{"id":810,"date":"2021-08-02T09:30:14","date_gmt":"2021-08-02T13:30:14","guid":{"rendered":"https:\/\/www.diener.org\/?p=810"},"modified":"2023-02-20T23:44:43","modified_gmt":"2023-02-21T04:44:43","slug":"dfars-compliance-checklist","status":"publish","type":"post","link":"https:\/\/www.diener.org\/dfars-compliance-checklist\/","title":{"rendered":"DFARS Compliance Checklist"},"content":{"rendered":"<p>An important part of government contracting is following all of the guidelines put in place by various agencies to ensure work is carried out safely, cost-effectively and fairly. Department of Defense contractors who handle certain types of information are responsible for adhering to the DFARS requirements.<\/p>\n<h2>What Is DFARS Compliance?<\/h2>\n<p>DFARS stands for the <a href=\"https:\/\/www.acquisition.gov\/dfars\" rel=\"noopener\" target=\"_blank\">Defense Federal Acquisition Regulation Supplement<\/a>. This is a set of security standards and regulations put in place by the Department of Defense that affiliate organizations must comply with.<\/p>\n<p>Any business that transmits, stores or processes Controlled Unclassified Information (CUI) must follow the rules outlined by DFARS in order to work as a DoD contractor or subcontractor.<\/p>\n<h2>What Is The DFARS Compliance Checklist?<\/h2>\n<p>The guidelines are quite complex and are outlined in an official 170-page document known as the NIST Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, which is free to access online at<br \/>\n<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/hb\/2017\/NIST.HB.162.pdf\" rel=\"noopener\" target=\"_blank\">https:\/\/nvlpubs.nist.gov\/nistpubs\/hb\/2017\/NIST.HB.162.pdf<\/a>.<\/p>\n<p>In the NIST SP 800-171, there are more than 100 different controls divided across 14 families, and each has its own requirements and specifications. 
Digital security is a constantly evolving field, and the guidelines are expected to be updated every few years.<\/p>\n<hr>\n<h2>Specific Points Of The DFARS Compliance Checklist<\/h2>\n<p>Highlighted below are some key points to consider within the 14 control families of the DFARS Compliance Checklist.<\/p>\n<h3>1. Access Control<\/h3>\n<p>This covers whether users must log in to gain access and whether access control lists are used to limit access to data based on users\u2019 roles or identities. It also covers architectural solutions for controlling the flow of system data, such as proxies and firewalls, and whether responsibilities are separated to eliminate conflicts of interest.<\/p>\n<h3>2. Awareness And Training<\/h3>\n<p>This looks at whether users, managers and administrators are given initial and annual training as well as basic security awareness training.<\/p>\n<h3>3. Audit And Accountability<\/h3>\n<p>Creating, protecting and retaining information system audit records for monitoring, investigating and reporting inappropriate or unlawful information system activity is a key component of this section. Other areas this point covers include internal system clocks for generating timestamps for audit records and alerting employees with security responsibilities of audit processing failures.<\/p>\n<h3>4. Configuration Management<\/h3>\n<p>This covers the development and maintenance of baseline configurations for all information system types and the tracking of changes. It also outlines how information systems should be configured to only permit authorized software to run and how user controls must be implemented to prevent unauthorized software from being installed.<\/p>\n<h3>5. Identification And Authentication<\/h3>\n<p>This pertains to best practices when it comes to using passwords, such as using at least 12 characters and a mix of lower- and upper-case letters, numbers and special characters. 
It also covers multifactor authentication for local access to privileged accounts, deleting accounts when individuals leave the company, salting hashed passwords, and unique account identifiers for all users.<\/p>\n<h3>6. Incident Response<\/h3>\n<p>Some of the topics covered in this point are the company\u2019s incident response policy regarding handling incidents that involve CUI and how the company tests its incident response capabilities. <\/p>\n<h3>7. Maintenance<\/h3>\n<p>This looks at whether the company carries out maintenance on its information system and if controls are used to limit all aspects of this maintenance. It is also concerned with whether media provided by authorized maintenance personnel for diagnostics and troubleshooting are run through virus scanners prior to being used in the company\u2019s information system. <\/p>\n<h3>8. Media Protection<\/h3>\n<p><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-171\/rev-2\/final\" rel=\"noopener\" target=\"_blank\">The Media Protection<\/a> section of the checklist looks at whether the company limits CUI media access to authorized users and whether CUI systems such as company laptops use asset control identifiers such as ID tags with unique numbers. It also addresses the encryption of CUI data on media prior to transport outside of the business\u2019s secure locations. <\/p>\n<h3>9. Personnel Security<\/h3>\n<p>The Personnel Security component looks at whether individuals are screened before being granted access, and whether the company disables access to its information system before an employee is transferred or terminated. <\/p>\n<h3>10. Physical Protection<\/h3>\n<p>This addresses whether the facility or building manager has designated sensitive areas with physical security protections such as locks or guards limiting physical access to the area. It also assesses whether physical access is monitored and logs are maintained.<\/p>\n<h3>11. 
Risk Assessment<\/h3>\n<p>This covers the company\u2019s <a href=\"\/consulting-advisory\/risk-management\/\" rel=\"noopener\" target=\"_blank\">risk management policy<\/a>, periodic risk assessments, documentation of changes in use or infrastructure, scanning of systems for new vulnerabilities, and action plans for mitigating vulnerabilities. <\/p>\n<h3>12. Security Assessment<\/h3>\n<p>The Security Assessment component looks at whether periodic security assessments are carried out to ensure security controls are properly implemented, as well as what is included in these assessments.<\/p>\n<h3>13. Systems And Communications Protection<\/h3>\n<p>This addresses whether the system monitors and manages communications and how unauthorized information transfer is prevented, among other points.<\/p>\n<h3>14. System And Information Integrity<\/h3>\n<p>This family covers how system flaws are identified and corrected and how the company monitors for attacks and unauthorized connections.<\/p>\n<p>Becoming DFARS compliant gives defense contractors and suppliers confidence that your organization has met the necessary requirements set by the DOD. Follow our DFARS Compliance Checklist to help make better decisions on the state of your organization&#8217;s regulatory compliance.<\/p>\n<hr>\n<p><!--\n\n<h2>Reach Out To The Government Contract CPAs<\/h2>\n\n\n \nThe DFARS Compliance Checklist contains dozens of requirements that can be challenging to follow. 
Government contractors who need help with all aspects of compliance can <a href=\"\/contact\/\">reach out<\/a> to the experienced and knowledgeable government contracting CPA team at Diener And Associates.--><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"entry-excerpt\">\n<div class=\"entry-excerpt--description\">\n<p>This will go over the DFARS compliance checklist that any business working with CUI must follow to work as a DOD contractor or subcontractor.<\/p>\n<\/div>\n<div class=\"entry-excerpt--cta\">\n<p><a class=\"read-more blog-read-more\" href=\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\"><span>Read More<\/span> <span><i class=\"fa-regular fa-arrow-right-long\"><\/i><\/span><\/a><\/p>\n<\/div>\n<\/div>\n","protected":false},"author":13,"featured_media":813,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[6],"tags":[],"class_list":{"0":"post-810","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-government-contract-consulting","8":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>DFARS Compliance Checklist<\/title>\n<meta name=\"description\" content=\"This will go over the DFARS compliance checklist that any business working with CUI must follow to work as a DOD contractor or subcontractor.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\" \/>\n<meta property=\"og:locale\" 
content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DFARS Compliance Checklist\" \/>\n<meta property=\"og:description\" content=\"This will go over the DFARS compliance checklist that any business working with CUI must follow to work as a DOD contractor or subcontractor.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\" \/>\n<meta property=\"og:site_name\" content=\"Diener &amp; Associates\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/dienerandassociates\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-02T13:30:14+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-02-21T04:44:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Michael Diener\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Michael Diener\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\"},\"author\":{\"name\":\"Michael Diener\",\"@id\":\"https:\/\/www.diener.org\/#\/schema\/person\/e21af19747ec3bd7f44ac8a743caf89c\"},\"headline\":\"DFARS Compliance Checklist\",\"datePublished\":\"2021-08-02T13:30:14+00:00\",\"dateModified\":\"2023-02-21T04:44:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\"},\"wordCount\":854,\"publisher\":{\"@id\":\"https:\/\/www.diener.org\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png\",\"articleSection\":[\"Government Contract Consulting\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\",\"url\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\",\"name\":\"DFARS Compliance Checklist\",\"isPartOf\":{\"@id\":\"https:\/\/www.diener.org\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png\",\"datePublished\":\"2021-08-02T13:30:14+00:00\",\"dateModified\":\"2023-02-21T04:44:43+00:00\",\"description\":\"This will go over the DFARS compliance checklist that any business working with CUI must follow to work as a DOD contractor or 
subcontractor.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.diener.org\/dfars-compliance-checklist\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage\",\"url\":\"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png\",\"contentUrl\":\"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png\",\"width\":1600,\"height\":800,\"caption\":\"Checking off the DFARS Compliance Checklist\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.diener.org\/dfars-compliance-checklist\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.diener.org\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DFARS Compliance Checklist\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.diener.org\/#website\",\"url\":\"https:\/\/www.diener.org\/\",\"name\":\"Diener &amp; Associates\",\"description\":\"Northern Virginia CPA Firm\",\"publisher\":{\"@id\":\"https:\/\/www.diener.org\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.diener.org\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.diener.org\/#organization\",\"name\":\"Diener & 
