DFARS Compliance Checklist

August 2, 2021, by Michael Diener

An important part of government contracting is following all of the guidelines put in place by various agencies to ensure work is carried out safely, cost-effectively and fairly. Department of Defense contractors who handle certain types of information are responsible for adhering to the DFARS requirements.

What Is DFARS Compliance?

DFARS stands for the Defense Federal Acquisition Regulation Supplement, the Department of Defense's supplement to the Federal Acquisition Regulation. Its cybersecurity clause, DFARS 252.204-7012, requires contractors to implement the security requirements in NIST SP 800-171 and to report cyber incidents to the DoD.

Any business that transmits, stores or processes Controlled Unclassified Information (CUI) on its own systems must meet these requirements in order to work as a DoD contractor or subcontractor, and prime contractors must flow the clause down to subcontractors that handle CUI.

What Is The DFARS Compliance Checklist?

The security requirements themselves are defined in NIST SP 800-171. A practical walkthrough for checking them is the 170-page NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, which is free to access online at
https://nvlpubs.nist.gov/nistpubs/hb/2017/NIST.HB.162.pdf.

NIST SP 800-171 contains 110 security requirements divided across 14 families, and each has its own requirements and specifications. Digital security is a constantly evolving field, and the guidelines are expected to be updated every few years, so check that the revision you assess against is the one your contract cites.


Specific Points Of The DFARS Compliance Checklist

Highlighted below are some key points to consider within the 14 control families of the DFARS Compliance Checklist.

1. Access Control

This covers whether users must log in to gain access and whether access control lists are used to limit access to data based on users’ roles or identities, so that each account has only the privileges its job requires. It also covers architectural solutions for controlling the flow of system data, such as proxies and firewalls, and whether responsibilities are separated to eliminate conflicts of interest.

2. Awareness And Training

This looks at whether users, managers and administrators are given initial and annual training as well as basic security awareness training.

3. Audit And Accountability

Creating, protecting and retaining information system audit records for monitoring, investigating and reporting inappropriate or unlawful information system activity is a key component of this section. Other areas this point covers include internal system clocks for generating timestamps for audit records and alerting employees with security responsibilities of audit processing failures.

4. Configuration Management

This covers the development and maintenance of baseline configurations for all information system types and the tracking of changes to them. It also outlines how information systems should be configured to only permit authorized software to run and how user controls must be implemented to prevent unauthorized software from being installed.

5. Identification And Authentication

This pertains to best practices when it comes to using passwords. NIST SP 800-171 requires a minimum password complexity without fixing a length; a common policy is at least 12 characters with a mix of lower- and upper-case letters, numbers and special characters. It also covers multifactor authentication (required for local and network access to privileged accounts and for network access to non-privileged accounts), disabling or deleting accounts when individuals leave the company, storing only cryptographically protected passwords such as salted hashes, and unique account identifiers for all users.

6. Incident Response

Some of the topics covered in this point are the company’s incident response policy regarding handling incidents that involve CUI and how the company tests its incident response capabilities.

7. Maintenance

This looks at whether the company carries out maintenance on its information system and if controls are used to limit all aspects of this maintenance. It is also concerned with whether media provided by authorized maintenance personnel for diagnostics and troubleshooting are run through virus scanners prior to being used in the company’s information system.

8. Media Protection

The Media Protection section of the checklist looks at whether the company limits CUI media access to authorized users and whether CUI systems such as company laptops use asset control identifiers such as ID tags with unique numbers. It also addresses the encryption of CUI data on media prior to transport outside of the business’s secure locations.

9. Personnel Security

The Personnel Security component looks at whether individuals are screened before being granted access, and whether the company disables access to its information system before an employee is transferred or terminated.

10. Physical Protection

This addresses whether the facility or building manager has designated sensitive areas with physical security protections such as locks or guards limiting physical access to the area. It also assesses whether physical access is monitored and logs are maintained.

11. Risk Assessment

This covers the company’s risk management policy, periodic risk assessments, documentation of changes in use or infrastructure, scanning of systems for new vulnerabilities, and action plans for mitigating vulnerabilities.

12. Security Assessment

The Security Assessment component looks at whether periodic security assessments are carried out to ensure security controls are properly implemented, as well as what is included in these assessments and whether deficiencies are tracked in a plan of action.

13. Systems And Communications Protection

This addresses whether the system monitors and manages communications and how unauthorized information transfer is prevented, among other points.

14. System And Information Integrity

This family covers how system flaws are identified and corrected and how the company monitors for attacks and unauthorized connections.

Becoming DFARS compliant gives the DoD and the prime contractors you supply confidence that your organization has met the necessary requirements set by the DoD. Since late 2020, DFARS 252.204-7019 and 252.204-7020 also require contractors to score their NIST SP 800-171 implementation using the DoD Assessment Methodology and post that score to the Supplier Performance Risk System (SPRS) before award. Follow our DFARS Compliance Checklist to help make better decisions on the state of your organization’s regulatory compliance.


About Diener & Associates CPAs LLC

Diener & Associates CPAs LLC has been a leading provider of professional CPA services in the DC metropolitan area since 1989. We offer a range of consulting/advisory, outsourced accounting, and tax services to assist businesses with their most challenging processes. Regardless of your industry of operation, Diener & Associates CPAs LLC can maximize your organization’s efficiency, scalability, and profitability.
