The Defense Federal Acquisition Regulation Supplement (DFARS) governs the acquisition of goods and services for the Department of Defense (DoD). Both officials and contractors must comply with the requirements set forth in DFARS. As anyone who has looked at the requirements set forth in DFARS knows, DFARS itself is a complex regulatory body that is broad in scope and depth. Contractors and subcontractors that supply or work with the DoD are required to comply with DFARS or face penalties for non-compliance, making it essential to understand exactly what your DFARS compliance requirements are and how you can meet them.
One challenge that DFARS presents for contractors and subcontractors is a restriction on the countries that you can procure supplies from. Given the complexity of our global supply chain, organizations outside of the DoD procurement process often don’t know exactly where their goods and services originate from. This can pose potential compliance issues for DFARS, thus the need for restrictions. Within the DFARS regulation itself is a list of dfars compliant countries. This list is essential for all contractors to understand and abide by, meaning that all procurement of goods and services must go through these countries. This includes for components that consist of melted metals, which is a complex topic in its own right. According to DFARS requirements, only specific countries are permitted to melt metal outside of the United States if the end product is intended for DoD purposes.
There are also some important changes that were recently implemented into DFARS that affects many of the contractors and subcontractors that interact with the DoD. Namely, the addition of cybersecurity requirements to protect Controlled Unclassified Information (CUI). This impacts all DoD partners and has been the law of the land since late 2017. This additional requirement for DFARS mandated that all organizations in-scope for the regulation adopt the cybersecurity efforts outlined in the National Institute of Standards and Technology (NIST) SP 800-171 revision 1. These requirements are intended to protect CUI from unwarranted access or theft. In doing so, these requirements also protect the very contractors themselves by ensuring that their cybersecurity efforts are capable of matching today’s threat landscape.
Navigating DFARS requirements can be extremely challenging. The depth of information covered in the regulatory documents is extensive, and with numerous additional documents required to gain a full picture of the compliance advisory services and requirements organizations must abide by; most smaller and medium-sized contractors may have difficulty adhering to the requirements set forth in DFARS. This article will seek to distill down a comprehensive list of DFARS compliant countries. We’ll also look at what it means to be a compliant country, in order to provide greater context to the regulations themselves.
What Are Qualifying Countries?
At this point, you might be wondering what a qualifying country is. In terms of DFARS, the term “qualifying country” refers to a country that the United States government has a memorandum of understanding with or another international agreement with the designated country. Stemming from these agreements, the DoD determines that it isn’t in the public interest for qualifications of the requirements under the Buy American statute or the Balance of Payments Program to apply to these specific countries.
So, what exactly makes the relationship between the United States and a qualifying country special? Well, essentially the United States government signs reciprocal defense procurement agreements with each country that is on the list. These reciprocal defense agreements began during the 1970s within the context of the Cold War, with the intention to increase the effectiveness of alliances that existed at the time. The idea behind reciprocal defense agreements was that many countries had barriers that existed in regards to procuring defense-related equipment. These barriers often took the form of laws or norms that encouraged defense industries to procure from domestic sources, whether because it was financially incentivized or otherwise.
Due to the fact that defense procurement represents such a substantial portion of government procurement in general, seeking out agreements with allies whereby barriers to procurement across borders were reduced or eliminated made sense. By being able to procure defense equipment both domestically or from allies, countries were able to exercise a greater degree of choice in the types of equipment they procured. Expanding the procurement environment also ensured that a wider field of competition was embedded in defense procurement agreement and sourcing. The use of reciprocal defense procurement agreements ensures that defense procurements are more cost-effective. There are also strategic considerations embedded in these agreements, such as producing a wider range of interoperable equipment.
The important facet of reciprocal defense procurement agreements is the provision to waive requirements that many nations have for government entities to buy products that are produced domestically. In the United States, this takes the form of the Buy American Act, passed in 1933, which precludes the federal government from purchasing supplies or finished goods from outside of the United States without a waiver. Many other countries also have “buy national” laws. Reciprocal defense procurement agreements waive these laws, allowing both countries to trade defense equipment with one another. Or, at the very least, certain organizations in qualifying countries can enter the procurement process without fear of discriminatory buying practices. Nor will goods sold from qualifying countries have import duties levied against them, at least in most cases.
Which Countries are Qualifying Countries?
At this point, you probably want a list of which countries are considered qualifying countries under DFARS. As you will notice, many of the countries on the list are staunch allies of the United States. In total, there are currently 26 countries that are considered DFARS compliance countries. Here’s the DFARS compliant country list:
- Czech Republic
- Federal Republic of Germany
- United Kingdom of Great Britain and Northern Ireland
In addition to the 26 countries in the aforementioned list, contractors with the DoD may also procure products from Austria. These procurements are exempted from the Buy American Act on a case-by-case basis, rather than accepted whole cloth as in the case of the countries listed above. One thing to note about the list of compliant countries is that there is substantial overlap between these countries and countries that are part of the North Atlantic Treaty Organization (NATO). This association is logical given the historical context within which defense procurement agreements began to appear.
What are Some Other Important DFARS Requirements
As we have mentioned DFARS itself is a massive regulatory body that governs the procurement of defense equipment. There are many facets to DFARS that apply to specific organizations, and there are too many individual requirements to go into. However, it is worth spending time getting to know a bit more information about a recent requirement that was added to DFARS. This requirement governs the protection of Controlled Unclassified Information (CUI). There are strict penalties for non-compliance, including the loss of the government contract an organization holds, so it is worthwhile to understand how this requirement affects you.
If you are part of the DoD procurement process and handle CUI, then you are required by law to comply with the cybersecurity requirements outlined in DFARS 204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting. As the name suggests, this requirement concerns protecting sensitive data that isn’t classified but the release of which could still be damaging. In order to accomplish this, entities that are in-scope for this requirement must adhere to NIST 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
The clause governing cybersecurity in DFARS was added only recently and went into effect on December 31, 2017. So, while this requirement has been in effect for over a year at this point, there may still be small and medium-size businesses that have yet to achieve compliance. Achieving compliance with the DFARS cybersecurity requirements can be tricky to be sure. Organizations must identify the true scope of how CUI is transmitted and stored across their network assets and systems. Then, organizations must implement the safeguards outlined in NIST 800-171 to ensure the protection of that CUI.
You might be wondering what “Controlled Unclassified Information” refers to, as this appears from the outside to be a broad term. Essentially, CUI is data generated by the government that needs safeguarding. This can also include information or data that is generated by a third-party entity on behalf of the government. The definition of CUI itself is complex, with a full definition found here provided by the National Archives. For entities in-scope for DFARS security requirements, gaining a full understanding of exactly what constitutes CUI serves as a basic starting point for identifying where CUI is stored on your systems, how it is transmitted, and how you are protecting it. Some examples of CUI include emails, blueprints, or contractor information, but there are many different types of information that can be considered CUI. One of the most challenging aspects for attaining NIST 800-171 compliance is properly identifying CUI when you interact with it.
The NIST 800-171 outlines a framework that organizations can use to protect CUI on their network and systems. In total, NIST 800-171 outlines 14 different requirements that organizations must meet in order to be considered compliant. These requirements can be broken down into controls, security measures, management and monitoring, and end-user practices. Like other security requirements provided by NIST, the cybersecurity requirements outlined in NIST 800-171 represent industry accepted best practices. While there are specific requirements, organizations can choose the best way for them to meet those requirements given their operational needs, level of risk, and the resources available to them.
Meeting the requirements outlined in NIST 800-171 can be challenging, particularly for small to medium-sized manufacturers or DoD suppliers that don’t have the resources to conduct the assessment and monitoring requirements mandated by NIST. Organizations hoping to achieve NIST 800-171 compliance must review their business processes and CUI scope, and then analyze their controls gap. Once this is done they can create a roadmap for moving forward. Organizations will then need to implement controls, along with segmentation of their network, traffic, or assets if necessary to reduce CUI scope. Lastly, organizations will need to create processes for ensuring ongoing compliance, including security audits and validations. In order to do all of this, organizations must be capable of performing a comprehensive assessment of their IT infrastructure and have access to the expertise necessary to perform vulnerability assessments.
It is also important to keep in mind that compliance with the requirements set forth in NIST 800-171 isn’t just a singular event, but is rather an ongoing process. This means that organizations must regularly conduct vulnerability assessments, as well as stage ongoing penetration tests to ensure that any vulnerabilities in your network, systems, or web applications are quickly identified and remediated prior to a harmful event occurring. Learn about the top 5 penetration testing tools for web applications in our related article.
Maintaining compliance with DFARS requirements can take a staggering amount of time and coordination. Understanding exactly what your compliance requirements are is essential to maintaining your government contract on an ongoing basis. It isn’t enough to simply know whether or not a country you are working with is considered qualifying. If you are an organization that is a subcontractor or primary contractor supplying the DoD, you’ll need to ensure your organization protects CUI and is NIST 800-171 compliance. A failure to do so could result in non-compliance and a revocation of your government contract, along with the financial and reputational harm that can accompany a data breach. Avoiding non-compliance with DFARS, in particular, requires working with other organizations that have an in-depth understanding of both DFARS and NIST 800-171 requirements. Due to the fact that these two go hand-in-hand, in-scope organizations must ensure that they maintain compliance with both at all times. If you are curious to learn more about DFARS and NIST 800-171 compliance or cybersecurity solutions, please contact RSI Security today.