<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

If your company generates Department of Defense(DoD) related revenue, you likely fall under DFARS. If you want your DoD contracts to continue after the end of 2017, you need to look closely at the Defense Federal Acquisition Regulation Supplement (DFARS) clause 225.204-7012. The regulation gives all government contractors a deadline of December 31, 2017, to implement NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

What is the DFARS mandate?

The federal government relies on external services to help carry out various federal missions and business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” With that being said, the contractor community has to provide assurance to DoD that their IT system can offer a high level of security to protect this sensitive information. If contractors fail to do so, they can inevitably lose their contracts.

The document details requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in nonfederal information systems and organizations

  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies

  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry

In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, now the protection is extended to the unclassified systems that include covered defense information, which creates wider-reaching consequences for the contractors.

Who is impacted by NIST 800-171?

The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components, which can be found in the CUI category list. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations/

What should you do?

While implementing those requirements might seem arduous, it is important to know that these NIST standards are best practices that your company could have already implemented to maintain a good security system. Each requirement on the list can help your firm stay away from different cyber events and safeguard CUI.

Even though a company needs to consider many aspects, such as budget and resources, keep in mind that achieving compliance is the only option you have, and the clock is ticking. Use our DFARS compliance checklist to guide your alignment with this crucial framework.
 

Get on the Right Path

DFARS Compliance Step Checklist
Run a Security Assessment This can help to have a clear vision of where your organization stands, and if you are in compliance with all the requirements.
Implementation
  • Once you have identified all the deficiencies in your IT system, you need to create a plan to help you complete the implementation. It should protect all the sensitive defense information and strengthen your system. Your POAM & SSP are crucial to documenting this step.
Partner with a Third Party Find a trustworthy and experienced company to run your assessment, ease the process, and monitor and document continuing compliance. NIST SP 800-171 compliance is a dynamic process; only weeks are left until the deadline. Reaching compliance, for now, is just the start, but maintaining compliance is key.

 

The government has made this change in regulation to improve the security of the U.S. Future contracts include DFARS in their terms, so if you want to win contracts in the future, it is highly recommended that you comply before the deadline.

You may also like

Benchmarking Your Cyber Risk ...
on September 25, 2023

Benchmarking your organization against the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a valuable step towards improving cybersecurity ...

Security Posture Management: The ...
on September 27, 2023

Cybersecurity is a complex and dynamic field, and there are several elements that security teams must continuously monitor and manage to protect an organization's security ...

Stay One Step Ahead: A Guide to ...
on September 1, 2023

Cyber risk monitoring aims to proactively manage and mitigate cyber risk to protect an organization’s valuable assets and sensitive data. This process involves regularly ...

How to Create a Cybersecurity Risk ...
on August 22, 2023

For years, the discourse in IT has been centered around cybersecurity. Yet, with the volume of cyber attacks increasing, professionals have developed a more holistic approach to ...

How to Mitigate Cyber Risks in ...
on August 18, 2023

Supply chains are complex networks of organizations, people, processes, information, and resources, all collaborating to deliver goods and services to end consumers. Due to their ...

Conducting a Cyber Risk ...
on August 11, 2023

Cyber risk has become increasingly pervasive in almost every industry. From the new SEC cyber regulations to industry standards like the NIST CSF and HIPAA, regulatory bodies are ...