What is DFARS and how does it impact suppliers that sell to the U.S. government?
“Oh no, not another acronym…”
When it comes to regulation, there are a lot of acronyms out there, and they’re not always the easiest to keep track of. RoHS, REACH, DFARS, TSCA…the list grows as more regulation gets put in place each year.
This time we’re taking a look at DFARS, so let’s dive in.
The acronym DFARS stands for Defense Federal Acquisition Regulation Supplement.
What does that mean? It is an extra set of regulations that the United States Department of Defense (DoD) added to the Federal Acquisition Regulation (FAR). The FAR is a general set of rules for government acquisitions and procurement that was implemented in the 1980s. DFARS came later and served as an addition to the FAR, specifically stating the requirements for defense-related acquisitions. In other words, DFARS regulates how the U.S. government buys goods and services for military or defense purposes.
According to Acquisition.gov, the primary objective of DFARS is to acquire quality supplies and services that satisfy user needs with measurable improvements to mission capability and operational support at a fair and reasonable price. Additionally, it states that DFARS exists to manage the investments of the United States in technologies, programs, and product support necessary to achieve the national security strategy and support the United States Armed Forces.
If we look back to the ‘80s, we can see how these regulations got their start and purpose. On April 1, 1981, the FAR replaced the Federal Procurement Regulation (FPR) with the goal of establishing one set of comprehensive regulations for government procurement. The FAR cast a wide net, covering everything from acquisition planning and contract types to environmental safety standards, intellectual property, and much more. However, the Department of Defense quickly realized that defense-related acquisitions came with a separate set of complexities, such as sensitive technologies and national security considerations. Hence, DFARS was born.
Today, DFARS is continuously updated to meet modern challenges like cybersecurity, as well as the ever-evolving landscape of national security and procurement practices. Some of its main purposes include:
DFARS impacts a wide array of stakeholders, from companies directly contracted with the U.S. Department of Defense to subcontractors and support services. Defense contractors are the group most directly impacted, which can include manufacturers of military equipment, IT service providers, and more. Subcontractors and suppliers may also feel the influence of DFARS as it trickles down the supply chain, especially if primary contractors enforce specific DFARS clauses. Others affected include legal and compliance teams, program managers, and auditors within contracting companies.
Beyond stakeholders, DFARS has a direct impact on several key industries as well, including:
Any goods and materials used in the process of manufacturing military equipment are subject to DFARS regulations. This includes military vehicles, weapons, aircraft, medical supplies, communication equipment and more. You can imagine the various materials needed to manufacture these things, and yes, all of those materials are held to specific regulations and standards thanks to DFARS.
For example, DFARS 252.225-7009 governs the acquisition of certain metals, ensuring they are sourced responsibly to meet national security needs. This includes specialty metals like titanium, tantalum, and tungsten, to name a few. Another example is DFARS 252.225-7030, which reflects the U.S. government's commitment to maintaining the integrity and security of the supply chain for essential steel products used in defense-related manufacturing. This includes carbon, alloy, and armor steel plate, plus the prohibition of certain foreign-made steel items.
When talking about military equipment, items like the weapons and vehicles mentioned above are typically the first to come to mind. However, technology, software, and cybersecurity are equally important tools for national security, and yes, they too are regulated under DFARS. These regulations address cybersecurity and intellectual property to combat cyber threats, as opposed to physical materials and manufacturing parts.
For example, if a company provides computer programs or cybersecurity services to the military, DFARS ensures they follow specific security standards, like protecting sensitive information. These same rules also apply to telecommunications companies providing communication services to the DoD.
Closely tied to cybersecurity, CUI stands for Controlled Unclassified Information and refers to unclassified information that requires safeguarding. This could include sensitive information related to national security, privacy, and other critical areas.
DFARS includes several clauses related to the protection of Controlled Unclassified Information (CUI), such as DFARS 252.204-7012. This clause requires contractors to protect CUI when handling defense-related information. Additionally, contractors are required to implement the specific security measures for CUI outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171.
Whether you’re a primary contractor, subcontractor, or somewhere else along the supply chain, staying compliant with DFARS is essential to both national security and the success of your company. Noncompliance can lead to the termination of contracts, financial penalties from the government, legal consequences, and damage to your company’s reputation.
There are a few ways to ensure your company is DFARS compliant, including completing a self-assessment, hiring a consultancy, or working with a supply-chain risk platform like Z2Data – hey, that’s us! Regardless of your industry, our flexible, integrated, and collaborative platform can help you meet your compliance objectives, as well as assist in other areas such as supply chain, risk management, supplier insights, and more.
If you’re not working with a platform or consultant and are hoping to complete a self-assessment on your own, it’s critical to reference NIST Special Publication 800-171A: Assessing Security Requirements for Controlled Unclassified Information. Although a self-assessment is more affordable, we will warn you that it can be a lengthy and complicated process without the right resources, taking anywhere from six to eleven months to become fully compliant. You’ll also need to be extra meticulous about your plan to maintain compliance and how you will continuously monitor it.