<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

Audit Management, DFARS, Corporate Compliance and Oversight, Cybersecurity Frameworks

Defense Federal Acquisition Regulation Supplement Overview for Companies with Defense-Related Revenue

down-arrow

If your company generates Department of Defense(DoD) related revenue, you likely fall under DFARS. Take a close look at the Defense Federal Acquisition Regulation Supplement (DFARS) clause 225.204-7012. The regulation gives all the government contractors a deadline of December 31, 2017 to implement NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The fastest, most thorough solution available that you can use to complete your assessment for the lowest cost (experts provided) is available here. Otherwise, keep reading on.

What Is The DFARS Mandate?

The federal government is relying on external goods and services to help carry out a wide range of federal missions as well as business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” With that being said, the contractor community has to provide assurance to DoD that their IT system can offer a high level of security to protect this sensitive information. If any contractor fails to do so, they can inevitably lose their contracts. 

The document details requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in nonfederal information systems and organizations
  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry

In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, now the protection is extended to the unclassified systems that include covered defense information security, which creates wider-reaching consequences for the contractors and contracting officers. Being compliant can determine the future of businesses.

Who Is Impacted By NIST 800-171?

The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components, which can be found in the CUI category list. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

Get the Ultimate DFARS Guide

Making The Business Decision

While implementing those requirements might seem arduous, it is important to know that these NIST standards are best practice standards that your company could have already implemented as part of maintaining a good security system. Each requirement on the list can help your firm stay away from different cyber events and safeguard CUI.

Even though there are a lot of aspects a company needs to consider, such as budget and resources, keep in mind that achieving compliance is the only option you have if you to win future contracts, and the clock is ticking. DFARS Compliance has been top of mind for Prime contractors as well as Department of Defense suppliers for some time now. Over 87% of contracts written in 2017 had the DFARS 252.204-7012 clause written in them already, and DoD contractors large and small are reaping the award benefits of proving “adequate security” via NIST SP 800-171 implementation, as we see with our customer base.

Some companies have yet to implement an adequate cybersecurity program. Perhaps to put further pressure on these companies, the DoD now has issued guidance that demonstrates both its insistence on strong cybersecurity practices from its third-party providers and its intent to cut ties with those who do not. This guidance may serve as a model for other industries to place similar pressure on their vendors who have not implemented cybersecurity programs and to provide criteria to terminate business relationships with them.

Get On The Right Path:

  • Run a DFARS security assessment: this can help to have a clear vision of where your organization stands, and if you are in compliance with all the requirements.
  • Implementation: once you identified all the deficiencies in your IT system, you need to create a plan to help you complete the implementation. It should protect all the sensitive defense information as well as strengthen your system. Your POAM & SSP are crucial to documenting this step.
  • Partner with a third party: finding a trustworthy and experienced company to run your assessment, ease the process, and monitor and document continuing compliance. NIST SP 800-171 compliance is a dynamic process and there is only weeks left until the deadline. Reaching compliance, for now, is just the start, but maintaining the compliance is key. 

Get a FREE Demo to learn how to get your assessment, compliance documents and policies in order to keep existing contracts, and certainly before you try and win contracts in the future. You'll be able to weigh the costs and impacts of complying to DFARS and will give you the most effective path to compliance and risk management success. CyberStrong exports your compliance documents for audit with the click of a button, and is the platform within which you'll prove continuous compliance for all your contracts in-house, while benefitting from increased risk visibility, communication, and measurement.

 

You may also like

Achieving SOX Cybersecurity ...
on September 15, 2020

In 2002, massive developments in regulation among the financial industry were developed to set a standard for financial practices and corporate governance. This legislation was ...

Do's and Don'ts Of Conducting a ...
on August 31, 2020

The Financial Sector Cybersecurity Framework Profile was developed by the Financial Services Sector Coordinating Council (FSSCC) as a means to harmonize to the plethora of ...

The NYDFS Cybersecurity Regulation ...
on August 26, 2020

In 2017 the New York State Department of Financial Services created the NYDFS cybersecurity regulation 23 NYCRR 500, which held financial institutions accountable for maintaining ...

Leveraging FSSCC Cybersecurity ...
on August 24, 2020

2020 is a critical year for harmonizing financial services cybersecurity regulations and unifying them under the fsscc cybersecurity profile.  The Financial Services Sector ...

Alison Furneaux
Harmonize FinServ Cybersecurity ...
on August 21, 2020

The Financial Services Sector (FSSCC) Cyber Security Profile is one of the critical pieces of information used for proving compliance across a host of standards necessary of ...

FFIEC Cybersecurity Compliance ...
on August 17, 2020

The Federal Financial Institutions Examination Council (FFIEC) is the federal agency responsible for enforcing and regulating financial institutions’ standards and protections. ...