." That publication specifies how organizations are to protect Controlled Unclassified Information (CUI) when it is processed, stored, or transmitted on non-federal information systems. The DFARS clause that imposes this requirement, 252.204-7012, also obliges the contractor to report cyber incidents that affect covered defense information to the DoD.


All contractors and subcontractors holding DoD contracts must meet the minimum security requirements identified in the applicable DFARS clauses. A contractor that does not meet these requirements risks losing its DoD contracts.

How to become DFARS Compliant


A contracting company's compliance with the DFARS cybersecurity requirements can be established in three ways:


  1. Self-assessment: the contracting company assesses its own environment against NIST SP 800-171 and attests that it is in compliance with the publication's security requirements.

  2. Independent third-party assessment: an independent assessor audits the contractor, or verifies a certification the contractor holds, to confirm that the contractor has met and continues to maintain the requirements behind that certification.

  3. Government assessment: a federal assessment team inspects the contractor to confirm that its security posture meets the minimum DFARS requirements.




Who Must Be DFARS-Compliant?


Any company that performs work for the DoD must ensure that it is DFARS compliant. Much of this work is done by major defense companies that hold long-running DoD contracts, but many smaller businesses also win DoD contracts. The major defense companies typically have established processes and procedures that keep them DFARS compliant; smaller companies often have to adapt their business model to satisfy the DFARS requirements.


Major defense contractors (the list below mixes US prime contractors with non-US firms that perform DoD work) include:


  • Lockheed Martin

  • Boeing

  • Raytheon

  • BAE Systems

  • Northrop Grumman

  • General Dynamics

  • L3Harris Technologies

  • Airbus

  • Thales Group

  • United Technologies

  • Honeywell

  • Rolls-Royce

  • General Electric

  • Mitsubishi Heavy Industries


DFARS compliance is an absolute requirement under the following conditions:

  • If you are a subcontractor to a defense contractor (major or not) on work that involves covered defense information; DFARS Clause 252.204-7012 must be flowed down to such subcontracts, so the obligation reaches subcontractors at every tier

  • If your contract or project with the DoD involves CUI, including controlled technical information (earlier versions of the clause used the term Unclassified Controlled Technical Information, UCTI, for this category)

  • If the solicitation you are bidding on contains DFARS Provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls

  • If you are awarded a contract that contains DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting