Compliance


What’s The Difference Between FAR and DFARS? 

07/2024


Introduction

Companies working in the Aerospace and Defense industry are likely to end up selling their product into the defense supply chain. Consequently, their contracts with customers incorporate flow-down requirements, meaning contractors must familiarize themselves with the Federal Acquisition Regulation (FAR) terms and conditions. Organizations handling Department of Defense (DoD) data must also understand the Defense Federal Acquisition Regulation Supplement (DFARS).

What is FAR?

FAR stands for Federal Acquisition Regulation and is the contracting regulation of the Federal Government. Contracts with NASA, the DoD, and other federal organizations will incorporate the FAR requirements. Contracting officers are required to include cybersecurity clauses in your contract. The most common is FAR § 52.204-21, which defines IT security requirements for federal contracts that process, store, or transmit Federal Contract Information (FCI).

What is DFARS?

DFARS stands for Defense Federal Acquisition Regulation Supplement. It contains the defense-specific requirements that dictate how the Department of Defense contracts. The contract clauses your contracting officer incorporates depend on the type of data you are expected to handle or create as part of your contract.

The most notable is DFARS 252.204-7012, which dictates how defense contractors must handle specific types of defense data. DFARS 7012 has 4 important components: implementing adequate security, using FedRAMP Moderate authorized cloud services, reporting cyber incidents to the DoD, and flowing down requirements to your subcontractors. If you have any questions about these requirements, feel free to book a meeting with one of our cybersecurity experts.

Conclusion

Overall, understanding the distinctions between FAR and DFARS is crucial for any contractor engaging in DoD contracts. While FAR provides a broad framework applicable to all federal agencies, DFARS introduces additional, defense-specific requirements critical for contractors working with the DoD. Compliance with these regulations and NIST 800-171 and 172 is essential to safeguarding DoD data and obtaining CMMC certification. The foundation of CMMC compliance lies in adhering to the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 and 172.

To find out more about CMMC, feel free to download our FREE CMMC Compliance Guide or schedule a meeting with one of our cybersecurity experts!
