Federal contracts can be a significant source of revenue for many companies, but it is essential to adhere to the strict compliance regulations that the government has put in place. There are a lot of acronyms that government contractors need to understand and some are so similar that it can be difficult to tell them apart.
Although FAR and DFARS have several letters in common, these acronyms refer to two different concepts. In short, DFARS is one component of the broader FAR regulations. Outlined below is a look at what is covered by both FAR and DFARS.
What Is FAR?
FAR is the Federal Acquisition Regulation. This is a set of regulations that governs all the acquisitions and contracting procedures used within the federal government.
What Is Involved in FAR Compliance?
FAR sets up an umbrella of procurement regulations defining how companies must do business with the government. It covers every aspect of the procurement life cycle, including acquisition planning, source selection, and contract administration.
For example, Part 30 of FAR describes the criteria for a contract being fully covered by the cost accounting standards, while Part 31 outlines cost accounting rules. Part 44 describes a contractor’s purchasing rules.
Every company that has a federal contract must be FAR compliant. The government will review a contractor’s compliance with FAR during purchasing reviews, so staying on top of the latest rules and amendments is essential.
What Is DFARS?
DFARS is the Defense Federal Acquisition Regulation Supplement. It is a supplement to FAR and is administered by the Department of Defense.
Any business that stores, processes, or transmits Controlled Unclassified Information (CUI) is required to follow the rules of DFARS if it wishes to perform as a DOD contractor or subcontractor.
What Is Involved in DFARS Compliance?
The cybersecurity guidelines for DFARS are outlined in the NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements. This official 170-page document contains more than 100 controls spread across 14 “families”.
These control families include access control, awareness and training, configuration management, audit and accountability, incident response, identification and authentication, media protection, maintenance, risk assessment, security assessment, physical protection, personnel security, system and information integrity, and systems and communications protection.
The identification and authentication family, for example, covers best practices for using passwords, such as creating 12-character passwords with a mixture of numbers, upper-case letters, lower-case letters, and special characters. It also covers multifactor authentication, unique account identifiers for all users, and deleting accounts after individuals have left the company.
The personnel security family, meanwhile, addresses whether individuals undergo screening before being given access to information systems and whether access is disabled for employees before they are transferred or terminated.
The data security requirements that must be followed for DFARS compliance are complex, but they have two main components: providing adequate security to protect covered defense information that is stored on or transmitted through a contractor’s information systems from unauthorized access, and quickly reporting cyber incidents and cooperating with the Department of Defense in responding to them.
If an audit reveals that a contractor is not complying with DFARS, it could receive a stop-work order that prevents it from working until the appropriate security measures have been put in place. There may also be financial penalties, such as damages for breach of contract and false claims. In extreme cases, a contract could be terminated and the contractor barred from future work with the Department of Defense.
Other Areas of Compliance
FAR and DFARS are just two of many areas where government contractors must be compliant. For example, government contractors must also ensure their business processes and systems comply with the rules of the Defense Contract Audit Agency (DCAA), which is responsible for auditing Department of Defense contracts. The DCAA audits DOD contractors of all sizes to ensure that taxpayers and the military are getting what they pay for.
Being DCAA compliant means following DCAA guidelines such as using accounting systems that track direct and indirect costs separately and following a set of exacting rules governing timekeeping.
Other areas in which government contractors may need to be compliant include the Code of Federal Regulations (CFR), General Services Administration (GSA), and Cost Accounting Standards (CAS).
Government contracting regulations can be very complex, and failing to understand and follow them could compromise your contract and your ability to do business with the government in the future.