Why does my company need DoD compliance?
In December 2015, the U.S. Department of Defense (DoD) published a FAR (Federal Acquisition Regulations) supplement referred to as the Defense Federal Acquisition Regulations Supplement (DFARS). The DFARS is intended to maintain cybersecurity standards according to requirements laid out by the National Institute of Standards and Technology (NIST), specifically NIST SP 800-171.
These standards were constructed to protect the confidentiality of Controlled Unclassified Information (CUI) and gave DoD contractors until December 31, 2017 to meet the requirements necessary to be classified as DFARS compliant. Failure to meet these requirements could have resulted in the loss of current DoD contracts. With the deadline now past, all DoD contractors must meet the minimum requirements and show proof to the Department of Defense for all contracts moving forward.
What happens if we are not compliant?
DoD contractors that are audited by the Department of Defense and are found not to be in compliance with DFARS NIST SP 800-171 are likely to face a stop-work order. This means that their work on behalf of DoD will be suspended until they implement suitable security measures to protect CUI. In addition, the Department of Defense may impose financial penalties, including seeking damages for breach of contract and false claims.
In the worst-case scenario, DoD contractors could find that their contracts with the Department of Defense are terminated. They could even face suspension or debarment from working with the Department of Defense again.
For more information on the penalties for non-compliance, see section 252.204-7014 of DFARS.