

Achieving Defense Federal Acquisition Regulation Supplement (DFARS) compliance



Avecto has assisted many global clients to meet the requirements of DFARS NIST 800-171. Read on to find out how Avecto’s Defendpoint software secures your endpoints through integrated privilege management and application control technology.


Department of Defense (DoD) contractors and subcontractors must meet Defense Federal Acquisition Regulation Supplement (DFARS) compliance rules before the end of 2017.

Changes to DFARS require contractors to meet the mandatory security standards outlined in National Institute of Standards and Technology (NIST) Special Publication 800-171: Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.

The US government legislation is intended to safeguard 'controlled unclassified information' (CUI) against growing cyber security threats. Affected organizations will need to act to adequately protect their processes, systems and contracts.

CUI is classified as "information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies".

What will happen to those who fail to comply?

Those who fail to comply will likely lose government contracts, whereas organizations able to demonstrate compliance at an early stage may be in a better position to secure additional wins.

DFARS controls

Government contractors and subcontractors are required by DFARS 252.204-7008 to comply with the 14 control families of NIST SP 800-171 by December 2017:

Access control*

Awareness and training

Audit and accountability*

Configuration management*

Identification and authentication

Incident response


Media protection

Personnel security

Physical protection

Risk assessment

Security assessment

System and communications protection

System and information integrity*