Dfars Compliance: Austria's Data Security Standards Examined

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that govern the acquisition of goods and services for the US Department of Defense (DoD). To be DFARS-compliant, countries must have a reciprocal defense procurement (RDP) memorandum of understanding or international agreement with the United States. This means that both countries agree to remove barriers to purchasing goods, materials, or services from sources in the other country. As of 2024, there are 28 DFARS-compliant countries, including Austria.

What is DFARS?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations aimed at prioritising the security of organisations and their customers. DFARS was published by the Department of Defense (DoD) in 2015 to protect the confidentiality of Controlled Unclassified Information (CUI). DFARS regulations apply to all DoD contractors.

DFARS is a supplement to the Federal Acquisition Regulation (FAR), which is administered by the DoD. The DFARS implements and supplements the FAR, containing requirements of law, DoD-wide policies, delegations of FAR authorities, deviations from FAR requirements, and policies/procedures that significantly impact the public. The DFARS should be read in conjunction with the FAR's primary set of rules.

DFARS compliance is crucial for companies with contracts with the DoD or any federal agency, as non-compliance can lead to penalties and even the cessation of business operations. To achieve compliance, contractors must adopt 79 fundamental security protocols, provide effective intrusion monitoring, disclose incidents, and implement cyber incident reporting and analysis. Additionally, they must ensure the proper handling of all information related to OpSec Information, Export-Controlled Information, Controlled Technical Information, and other contract-related data, regardless of location.

The DFARS assessment is part of the CMMC 2.0 Level 2 certification, a third-party certification system. While CMMC 2.0 Level 1 allows for self-certification, DFARS requires a third-party assessor for Level 2 certification. This certification is mandatory for contractors bidding on all requests, especially when handling CUI.

A "qualifying country" under DFARS is one that has a reciprocal defence procurement (RDP) memorandum of understanding or international agreement with the United States. Both countries must agree to remove barriers to purchasing goods, materials, or services from sources in the other country. Austria is listed as a qualifying country under DFARS.

Why is Austria's DFARS status important?

Austria's DFARS status is important because it allows Austrian companies to enter into contracts with the American military to supply equipment and materials. This is particularly significant as Austria is not a member of NATO and has a history of neutrality in armed conflicts.

DFARS, or Defense Federal Acquisition Regulation Supplement, is a set of regulations that govern the acquisition of goods and services for the US Department of Defense (DoD). It includes a list of compliant countries, which refers to nations that have a reciprocal defense procurement (RDP) memorandum of understanding or international agreement with the United States. These agreements remove barriers to purchasing goods, materials, or services from sources in the other country.

Austria's inclusion on the list of DFARS-compliant countries means that Austrian companies can compete for subcontracts under DoD contracts. This provides opportunities for Austrian businesses to work with the American military and contribute to US national defense.

Additionally, Austria's DFARS status helps to ensure cost-effectiveness and interoperability of defense equipment. By procuring equipment and services from Austria, the DoD can benefit from a wider field of competition and choice.

Furthermore, Austria's DFARS compliance demonstrates its commitment to information security and cybersecurity standards. DFARS-compliant countries must adhere to strict requirements, such as safeguarding Covered Defense Information (CDI) and reporting cyber incidents within 72 hours of discovery. This protects sensitive data and ensures that Austrian companies meet industry-accepted best practices for cybersecurity.

Overall, Austria's DFARS status is important as it facilitates collaboration between Austrian companies and the US DoD, enhances defense procurement efficiency, and reinforces information security measures.

How does a country qualify as DFARS-compliant?

To qualify as a DFARS-compliant country, a nation must have a reciprocal defence procurement (RDP) memorandum of understanding or international agreement with the United States. Both countries must agree to remove barriers to purchasing goods, materials, or services from sources in the other country. This means that the US government has agreed that it is in their interest to waive the requirements of the Buy American statute and the Balance of Payments Program for these countries.

The US also agrees to waive the requirements of the Buy American Act, passed in 1933, which precludes the federal government from purchasing supplies or finished goods from outside the US without a waiver.

The reciprocal defence procurement agreements began in the 1970s during the Cold War to increase the effectiveness of alliances. The idea was to reduce or eliminate barriers to defence-related equipment procurement across borders. By being able to procure defence equipment domestically or from allies, countries were able to exercise a greater degree of choice in the types of equipment they procured.