Associates\",\"url\":\"https:\/\/www.diener.org\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.diener.org\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.diener.org\/wp-content\/uploads\/2020\/05\/diener-site-logo.png\",\"contentUrl\":\"https:\/\/www.diener.org\/wp-content\/uploads\/2020\/05\/diener-site-logo.png\",\"width\":960,\"height\":195,\"caption\":\"Diener & Associates\"},\"image\":{\"@id\":\"https:\/\/www.diener.org\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/dienerandassociates\/\",\"https:\/\/www.linkedin.com\/company\/diener-and-associates\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.diener.org\/#\/schema\/person\/e21af19747ec3bd7f44ac8a743caf89c\",\"name\":\"Michael Diener\",\"url\":\"https:\/\/www.diener.org\/author\/michael-diener\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"DFARS Compliance Checklist","description":"This will go over the DFARS compliance checklist that any business working with CUI must follow to work as a DOD contractor or subcontractor.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.diener.org\/dfars-compliance-checklist\/","og_locale":"en_US","og_type":"article","og_title":"DFARS Compliance Checklist","og_description":"This will go over the DFARS compliance checklist that any business working with CUI must follow to work as a DOD contractor or subcontractor.","og_url":"https:\/\/www.diener.org\/dfars-compliance-checklist\/","og_site_name":"Diener &amp; 
Associates","article_publisher":"https:\/\/www.facebook.com\/dienerandassociates\/","article_published_time":"2021-08-02T13:30:14+00:00","article_modified_time":"2023-02-21T04:44:43+00:00","og_image":[{"width":1600,"height":800,"url":"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png","type":"image\/png"}],"author":"Michael Diener","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Michael Diener","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/#article","isPartOf":{"@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/"},"author":{"name":"Michael Diener","@id":"https:\/\/www.diener.org\/#\/schema\/person\/e21af19747ec3bd7f44ac8a743caf89c"},"headline":"DFARS Compliance Checklist","datePublished":"2021-08-02T13:30:14+00:00","dateModified":"2023-02-21T04:44:43+00:00","mainEntityOfPage":{"@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/"},"wordCount":854,"publisher":{"@id":"https:\/\/www.diener.org\/#organization"},"image":{"@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage"},"thumbnailUrl":"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png","articleSection":["Government Contract Consulting"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/","url":"https:\/\/www.diener.org\/dfars-compliance-checklist\/","name":"DFARS Compliance Checklist","isPartOf":{"@id":"https:\/\/www.diener.org\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage"},"image":{"@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage"},"thumbnailUrl":"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png","datePublished":"2021-08-02T13:30:14+00:00","dateModified":"2023-02-21T04:44:43+00:00","description":"This will go over the DFARS compliance checklist that any 
business working with CUI must follow to work as a DOD contractor or subcontractor.","breadcrumb":{"@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.diener.org\/dfars-compliance-checklist\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/#primaryimage","url":"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png","contentUrl":"https:\/\/www.diener.org\/wp-content\/uploads\/2021\/07\/1.png","width":1600,"height":800,"caption":"Checking off the DFARS Compliance Checklist"},{"@type":"BreadcrumbList","@id":"https:\/\/www.diener.org\/dfars-compliance-checklist\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.diener.org\/"},{"@type":"ListItem","position":2,"name":"DFARS Compliance Checklist"}]},{"@type":"WebSite","@id":"https:\/\/www.diener.org\/#website","url":"https:\/\/www.diener.org\/","name":"Diener &amp; Associates","description":"Northern Virginia CPA Firm","publisher":{"@id":"https:\/\/www.diener.org\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.diener.org\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.diener.org\/#organization","name":"Diener & Associates","url":"https:\/\/www.diener.org\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.diener.org\/#\/schema\/logo\/image\/","url":"https:\/\/www.diener.org\/wp-content\/uploads\/2020\/05\/diener-site-logo.png","contentUrl":"https:\/\/www.diener.org\/wp-content\/uploads\/2020\/05\/diener-site-logo.png","width":960,"height":195,"caption":"Diener & 
Associates"},"image":{"@id":"https:\/\/www.diener.org\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/dienerandassociates\/","https:\/\/www.linkedin.com\/company\/diener-and-associates\/"]},{"@type":"Person","@id":"https:\/\/www.diener.org\/#\/schema\/person\/e21af19747ec3bd7f44ac8a743caf89c","name":"Michael Diener","url":"https:\/\/www.diener.org\/author\/michael-diener\/"}]}},"_links":{"self":[{"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/posts\/810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/comments?post=810"}],"version-history":[{"count":0,"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/posts\/810\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/media\/813"}],"wp:attachment":[{"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/media?parent=810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/categories?post=810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.diener.org\/wp-json\/wp\/v2\/tags?post=810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}