Request Demo

DFARS

DFARS Compliance: The Clock is Ticking

down-arrow

If your company generates Department of Defense(DoD) related revenue, you likely fall under DFARS. If you want your DoD contracts to continue after the end of 2017, you need to take a close look at the Defense Federal Acquisition Regulation Supplement (DFARS) clause 225.204-7012. The regulation gives all the government contractors a deadline of December 31, 2017 to implement NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

What is the DFARS mandate and why it is important?

The federal government is relying on external services to help carry out a wide range of federal missions as well as business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” With that being said, the contractor community has to provide assurance to DoD that their IT system can offer a high level of security to protect this sensitive information. If any contractor fails to do so, they can inevitably lose their contracts.

 

The document details requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in nonfederal information systems and organizations

  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies

  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry

In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, now the protection is extended to the unclassified systems that include covered defense information, which creates wider-reaching consequences for the contractors.

Who is impacted by NIST 800-171?

 

The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components, which can be found in the CUI category list. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

Here is a list of categories of CUI information has been made available by National Archives (NARA)

 

What are the 800-171 requirements?

 

There are fourteen families of security requirements that must be met in order to protect the confidentiality of CUI in nonfederal information:

 

  1. Access Control

  2. Audit and Accountability

  3. Awareness and Training

  4. Configuration Management

  5. Identification and Authentication

  6. Incident Response

  7. Maintenance

  8. Media Protection

  9. Physical Protection

  10. Personnel Security

  11. Risk Assessment

  12. Security Assessment

  13. System and Communications Protection

  14. System and Information Integrity

 

What should you do as a business?

 

While implementing those requirements might seem arduous, it is important to know that these NIST standards are best practice standards that your company could have already implemented as part of maintaining a good security system. Each requirement on the list can help your firm stay away from different cyber events and safeguard CUI.

Even though there are a lot of aspects a company needs to consider, such as budget and resources, keep in mind that achieving compliance is the only option you have and the clock is ticking.
 

There are few things your organization can do to get on the right path:

  • Run a Security Assessment: this can help to have a clear vision of where your organization stands, and if you are in compliance with all the requirements.
  • Implementation: once you identified all the deficiencies in your IT system, you need to create a plan to help you complete the implementation. It should protect all the sensitive defense information as well as strengthen your system. Your POAM & SSP are crucial to documenting this step.
  • Partner with a third party: finding a trustworthy and experienced company to run your assessment, ease the process, and monitor and document continuing compliance. NIST SP 800-171 compliance is a dynamic process and there is only weeks left until the deadline. Reaching compliance, for now, is just the start, but maintaining the compliance is key.

The government has made this change in regulation in order to improve the security of the U.S.. Future contracts are including DFARS in their terms, so if you want to win contracts in the future it is highly recommended that you comply before the deadline.

You may also like

Why GRC Needs IRM
on February 15, 2019

Today, every organization strives to optimize the speed with which they access information. Data is being stored, processed, transmitted and utilized in almost every day-to-day ...

Alison Furneaux
Government Shutdown Cybersecurity ...
on February 12, 2019

In January, CyberSaint CEO George Wrenn penned his thoughts on the impact of the government shutdown. In his post, George foresaw the outcome of the shutdown not being a future ...

The Cybersecurity Skills Gap: The ...
on February 7, 2019

The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag ...

George Wrenn
The Post-Digitization CISO
on February 5, 2019

Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As ...

Integrated Risk Management and ...
on January 31, 2019

With technology permeating every aspect of a business, one begins to wonder what technology is reserved for digital risk management rather than the other facets of integrated risk ...

Department of Defense Launches ...
on January 29, 2019

The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012 requiring all members of the Department of Defense’s supply chain to comply ...