Companies that contract with the U.S. Department of Defense (DoD) have to comply with all of the requirements in the Federal Acquisition Regulation (FAR). Back in December 2015, FAR was amended to include the Defense Federal Acquisition Regulation Supplement (DFARS). Now published in the Code of Federal Regulations (CFR) at Title 48, Chapter 2, DFARS imposes significant cybersecurity obligations on DoD contractors in order to protect Controlled Unclassified Information (CUI).
Becoming compliant with DFARS is just the first step. You have to stay in compliance as well. One of the most useful ways of confirming that your company is still in compliance with the regulations is to conduct an internal DFARS cybersecurity audit and see how your company performs.
The cybersecurity and DFARS compliance professionals at Corporate Investigation Consulting have conducted numerous DFARS audits in the past for federal contractors, helping them understand what they need to do to pass a real audit by the DoD, avoid serious legal liability, and protect the company’s future in contracting with the government.
The Importance of Conducting DFARS Audits
There are two critical reasons for taking DFARS compliance seriously and conducting internal audits to ensure you are not violating cybersecurity requirements:
- If the DoD conducts an audit and finds your company in violation of DFARS regulations, it can impose financial penalties, sue your business for breach of contract and for filing false claims, and terminate your government contract
- If your company falls below the minimum cybersecurity requirements, it becomes a likely target for a data breach or hack that exposes sensitive information bearing on American national security
Avoiding these outcomes is critical.
The first step towards preventing them is to reach DFARS compliance. Cybersecurity professionals like those at Corporate Investigation Consulting often do this in four steps:
- Determine what cybersecurity measures your company will have to take in order to reach DFARS compliance
- Conduct a gap analysis to find any gaps or shortcomings between your current cybersecurity measures and those that are required under DFARS
- Create a remediation plan that would bring your company into DFARS compliance without breaking the bank or creating any undue hassle
- Implement that remediation plan and reach compliance
But reaching DFARS compliance is still only the first step. You will also have to:
- Keep your compliance protocols up-to-date with ever-changing DFARS requirements
- Ensure that your company’s daily business activities are following through on your cybersecurity plans
Creating cybersecurity defense strategies that comply with DFARS requirements on paper, but then never checking whether they are working in practice, is a huge risk for a federal contractor to take. Conducting internal audits to confirm that you are actually meeting the requirements is critical.
How to Conduct DFARS Audits
Broadly speaking, there are two ways of performing a cybersecurity audit:
- Program audits
- Penetration tests
A program audit is a close review of your cybersecurity protocols. This type of audit can uncover theoretical shortcomings in your DFARS compliance mechanisms. Given how broad and nuanced DFARS requirements can be, a program audit is an important aspect of every internal audit. Different DFARS compliance experts can disagree on what steps are necessary to achieve adequate cybersecurity and on what changes are likely to be made to the requirements in the future. Having an independent DFARS compliance consultant conduct a program audit of the DFARS strategy your company initially adopted can unearth potential weaknesses in your company’s cybersecurity systems.
Penetration tests, however, are where most DFARS audits focus. In a penetration test, DFARS compliance officers arrange for an authorized hacker to try to break into your company’s information system and gain access to any Controlled Unclassified Information they can find. During the test, the hacker records every step taken, so there is a paper trail that shows where the weaknesses in your cybersecurity measures were found and how someone could use them to breach your system.
Not all penetration tests are the same, though. DFARS regulations require you, as a federal DoD contractor, to take very specific cybersecurity measures. Arranging for a penetration test from a cybersecurity professional who has little understanding or awareness of DFARS regulations can end up being useless: the findings of the test may be irrelevant to your legal cybersecurity obligations to the DoD.
Good penetration tests will exercise as many DFARS requirements as possible, up to and including your obligation to notify the Department of Defense of an incident. This ensures not only that you receive as much value for your investment as possible, but also that you earn the peace of mind that comes with knowing that a large portion of your DFARS compliance strategy has been tested and either held up or is being fixed.
Learn from Mistakes and Implement Changes
No internal DFARS audit is complete without a debriefing and a close analysis of what went wrong. Leaving the problems unfixed completely undermines the value provided by the audit and leaves your company open to liability for the shortcoming. In fact, if the DoD conducts its own audit and learns that the cybersecurity problems it has found had already been discovered in an internal audit but went uncorrected, you can count on it taking more aggressive action against your business than it otherwise would have.
Frequently Asked Questions About DFARS Cybersecurity Audits
Is the DoD Auditing its Contractors for Cybersecurity Compliance?
Yes. The Department of Defense is increasingly taking action against its contractors to ensure that they are implementing at least the minimum steps necessary to protect the agency’s Controlled Unclassified Information. In years past, these audits were few and far between. However, recent years have highlighted just how many foreign entities and governments are willing to use cyberattacks to influence their friends and frustrate their enemies. Because contractors can be used to gain access to sensitive data, which can then be used to access still more sensitive data from other sources, the DoD has taken its auditing responsibilities far more seriously of late.
What Can Happen if a DoD Audit Finds that My Company is Out of Compliance With DFARS?
The penalties for being out of DFARS compliance are significant, both for the financial health and the future of your company and potentially also for the country’s national security.
If the DoD conducts an audit and finds that your cybersecurity is not up to the minimum standards set by DFARS, it has the discretion to take numerous actions against your company.
In the best-case scenario, where the cybersecurity shortcoming was small and easily fixable, and your company provides integral services for the agency and has for a long time, the DoD may choose to let the transgression slide on the good-faith promise that you improve your cybersecurity efforts and come into DFARS compliance in the near future. The DoD may impose a stop-work order in the meantime.
In the worst-case scenario, though, the DoD may issue the stop-work order and file a breach of contract lawsuit against you for violating your contractual obligations to the agency. This lawsuit will demand that you pay back all of the proceeds your company received during its time of non-compliance with DFARS – an amount that can become quite substantial if the Department of Defense can show that you were out of compliance for a long time.
In addition to the breach of contract lawsuit, the DoD can also pursue a civil enforcement action against your company under the False Claims Act. This act forbids improperly requesting payment from a government program. Importantly, the penalties for a civil claim under the False Claims Act include a substantial civil penalty for each violation, as well as treble damages – three times the amount that was improperly paid to your company during your time of non-compliance.
This is to say nothing of the negative repercussions of the sensitive information being illegally obtained. Not only can this put your company in an extremely bad light, it can threaten America’s security.
Where Can I Find the DFARS Regulations and Requirements?
The DFARS regulations are found in Title 48, Chapter 2 of the CFR. However, they incorporate cybersecurity standards that are crafted by the National Institute of Standards and Technology (NIST). NIST publishes these specific cybersecurity requirements in NIST Special Publication 800-171, generally referred to as NIST SP 800-171. Because computer hacking is a constantly evolving field, defenses have to keep pace, and the minimum standards set by NIST change as well. Before researching your current DFARS and NIST requirements, make sure that you are looking at the current revision of the NIST Special Publication.
DFARS Auditing by the Cybersecurity Professionals at Corporate Investigation Consulting
The best internal DFARS audits that you can do will mimic, as closely as possible, the real audit process that the DoD would use. The lawyers and investigators at Corporate Investigation Consulting have decades of prior experience conducting these audits for the DoD and similar audits for the Federal Bureau of Investigation (FBI), the Department of Justice (DOJ), and the Internal Revenue Service (IRS). Now they use that experience to help federal contractors uphold their legal obligations to the Department of Defense and protect some of America’s most prized information.
Contact them online or call them at (866) 352-9324 to get the skilled and experienced help that you need to conduct an informative cybersecurity audit.