Acquisitions and procurement for the federal governments are overseen by the Federal Acquisition Regulation (FAR) which covers a wide range of stipulations for both government departments and contractors.
The Department of Defense adheres to the FAR, although with its own deviations and procedures due to the classified nature of some of its contracting activities. A DoD contractor is expected to abide by the DFARS, Defense Federal Acquisition Regulation Supplement together with the Procedures, Guidance, and Information document (PGI).
As a result of this extremely regimented regulation, DFARS compliance is complex. Defense contractors must demonstrate that they not only meet requirements but also have implemented programs to maintain compliance throughout their supply chains.
Two key areas of defense procurement are particularly guarded so as to protect sensitive information best not exposed to prying eyes and ill-intentioned people or nations: specialty metals and cybersecurity.
With frequent changes, updates, and amendments to FAR and DFARS, maintaining compliance when fulfilling DoD contracts can be a complex process in which internal resources are likely to be insufficient unless supplemented with robust third-party expertise. - Click To Tweet
Scope of the Federal Acquisition Regulation at a Glance
Every possible aspect of procurement is subject to codes of conduct and standards, including some issues that do not usually need consideration when dealing in the private sector.
The procurement-award process is explained in a manner that eliminates ambiguity and prevents disputes.
Compliance requirements are clearly laid out, including how contractors should implement them internally and along the supply chain.
Federal contractors are obligated to meet certain performance standards that go beyond the quality of products and include cost accounting principles, adherence to schedules, and overall cooperation.
DFARS Compliance on Specialty Metals
The US is cautious about excessive dependence on foreign sources of critical materials as it poses a risk to its supply chain and capability to bring projects and missions to completion. For that reason, DFARS includes specific sourcing requirements for specialty metals, defined as:
- Steel with a maximum alloy content exceeding one or more of the following limits:
- Manganese, 1.65%
- Silicon, 0.60%, or
- Copper, 0.60%
- Steel containing more than 0.25% of any of the following elements:
- Aluminum
- Chromium
- Cobalt
- Columbium
- Molybdenum
- Nickel
- Titanium
- Tungsten
- Vanadium
- Or metal alloys consisting of:
- Nickel, iron-nickel, and
- Cobalt base alloys containing a total of other alloying metals except for iron in excess of ten percent, or titanium and titanium alloys
- Zirconium and zirconium base alloys
The sourcing requirements for specialty metals stipulate the metals must be melted in the US or originate from a qualifying country (subsection 225.872-1 of DFARS).
Some exceptions apply and metals may be sourced from other countries provided their content makes up less than 2% of the finished product.
Complying with specialty metals requirements necessitates full transparency in the supply chain and requires optimal supplier engagement: is the material present in the product part? In what concentration? Where has it been sourced (if not directly)?
One way to simplify the compliance process is to exclusively work with vetted suppliers having a track record of government or defense-related procurement. This doesn’t mean you can abstain from doing your due diligence and maintain an updated repository of documentation, but at least it eliminates a lot of legwork.
Even better if your compliance system is already fitted to track product components, demonstrate proof of origin, and if your suppliers and their suppliers receive adequate training to reach compliance themselves.
DFARS Compliance on Cybersecurity
Not surprisingly, security is a big item when contracting with the DoD. Data will be exchanged and stored. Classified documents will travel through cyberspace and meet the eyes of approved personnel. Sensitive communication will take place.
Per DFARS, contractors storing, processing, or transmitting Controlled Unclassified Information (CUI) fall in the scope of the NIST (National Institute of Standards and Technology) framework of cybersecurity. They must have adequate security in place along with incident reporting processes. Protective measures shall cover the probability of loss, misuse, unauthorized access, or modification of information.
NIST Framework
The safeguarding framework published by NIST takes a risk-based approach, targeting issues that may pose a threat to national security, economy, public safety, and health.
DoD contractors should have a plan to identify, protect from, detect, respond to and recover from those risks.
1. Identify
- Asset management
- Business environment
- Governance
- Risk assessment
- Risk management strategy
- Supply chain risk management
2. Protect
- Identify management and access control
- Awareness and training
- Data security
- Information protection processes and procedures
- Maintenance
- Protective technology
3. Detect
- Anomalies and events
- Security continuous monitoring
- Detection processes
4. Respond
- Response planning
- Communications
- Analysis
- Mitigation
- Improvements
5. Recover
- Recovery planning
- Improvements
- Communication
A new standard separate from NIST is the Cybersecurity Maturity Model Certification (CMMC). This entirely new set of requirements is superseding NIST requirements for DoD cybersecurity compliance.
Learn More About CMMC Requirements In Our Blog: “Why Supply Chain Cybersecurity is More Important Now Than Ever”
Final Words on DFARS Compliance
The DoD is the largest contracting department by value. Its budget request for 2021 was $243 billion, a third of it for acquisition only.
Being a defense contractor can be a very profitable business, but non-compliance comes at a cost: lost contracts, breach damages, reputational damage; not to mention violation fines which, from 1995 to date, amounted to $10 billion for the top ten contractors.
In concrete terms, compliance with DFARS regulation is only possible if, as a direct contractor, you involve your subcontractors and their suppliers. They too must be compliant with sourcing requirements, security, the federal code of ethics, etc.
If you wish to enter the federal procurement arena and hope to secure a DoD contract, your first step before you even consider an application is to iron out the compliance details:
- Is your supply chain transparent? If not, what is lacking? What roadblocks get in the way?
- Do you have any automated compliance scheme currently in place or do you start from scratch?
- Can your existing systems build upon defense-specific regulations?
Companies that have already started work on building a resilient and transparent supply chain hold a significant competitive advantage to become a defense supplier of choice. Once on the A-list, continuous vigilance is necessary to maintain compliance.
The good news is, being a partner with government agencies is not exclusive to mammoth companies. The other good news is, it doesn’t take a village, only compliance experts familiar with the drill and equipped to see your contract long-lived.
At Source Intelligence, our DFARs solution provides the technology you need to automate compliance. Our solution:
- Maps out your entire supply chain
- Creates and send custom supplier surveys
- Collects supplier data
- Uses AI to verify and validate compliance documents
This in conjunction with a 24/7 multi-lingual supplier support team provides you the information you need to easily meet DFARs requirements.
Request a demo of our DFARs program to see what our solution can do for you.
