Request Demo

DFARS

Subcontractors & Supply Chains: The Risks of Non-Compliance

down-arrow

With the rise of cyber attacks on both public and private enterprises, companies are putting more energy into protecting our information from threats. 

Due to the DFARS flow-down clause, prime contractors have to be compliant throughout their supply chains.

Thus, prime contractors are beginning to send surveys to their supply chains and subs questioning their compliance.  

That’s exactly what the government proposed when announcing NIST SP 800-171 and the Defense Acquisition Federal Regulation Supplement as a regulation for any prime contractors or subcontractors that work with the Department of Defense. Prime contractors should not be risking the integrity of their supply chains. Efforts that contractors and their supply chains take to protect Covered Defense Information (CDI) or Controlled Unclassified Information (CUI), both physically and digitally, must be thorough. Thus, prime contractors are beginning to send surveys to their supply chains and subs asking if they are DFARS compliant, and if they have a plan of action around compliance. 

If you have received questions around the regulation from your prime contractor, you are not alone. Many manufacturers and subcontractors are scrambling to figure out how to report back and keep their contracts before the end of the year. Assessing the risk of not complying to DFARS & NIST 800-171 is critical to deciding if it makes sense to allot your organization’s capital and resources toward compliance. Some manufacturers may decide that not enough of their revenue is generated from government contracts, and others may decide that they have enough cash flow through prime contractors, or have an opportunity to do grow their business in that area, that the risk of losing them is too great.

What are the risks of non-compliance? For starters, contract termination. The flow-down clause mentioned earlier requires every manufacturer who works with a prime contractor to report compliance, and if you are a subcontractor who reports non-compliance when your prime asks, your contract will likely be terminated and your compliant competitors will fill that role. In short, sub contractor non-compliance causes prime contractor non-compliance as a whole, which is something primes are going to avoid to keep their contracts. Another risk to consider is the price of reporting compliance when your organization is, in fact, not compliant. The last cause you want to be is that of legal detriment to your prime contractor.

Two Ways to Approach DFARS Compliance

Taking the piecemeal approach may seem attractive at first, but that depends on your willingness to risk your business to the potential issues spoken about above. Piecemeal projects are almost always more expensive and time consuming. You could task out controls to your team one by one, and try to pull together a methodology from your own knowledge. However, the chance of missing a portion of a control or misinterpreting the control language in general is looming. Considering your team’s limited resources as they are responsible for other tasks within the organization, and the knowledge base required to understand and implement DFARS, relying on another entity could be your best option. The CyberStrong Solution can even pay for itself because it streamlines your compliance and allows you to access a strategic improvement roadmap to NIST 800-171 compliance. Translating the NIST language is a task that is hard to accomplish with limited time and energy, especially when you have to be meticulous enough not to miss a control or over-report your compliance when you could be protecting your information. Take the approach that will save you time, money, and resources and develop a systematized roadmap to compliance and a stronger cybersecurity posture.

Have more questions? Fill out our contact form or email us directly at info@cybersaint.io

You may also like

The Key To Turning Your Security ...
on December 11, 2018

It is often said, “if you don’t want something noticed, don’t talk about it”. This is true of a bad GPA, a stain on a carpet, or a project you might have missed a deadline for. ...

Solving The Cybersecurity Skills ...
on December 6, 2018

It is no shock to those in the cyber community that cybersecurity has become a board-level issue for many enterprises. A PwC survey showed a 20% increase in CEO’s concern over ...

The Next Wave Of Innovation For ...
on December 5, 2018

   The internet of things (IoT) is a force transforming the modern enterprise. Anything from robotics in warehouses to smart manufacturing to data center monitoring, the ...

The Corporate Compliance and ...
on December 4, 2018

Corporate compliance and oversight (CCO) is one of the main pillars to a strong integrated risk management (IRM) program and solution. Today, compliance leaders are faced with a ...

Securing the AI powered enterprise
on December 5, 2018

Machine learning and artificial intelligence (AI) has become the competitive differentiator of our time. By 2020, Gartner predicts that almost all new products to enter the market ...

4 Compliance And Risk Reports ...
on November 28, 2018

By 2020, 100% of large enterprises will be asked to report to their board of directors on cybersecurity and technology risk at least annually, which is an increase from today's ...

Alison Furneaux