Navigating DFARS to ensure compliance and avoiding trouble

By Heather Engel, Sera-Brynn, Executive Vice President

This article is the first in a series.

In a world of high stakes security, it’s incumbent upon government contractors to comply with federal regulations. The largest buyer of goods and services in the world is the U.S. federal government, with the Department of Defense (DoD) contributing a significant amount to those purchases. These purchases and acquisitions are subject to myriad of Federal Acquisition Regulation (FAR) requirements.

A supplement to FAR is the Department of Defense’s “Defense Federal Acquisition Regulation Supplement,” that is specific to the Department of Defense that contractors and subcontractors to the agency must follow in the procurement process for goods and services.

A critical component of DFARS was amended by DoD in 2015 at contractor and subcontractor levels to require information security standards developed by the National Institute of Standards and Technology (NIST).

If you do business with the DoD, your company is required to safeguard covered defense information and promptly report cyber incidents under DFARS Clause 252.204-7012.

DFARS responsibilities

The first step to understanding your responsibilities with DFARS regulations, including 252.204-7012 and 7008, is understanding what information you have, what information you may create and what you may share with subcontractors in the performance of the work.

There’s also the question of how you will protect the information. Other considerations include whether your network is segmented and if your segmentation is scalable as your defense-related work expands.

Once you know what you have, how will you protect the information and comply with the the NIST standards?

A typical accreditation process involves multiple steps along with a strategy for continuous improvement. Very few companies will be ready to certify immediately, so understanding how long it will take to get there is critical. It’s also important not to lose sight of overall security for compliance sake – make sure that technology and policy supports your overall cyber risk management strategy.

Besides protecting CDI, these clauses require cyber incident reporting through an online DoD site within 72 hours of discovery, so make sure you are prepared with access information and contract specifics before you need it. Images of all known, affected systems must be maintained for 90 days and contractors may be required to grant DoD access for forensic investigations. Incident response planning is a must to ensure operational and mission continuity.

Insider but not a competitor

If all this seems overwhelming, it doesn’t have to be.

At Sera-Brynn, we bring an insider’s perspective and have extensive background in DoD certification and accreditation work. Navigating DFARS regulations requires understanding intimately the processes, requirements and complexities of the Federal and DoD accreditations.

It’s important to have someone who is not a DoD contractor help you navigate the process, ensure you are compliant and help protect you from potential penalties, or even having a contract terminated. Otherwise it would be like having a competitor have access to your sensitive information.

If you have questions or seek additional information, feel free to reach out to us via phone or email: 757-243-1257 or

About Heather Engel

Heather Engel is a Fully Qualified Navy Validator, which requires credentials that include: Advanced certifications in Information Assurance; A minimum of five years performing Certification and Accreditation on Navy Systems; Additional training in Systems Management; Systems Certification and Risk Analysis; Demonstrated knowledge of Navy IA policies and the responsibilities of a Navy Validator. Engel provides risk management and business intelligence to Sera-Brynn clients across a wide variety of industries, carrying more than 15 years of experience in risk and compliance system integration, disaster recovery, security policy and security testing and evaluation.