DFARS compliance software questions that you need to answer

multiple locks

There’s a lot to consider as you create and work through a strategy to achieve DFARS compliance, with new standards for information control. One common area of concern is legacy applications and commercial off-the-shelf (COTS) software. A frequent question is what steps should companies take when they don’t support multi-factor authentication (MFA)?

We hear this question from a number of our customers, as well as questions about information systems in which CUI/CDI constitutes a small portion of the data and cannot be easily segregated.

Contrary to what you may have heard, the MFA requirements of DFARS 252.204-7102 and NIST 800-171 are not mandatory at the application level, but rather should be applied at some point prior to reaching the application. This means successful cost-effective implementations of MFA controls should address the following:

  • Is there clear mapping of data access flow from user to CUI/CDI? Where along the path can MFA be effectively and economically applied?
  • Is your chosen MFA solution flexible – does it require an agent?
  • What operating systems and devices does it support?
  • What options are available for “out-of-band” access?
  • Do we have to support Personal Identity Verification (PIV) on day one or can it wait?
  • What physical form factors are available (smartcard, USB, mobile app, etc.) and which will work in your environment?

With regard to architecture design, one promising approach is to restrict (logically or physically) access from the network and establish a singular “front door” to the application or data using a jump box or presentation/publication gateway such as Citrix. This approach should only be necessary when there is no other opportunity to enforce MFA prior to the application or data (e.g. a contractor portal hosted in a DMZ).

What about COTS?

Commercial Off-The-Shelf (COTS) equipment sold under a contract is not considered CDI unless it has been modified for CDI purposes.  Please keep in mind, this exclusion does not extend to COTS packages used by a supplier to provide operational support or in any other way fulfill their contractual obligations.

DXC is available to help you evaluate these and many other questions as well as prepare for compliance.  To hear the DXC webinar on these questions and more, register here.


Frequently asked questions (FAQ) about DFARS compliance

Predictive Analyses: How Compliance Could Lead to a Leap Forward


  1. […] DFARS compliance software questions that you need to answer […]

  2. […] DFARS compliance software questions that you need to answer […]

Speak Your Mind


This site uses Akismet to reduce spam. Learn how your comment data is processed.