There are two primary requirements for DFARS-compliant countries:

• Restriction on the acquisition of special metals: Alloys must contain 50% of the named metals, and steel must be an iron alloy with between 0.02% and 2% carbon. Special metals under contract must be melted or produced within the United States for missile and space systems and tanks or automotive items.
• Safeguarding Covered Defense Information: Manufacturing and handling must abide by the protections for safeguarding Covered Defense Information (CDI) and reporting any incidents impacting its security. Contractors and subcontractors must protect CDI stored on or transiting through covered contractor information systems and report all cyber incidents within 72 hours of discovery.

What are the benefits of being a DFARS-compliant country?

Austria is a DFARS-compliant country. DFARS-compliant countries are those that have a reciprocal defence procurement (RDP) memorandum of understanding or international agreement with the United States.

Now, what are the benefits of being a DFARS-compliant country?

Benefits of Being a DFARS-Compliant Country:

Access to Lucrative US Department of Defense (DoD) Contracts:

DFARS compliance is crucial for contractors and subcontractors seeking to engage with the US DoD. In 2020, the DoD spent a substantial amount ($439.4 billion) on contracts for products and services. Compliance with DFARS regulations is essential to tap into this lucrative market and secure lucrative contracts.

Enhanced International Relations and Trade:

The RDP agreements that underpin DFARS compliance are designed to strengthen international relations and alliances. By removing barriers to trade in defence-related equipment and technology, these agreements foster a more diverse and competitive procurement environment. This can lead to cost-effectiveness, increased interoperability, and strategic benefits for all participating countries.

Waivers on Certain Trade Restrictions:

DFARS-compliant countries enjoy waivers on specific trade restrictions. Their end products are exempt from price differentials mandated by the Buy American statute and the Balance of Payments Program. Additionally, chemical warfare protection clothing and special metal restrictions do not apply to products originating from these countries.

Duty-Free Trade with the United States:

Qualifying country end products and defence procurement components are typically exempt from customs, taxes, or duties when traded with the United States. This further enhances the attractiveness of doing business with US defence contractors.

Cybersecurity Standardisation and Data Protection:

DFARS compliance includes adherence to stringent cybersecurity standards, such as those outlined in NIST 800-171. While challenging to implement, these standards protect sensitive Controlled Unclassified Information (CUI) and enhance the overall cybersecurity posture of organisations involved in defence procurement.

Interoperability and Standardisation:

DFARS-compliant countries benefit from increased standardisation and interoperability of defence equipment. This facilitates collaboration and joint operations between militaries, enhances alliance capabilities, and ensures a wider range of equipment options.

In summary, DFARS compliance offers countries like Austria significant advantages in terms of economic opportunities, enhanced international relations, and improved cybersecurity standards. It streamlines defence trade with the United States and strengthens the strategic partnership between compliant nations and the US.

What are the requirements for DFARS compliance?

DFARS, or Defense Federal Acquisition Regulation Supplement, is a set of cybersecurity regulations that the Department of Defense (DoD) imposes on external contractors and suppliers. DFARS was published by the DoD in 2015 to protect the confidentiality of Controlled Unclassified Information (CUI) and regulations apply to all DoD contractors.

The basic conditions to comply with DFARS include:

• Adopting 79 fundamental security protocols
• Providing effective intrusion monitoring as well as disclosing incidents
• Introducing cyber incident reporting and analysis
• Ensuring the proper handling of all information relating to OpSec Information, Export-Controlled Information, and Controlled Technical Information, as well as all other data related to contracts, regardless of the location

The minimum requirements of DFARS regulations are relatively straightforward, despite the increasing complexity of cybersecurity requirements. DoD contractors must provide adequate security for CUI that resides in or moves through their information systems. The purpose of these measures is to prevent unauthorized personnel from accessing and disclosing CUI. DoD contractors must also promptly report security incidents and cooperate with the DoD in responding to those incidents. This process includes allowing DoD personnel to access the affected media.

NIST SP 800-171 guidelines group DFARS requirements into 14 categories, which affect many aspects of information security. This document also provides complete details on each requirement for safeguarding CUI. The 14 categories are:

• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• System and Communications Protection
• System and Information Integrity

DFARS compliance requires organizations to pass a readiness assessment as specified in NIST Special Publication 800-171. Organizations typically require six to ten months to become compliant, depending on their current security posture and available resources.

The following four steps will help ensure your organization is DFARS-compliant:

• Calculate your organization's applicability
• Build a remedial plan
• Implement your remedial plan
• Continuously monitor your compliance

Frequently asked questions