An important part of government contracting is following all of the guidelines put in place by various agencies to ensure work is carried out safely, cost-effectively and fairly. Department of Defense contractors who handle certain types of information are responsible for adhering to the DFARS requirements.
What Is DFARS?
DFARS stands for the Defense Federal Acquisition Regulation Supplement. This is a set of security standards put in place by the Department of Defense.
Any business that transmits, stores or processes Controlled Unclassified Information (CUI) must follow the rules outlined by DFARS in order to work as a DoD contractor or subcontractor.
What Is The DFARS Compliance Checklist?
The guidelines are quite complex and are outlined in an official 170-page document known as the NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, which is free to access online at
In the NIST SP 800-171, there are more than 100 different controls divided across 14 families, and each has its own requirements and specifications. Digital security is a constantly evolving field, and the guidelines are expected to be updated every few years.
Specific Points Of The DFARS Compliance Checklist
Highlighted below are some key points to consider within the 14 control families of the DFARS Compliance Checklist.
1. Access Control
This covers whether users must log in to gain access and whether access control lists are used to limit access to data based on users’ roles or identities. It also covers architectural solutions for controlling the flow of system data, such as proxies and firewalls, and whether responsibilities are separated to eliminate conflicts of interest.
2. Awareness And Training
This looks at whether users, managers and administrators are given initial and annual training as well as basic security awareness training.
3. Audit And Accountability
Creating, protecting and retaining information system audit records for monitoring, investigating and reporting inappropriate or unlawful information system activity is a key component of this section. Other areas this point covers include internal system clocks for generating timestamps for audit records and alerting employees with security responsibilities of audit processing failures.
4. Configuration Management
This covers the development and maintenance of baseline configurations for all information system types and the tracking of changes, It also outlines how information systems should be configured to only permit authorized software to run and how user controls must be implemented to prevent unauthorized software from being installed.
5. Identification And Authentication
This pertains to best practices when it comes to using passwords, such as using at least 12 characters and a mix of lower- and upper-case letters, numbers and special characters. It also covers multifactor authentication for local access to privileged accounts, deleting accounts when individuals leave the company, salting hashed passwords, and unique account identifiers for all users.
6. Incident Response
Some of the topics covered in this point are the company’s incident response policy regarding handling incidents that involve CUI and how the company tests its incident response capabilities.
This looks at whether the company carries out maintenance on its information system and if controls are used to limit all aspects of this maintenance. It is also concerned with whether media provided by authorized maintenance personnel for diagnostics and troubleshooting are run through virus scanners prior to being used in the company’s information system.
8. Media Protection
The Media Protection section of the checklist looks at whether the company limits CUI media access to authorized users and whether CUI systems such as company laptops use asset control identifiers such as ID tags with unique numbers. It also addresses the encryption of CUI data on media prior to transport outside of the business’s secure locations.
9. Personnel Security
The Personnel Security component looks at whether individuals are screened before being granted access, and whether the company disables access to its information system before an employee is transferred or terminated.
10. Physical Protection
This addresses whether the facility or building manager has designated sensitive areas with physical security protections such as locks or guards limiting physical access to the area. It also assesses whether physical access is monitored and logs are maintained.
11. Risk Assessment
This covers the company’s risk management policy, periodic risk assessments, documentation of changes in use or infrastructure, scanning of systems for new vulnerabilities, and action plans for mitigating vulnerabilities.
12. Security Assessment
The Security Assessment component looks at whether periodic security assessments are carried out to ensure security controls are properly implemented, as well as what is included in these assessments.
13. Systems And Communications Protection
This addresses whether the system monitors and manages communications and how unauthorized information transfer is prevented, among other points.
14. System And Information Integrity
This family covers how system flaws are identified and corrected and how the company monitors for attacks and unauthorized connections.