What are the consequences of not complying with DFARS and CMMC?

For the past few years, private organizations and public enterprises have experienced an increase in cyber-attacks and data breach incidents. Companies are focusing their resources and time on protecting their information and data from threats. If you are a federal government contractor, you are probably aware of the DFARS cybersecurity regulation. DFARS, the Defense Federal Acquisition Regulation Supplement, requires NIST 800-171 compliance, which is designed to safeguard controlled unclassified information and covered defense information from cyber incidents and hackers.

DFARS comprises 14 categories and several sets of rules. To be considered compliant, organizations have to follow each of the regulations in the given order. The DFARS flow-down clause has made it mandatory for prime contractors to ensure compliance throughout their supply chain. While the IT work required for DFARS compliance is not a complex process, many contractors still have not complied with the rules. One possible reason is that the regulation itself isn’t clear about the consequences of DFARS non-compliance.

Let’s find out some of the consequences of DFARS non-compliance.

1. Proposal Exclusion

The competition in the government contracting domain is fierce. Many contractors bid for the same job, and small contractors often have to go up against giant competitors. Organizations that are not consistent with DFARS compliance are at risk of not being considered for contracting jobs. Without enough work, your organization may suffer financially.

No agency will prefer working with an organization that lacks security measures. Being DFARS compliant means you have a high-quality security program in place and are up to date with the latest cybersecurity norms, which gives you a better chance at winning the contract.

2. Adverse Performance Reviews

If you have managed to get a federal contract despite not being DFARS compliant, you may be at risk of getting poor performance reviews. Getting poor performance reviews is worse than not getting a contract at all. Once your clients realize that your security standards do not meet the DFARS regulations, they may give you negative performance reviews if you don’t remediate the gaps soon. Bad performance reviews from your clients can affect your ability to bid on the next job or acquire a contract.

3. Termination for Default

The federal and state governments have the right to terminate a contractor’s services, fully or partially, for default. The government can exercise termination for default if you are found breaching contractual obligations such as DFARS NIST compliance.

Since 2017, every government contractor and vendor has been required to acknowledge NIST compliance in their agreements. If you have acquired a government contract but do not comply with the latest security regulations, you should take the necessary steps to remedy it.

4. Criminal Fraud

If you are a government contractor, the last thing you want to hear is “criminal fraud.” However, if your contract states that you are DFARS NIST compliant when in reality you are not, the government agency can bring a criminal fraud case against you. Criminal fraud cases can carry jail time of up to ten years, depending on the seriousness of the issue and the discretion of the judge. The best way to avoid such a situation is to become compliant with DFARS.

December 2021