Home | Our Services

Request a FREE Consultation here:



Why should Contractors care about DFARS Compliance?

Our increasingly digitized world has provided many avenues for innovation and creativity to flourish, but with it comes numerous risks and dangers. More frequently these days, we hear news about a new exploit or security compromise that has caused irrevocable damage to a company’s reputation, finances, or in some cases; its ability to function at all. With this growing concern, the government has begun requiring its contractors to maintain an effective and compliant security environment for doing business. Because of this, Information Security goes beyond just IT or legal concerns, but rather, encompasses an operational challenge required to conduct business at all. In this era, it has become increasingly important to consider the cyber security infrastructure of your company, and ensure it is adequately prepared for any trials the future possesses. For many government contractors, this preparation is combined with a business need, as the Department of Defense introduced an information security requirement through DFARS. 

The Department of Defense has mandated through DFARS 252.204-7012 that all contractors in possession of Controlled Unclassified Information (CUI) must meet the minimum-security requirements outlined in NIST SP 800.171. These controls must be implemented at both the contractor and subcontractor levels in order to be considered compliant with DFARS or risk losing contracts for failure to comply.

In order to maintain your organizations current contracts and ensure you are well prepared for future regulations and threats it is important to pay attention to and implement the controls outlined in the NIST SP 800.171 requirements. The future is uncertain and new threats are always hiding around the corner – be prepared to handle them so your organization can continue to prosper.

What are DFARS Requirements?

The main things to consider when striving for compliance with DFARS are the NIST SP 800.171 controls, the Cyber Incident Reporting requirements, and what to do when an incident occurs as as it pertains to record keeping of all information that may be required for a DoD investigation. 

NIST Standards – The security controls themselves are detailed in the NIST Special Publication 800.171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” NIST SP 800.171 contains a wide variety of controls covering many different aspects of cybersecurity practice that can ensure your company is well protected against cyber threats and has the capability to handle them when they occur. With the publication of DFARS 252.204-7012, NIST SP 800.171 was made the core backbone of DFARS security control enforcement.

In addition to the security controls, DFARS has many requirements for how to properly report incidents when they occur. Covering everything from the required isolation of malware, to preserving images affecting information systems – all the way through network monitoring records and how to submit them to the DoD – these are just some of the essential practices needed to demonstrate compliance to the DFARS regulation..

In addition to requiring the implementation of NIST SP 800.171 there are many specific procedural requirements that need to be followed in order to properly report security incidents when they occur. These include the security incident report itself, as well as how to handle any malware or media preservation requirements to ensure they are available should the DoD need to investigate further. Some details about these requirements are included below.

Cyber Incident Report

  • Must conduct an evidence review of compromised covered defense info (identify compromised computers, servers, specific data, user accounts, etc. or anything that affects ability of contractor to provide support)
  • Rapidly report incidents to DoD at http://dibnet.dod.mil
  • Incident Report must be treated as info created by/for DoD and include at a minimum, requirements from http://dibnet.dod.mil
  • To report incidents a Medium Assurance Certificate is Required

Malicious Software – When Malware is discovered/isolated in connection with a security incident, it will need to be submitted to the DoD Cyber Crime Center in accordance with instructions provided by DC3 of the Contracting Officer. DO NOT send malicious software to the Contracting Officer.

Media Preservation and Protection – Upon discovery of the security Incident, preserve images of all known affected information systems (those identified in Incident Report) and all monitoring/packet capture data for at least 90 days following submission of the Cyber Incident Report to allow DoD to request media or decline interest.

To stay abreast of any cyber-attacks, security compliance requires continuous monitoring. At the response stage, we work with you to establish processes and tools to regularly monitor and update your security posture against any new potential threats – working always to keep your information safe!

Why Kreative?


Kreative is a small business in the heart of Northern Virginia, home to many of the largest government contractors in the country which handle incredibly sensitive information as a matter of course. With a highly skilled workforce knowledgeable in IT and the security industry, we are perfectly positioned to assist with your compliance needs. Our experience in working with our neighbors across the contracting industry has given us an intimate understanding of on-prem and cloud platforms, as well as MSO365 and Azure GCC high environments, allowing us to gain experience with security implementations in highly regulated environments. Over the years, Kreative has developed a wide collection of templates, covering all the policies and procedures required to be implemented into a compliant environment, which can also be tailored and packaged to perfectly fit the unique environment of your organization. This innovative approach lends itself to quick and proven compliant policy implementation that can assist with creating a culture of security awareness within your organization.


Information Security is an ongoing initiative for any organization as it is important to be prepared to adapt to dynamic situations. Kreative recommends the use of our kSAFE approach. This solution has been developed and continually improved in the Microsoft Office 365 environment to ensure organizational controls adhere to the various requirements outlined in the NIST 800 and DFARs regulations. Our solution utilizes innovation and leverages technology to ensure strongest adherence to IT security controls. Along with various automation tools, forms, workflows and templates, we are also extremely proficient in MS Azure that provides the back-end Information Security controls around:
  • Platform Security – The processes and infrastructure of MS datacenters to keep information safe
  • Secure Access and Sharing – The access management and share settings to ensure sensitive data is not inadvertently disclosed
  • Awareness and Insights – Complete visibility to make informed decisions, track, and account for all file activity to include full transparency with reporting and alerts
  • Information Governance – The ability to govern the lifecycle of data, including deletion and retention policies, eDiscovery, Mobile Device Management, Single Sign-On, Multi-Factor Authentication and Legal Holds
  • Compliance – A service that meets the latest security compliance standards in the industry