10 Top DFARS Compliance Mistakes to Avoid in 2024

Oberheiden P.C.

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules that apply to federal defense contractors with access to Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). Defense contractors must strictly maintain DFARS compliance, as failure to do so can lead to loss of federal defense contracts, prosecution under the False Claims Act, and prosecution for other federal civil and criminal offenses.

However, the compliance regulations and requirements that apply to federal defense contractors’ cybersecurity programs under DFARS are far from clear. Rather than establishing specific obligations, DFARS establishes “high-level” security requirements. Federal defense contractors are left to interpret these high-level DFARS compliance requirements in light of the unique aspects of their businesses and operations, and they must be prepared to show the U.S. Department of Defense (DOD) that they made the right decisions when called upon to do so.

“DFARS non-compliance can prove incredibly costly for federal defense contractors. As a result, defense contractors need to take an informed approach to compliance focused on avoiding mistakes that have the potential to lead to loss of CUI and unwanted DOD scrutiny.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

Given the lack of clarity in the DFARS regulations, it is not uncommon for federal defense contractors to make mistakes even with the help of a DFARS compliance checklist. Here are 10 of the top DFARS compliance mistakes defense contractors and DOD contractors need to avoid in 2023:

1. Assuming Contractors’ Existing Cybersecurity Programs Will Meet the Current DFARS Requirements

Due to the extensiveness of the DFARS regulations, existing cybersecurity programs developed without a specific focus on DFARS compliance are unlikely to meet defense contractors’ federal obligations. Even if a defense contractor’s existing cybersecurity program is sufficient, the DOD contractor will still need to document the program’s sufficiency under DFARS—and implement additional policies and procedures designed to ensure DFARS compliance on an ongoing basis.

One of the primary tools federal defense contractors use to comply with DFARS is NIST SP 800-171, the National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Contractors must comply with the security controls of NIST SP 800-171. The publication establishes “basic security requirements” and “derived security requirements” in 14 categories. Many of these requirements are general in nature (e.g., “Review and update audit events”), and this leads many defense contractors to assume that a general cybersecurity program will suffice. However, this is not the case. Defense contractors must interpret DFARS in line with the federal government’s intent, which is to ensure that private entities protect CUI in the same manner (and to the same extent) as federal offices and agencies.

2. Focusing Solely on the “Derived Security Requirements” Under DFARS

Federal defense contractors (and many cybersecurity vendors) often assume that the derived security requirements under DFARS elaborate on the basic security requirements and that they only need to focus on the former as a result. However, this also is not the case. As NIST explains, the derived security requirements “supplement” the basic security requirements. This means that defense contractors need to address both, as the derived security requirements do not necessarily encompass all aspects of the broader basic requirements in each category.

3. Failing to Negotiate with a Qualified Cybersecurity Vendor

Federal defense contractors need to work with cybersecurity vendors that have specific experience in the defense contracting sector. Defense contractors should conduct thorough due diligence (or rely on their consulting firms to conduct thorough due diligence) and select vendors that have proven track records of helping federal defense contractors protect CUI in compliance with DFARS.

After selecting a qualified cybersecurity vendor, it is equally important that federal defense contractors carefully negotiate the terms of their service agreements. For example, defense contractors should ensure that they have adequate audit and inspection rights so that they can confirm their cybersecurity vendors’ DFARS compliance efforts. In the event of a malicious intrusion resulting in unauthorized disclosure of CUI, “It was our vendor’s fault” is not a valid defense.

4. Attempting to Manage DFARS Compliance In-House

Because of the breadth of the DFARS regulations and the substantial challenges involved in establishing and maintaining DFARS compliance, most federal defense contractors will need to rely on outside counsel and consultants to help them avoid costly compliance failures. Attempting to manage DFARS compliance in-house is a common mistake, and it is one that often proves far more costly than engaging outside help. As discussed below, the risks of DFARS non-compliance are substantial. Defense contractors that don’t take compliance seriously can find themselves on the outside of federal defense procurement—potentially in addition to facing civil or criminal prosecution in federal district court.

