Understanding Compliance with FAR and DFARS

For federal contractors, ensuring compliance with both the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) is a critical aspect of operations. This comprehensive guide explores the essentials of FAR and DFARS, shedding light on the intricate world of government contracts and cybersecurity measures.


Federal Acquisition Regulation (FAR)

At its core, FAR revolves around the concept of allowability, defining permissible charges in government contracts. Serving as the primary regulation for all Federal Executive agencies, FAR guides the acquisition of supplies and services with appropriated funds, as highlighted by GSA.gov.

What is FAR?

Issued over 40 years ago through the Office of Federal Procurement Policy Act of 1974, FAR remains a living standard jointly issued and maintained by the Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), shaping the landscape of government acquisitions.

Addressing FAR Compliance Challenges

Untangling FAR and Cost Accounting Standards (CAS), this section provides clarity on compliance, demystifying exemptions, standards, and disclosures to simplify what may seem like a complex puzzle.

Vision and Objectives

The primary goal of FAR is to establish a published standard set of policies and procedures for federal agencies during the procurement process. Rooted in Section 1.102, the Federal Acquisition System aims to satisfy customers in terms of cost, quality, and timeliness, emphasizing objectives like maximizing the use of commercial products, promoting competition, and conducting business with integrity and fairness.

Key Components of FAR Compliance

FAR compliance is a vital process for federal government contractors providing goods or services to federal agencies. It distinguishes the contracting landscape with the Executive branch from dealings with commercial entities. Addressing a common query – “Does FAR apply to all government agencies?” – the answer is no. FAR governs contracts exclusively with the Executive branch, with separate regulations overseeing contracts with the Legislative and judicial branches.

Governance of Contracts

Contracts with the Legislative branch (Congress) fall under the purview of the Congressional Budget Office (CBO), while those with the judicial branch adhere to Judiciary Policy – Volume 14 (Procurement). Most contracts with the federal government, however, are governed by FAR, with each contract containing specific FAR clauses applicable to the agreement.

Applicability of FAR

FAR applies to solicitations (IFB, RFP, RFQ, RFI), federal prime contracts, and subcontracts under federal prime contracts. Contractors bear the responsibility of meticulously reading and understanding each FAR clause referenced in the contract before signing any binding agreement.


Defense Federal Acquisition Regulation Supplement (DFARS)

In response to escalating cyber threats, the U.S. Department of Defense mandates rigorous cybersecurity measures for external contractors and suppliers. This comprehensive guide breaks down DFARS regulations, elucidates minimum requirements, and provides tailored solutions to ensure your compliance journey is seamless.

What is DFARS?

Responding to cyber threats, the U.S. Department of Defense introduced DFARS in December 2015, aligning with National Institute of Standards and Technology (NIST) SP 800-171 standards. This regulatory framework compels DoD contractors to safeguard Controlled Unclassified Information (CUI), with a compliance deadline set on December 31, 2017.

DFARS Minimum Requirements Decoded

Securing DoD contracts demands adherence to minimum requirements, emphasizing:

  1. Implementation of adequate security measures for defense information.
  2. Rapid reporting of cyber incidents, collaborating with the DoD for resolution.

While seemingly straightforward, achieving “adequate security” encompasses fourteen security requirement groups, impacting various aspects of IT information security. Non-federal entities must undergo a readiness assessment based on NIST SP 800-171 guidelines for DFARS compliance.

Navigating DFARS: Challenges 

For DoD contractors operating beyond technical realms, meeting evolving security standards poses challenges. The DFARS compliance process necessitates ongoing dedication of man-hours and resources, prompting many to seek expert assistance.

Termination and Penalties for Non-Compliance

Non-compliance risks stop-work orders, financial penalties, and contract termination. Section 252.204-7014 of DFARS outlines penalties, emphasizing the need for proactive compliance.


What is the difference between DFARS and CMMC?

DFARS (Defense Federal Acquisition Regulation Supplement) and CMMC (Cybersecurity Maturity Model Certification) are both related to cybersecurity requirements for contractors working with the United States Department of Defense (DoD), but they serve different purposes and have distinct features. Here are the key differences between DFARS and CMMC:

1. Purpose and Scope:

  • DFARS: DFARS primarily focuses on safeguarding unclassified controlled technical information (CTI) within the defense industrial base (DIB). It includes specific clauses that contractors must comply with to protect sensitive information.
  • CMMC: CMMC is a more comprehensive framework that builds upon DFARS. It introduces a tiered certification model to ensure that contractors implement a specific level of cybersecurity maturity based on the sensitivity of the information they handle

2. Certification Levels:

  • DFARS: Contractors under DFARS are required to conduct self-assessments and document their compliance with the specified cybersecurity controls.
  • CMMC: At Levels 2 and 3, CMMC requires third-party assessments performed by certified assessors. Contractors need to undergo an independent evaluation to determine their adherence to the cybersecurity practices outlined in the CMMC framework.

3. Self-Assessment vs. Third-Party Assessment:

  • DFARS: FARS has been in place for several years, and its cybersecurity requirements have been gradually updated. It has been the baseline for cybersecurity compliance in the defense industrial base.
  • CMMC: CMMC was introduced as a response to shortcomings in the self-attestation model of DFARS. The rollout of CMMC is currently in process.


In conclusion, understanding and ensuring compliance with both the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) are crucial for federal contractors. See how Coalfire Federal can help your business with their government contracts today.