Frequently asked questions (FAQ) about DFARS compliance


Many of the questions around the new DFARS standards are related to compliance and what it means in practice. DXC will hold a webinar on Sept 19, 2017 to help answer many of these questions. In the meantime, this blog entry offers answers to some of the most common questions our clients have asked.

What does compliance mean and how is it measured?

When you sign a contract award, you are attesting to the fact that you are compliant – unless, within 30 days of contract award, you turn in a list of the compliance requirements that have not been completed.

The DoD will not certify compliance. It is up to each contractor to self-certify prior to signing a contract. Your System Security Plans (SSP), along with a POA&M indicating how you plan to address any current gaps in compliance, can be used as proof of compliance. The government contracting officer may request that you submit the SSP(s) and/or POA&M.

If you have prepared an SSP and POA&M, but do not implement all of the NIST SP 800-171 requirements by the end of the year, the government may accept the risk as captured in your SSP and POA&M.

How is CDI defined in the contract?

Contract Section J should include a list of CDI data that will be provided by the government.

Contract Data Item Descriptions (DID) have marking requirements – check item 9 in each Contract Data Requirements List (CDRL).

How do I prove compliance?

At this point in time, self-attestation is considered sufficient.  We have seen some clients who fall under a Prime contractor held to a higher standard by the Prime.  This has not been consistent in execution or granularity.

DXC’s view is that well-documented System Security Plans which map the controls to their implementation (or compensating control) will be sufficient should questions arise around compliance.

What will DCMA look for?

When the DCMA performs audits, if you have CDI in your contract they will:

  • Verify that you have an SSP
  • Verify that you turned in your 30-day notification disclosing which security controls have not yet been implemented
  • Verify that you have a valid medium assurance PKI certificate for reporting cyber incidents

Do I need a 3rd party to audit and/or attest compliance?

In short, there is no requirement.  If there is real or perceived risk to the business as a result of your current state and progress toward compliance, you want an external assessment or audit of compliance.  DXC can help arm you with that data so you can focus your investments of capital and time, reducing risk and possibly cost.

Will compliance be an evaluation factor in pursuing government contracts?

The government can use a NIST SP 800-171 SSP (and POA&M if necessary) as part of the technical evaluation criteria in a selection process.

I am a 3rd tier supplier in a complex supply chain.  Do I have to comply?

Maybe. DFARS clause 252.204-7012 was amended to limit the requirement to flow down only to subcontractors whose efforts will involve covered defense information, or will involve operationally critical support. You and your upstream supplier will need to determine on a contract-by-contract basis whether you fall in scope.

How will prime contractors ensure compliance from their suppliers down the supply chain?

Primes need to tailor and control what flows down to subcontractors based on the CDI data the subcontractors need access to in order to do their jobs. If a subcontractor cannot implement the required CDI protections, then CDI should not be shared with the subcontractor.

To hear the DXC webinar on these questions and more, register here.