5. Prioritizing Certain Areas of DFARS Compliance

While certain aspects of DFARS compliance may require more effort and resources than others, all aspects should be given equal priority. As with other areas of federal compliance, overlooking even a single issue can lead to adverse consequences. Federal defense contractors need to take a comprehensive approach to DFARS compliance, and they need to make sure they have appropriate policies and protocols in place before receiving CUI from the DOD.

6. Failing to Monitor and Assess DFARS Compliance On an Ongoing Basis

Another extremely common mistake federal defense contractors make regarding DFARS compliance is assuming that establishing compliance is a one-time event. This is decidedly not the case. While developing a comprehensive DFARS compliance program is a critical first step, it is just one of several steps defense contractors need to take to mitigate their risk effectively.

Federal defense contractors also need to monitor and assess DFARS compliance on an ongoing basis. If an unanticipated threat compromises CUI in a defense contractor’s possession, this is an issue the defense contractor needs to be able to identify and address immediately. In addition, the DOD expects its contractors to be able to affirmatively demonstrate that their DFARS compliance programs are working, and this means that contractors need to be continually generating documentation of threat prevention, identification, and resolution.

7. Failing to Document DFARS Compliance On an Ongoing Basis

Documenting DFARS compliance on an ongoing basis is essential for federal defense contractors. Not only does implementing an effective documentation policy ensure that contractors can identify and remedy issues as quickly as possible, but it also helps ensure that they will be able to withstand DOD scrutiny when necessary. Efforts to document DFARS compliance should be systematic rather than ad hoc, and contractors should focus on generating clear documentation without jargon or abbreviations that will be unintelligible to DOD investigators.

While federal defense contractors should be able to handle the generation and storage of DFARS compliance documentation in-house (once they have effective programs in place), defense contractors need to be careful to secure the protections of the attorney-client privilege when necessary. For example, when dealing with questions of whether a contractor’s compliance efforts are adequate or what to do in response to a cybersecurity incident with CUI implications, it is generally advisable for contractors to work with their outside counsel.

8. Failing to Respond Immediately to External or Internal Threats to CUI Security

When internal or external threats jeopardize CUI security, federal defense contractors must respond immediately. Delaying a contractor’s response for any length of time is a mistake that can have drastic consequences. Upon learning of a cybersecurity breach, employee theft, or any other form of unauthorized access or disclosure, defense contractors should immediately execute their response protocols with the oversight of their outside lawyers and DFARS compliance consultants.

From the DOD’s perspective, failing to address a known security incident is on par with failing to prevent such an incident from occurring. As a result, even if an incident occurs despite a contractor’s reasonable efforts to protect CUI, failure to respond to the incident appropriately can lead to enforcement action.

9. Making Misrepresentations to the Federal Government

Federal defense contractors cannot make misrepresentations to the DOD under any circumstances. They cannot misrepresent that they have DFARS-compliant cybersecurity programs during the bidding process, and they cannot misrepresent their compliance or remediation efforts as contractors. Not only is making material misrepresentations to the DOD grounds for contract termination, but it can also justify criminal charges against contractors’ owners and executives under 18 U.S.C. Section 1001 and other federal laws.

10. Ignoring the Risks of DFARS Non-Compliance

Finally, when it comes to DFARS-related mistakes, one of the biggest mistakes federal defense contractors can make is ignoring the risks of non-compliance. Billing the DOD when not in compliance with DFARS can trigger charges under the federal False Claims Act, and these charges can be either civil or criminal in nature depending on the circumstances involved. In many cases, the DOD will work with prosecutors at the U.S. Department of Justice (DOJ) to pursue other charges as well.

It is also important not to lose sight of the purpose of the DFARS regulations. These regulations apply to federal defense contractors that have access to CUI, and they are designed to ensure that defense contractors afford the same level of protection to CUI as the federal government. Failure to protect CUI can have serious national security implications, and malign foreign interests often target non-compliant defense contractors as a way to gain access to highly sensitive U.S. government information.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Oberheiden P.C. | Attorney Advertising
