Request Demo

DFARS

Department of Defense Launches First DFARS Compliance Audit

down-arrow

The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012 requiring all members of the Department of Defense’s supply chain to comply with NIST SP 800-171 is nothing new. For a year now, the DFARS mandate has been required of all members of the DoD supply chain. Until this point, while signing off on compliance has been necessary to winning DoD-related business, there has been no substantial moves by the DoD to ensure that their suppliers are truly compliant. Until now.

On January 21, 2019, Under Secretary for Defense Ellen M. Lord issued a memo to defense acquisition leaders her intent to audit the DoD supply chain for DFARS compliance. The memo states that she has called upon the Defense Contract Management Agency (DCMA) to audit all prime contractors for compliance and assess their processes for compliance with the primes’ tier one suppliers.

What This Means For Suppliers

As we wrote in November with the release of the National Cyber Strategy, this administration is clearly committed to improving and enforcing the cybersecurity regulations related to the Department of Defense and the federal government as a whole. This audit is the first step in ensuring that suppliers are, in fact, compliance with the DFARS mandate and NIST SP 800-171. While the DCMA will only be directly assessing the primes and possibly their tier-one suppliers, this will surely have a ripple effect through the entire supply chain. Regardless of where you sit in the supply chain, DFARS compliance is no longer a matter of winning business. We are now to the point where it is a matter of losing business, and not just for you but for your partners as well.

About The DFARS Mandate

The federal government is relying on external services to help carry out a wide range of federal missions as well as business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” With that being said, the contractor community has to provide assurance to DoD that their IT system can offer a high level of security to protect this sensitive information. If any contractor fails to do so, they can inevitably lose their contracts.

The document details requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in nonfederal information systems and organizations
  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry

In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, now the protection is extended to the unclassified systems that include covered defense information, which creates wider-reaching consequences for the contractors. Being compliant can determine the future of businesses.

Run a DFARS security assessment: this can help to have a clear vision of where your organization stands, and if you are in compliance with all the requirements.

Implementation: once you identified all the deficiencies in your IT system, you need to create a plan to help you complete the implementation. It should protect all the sensitive defense information as well as strengthen your system. Your POAM & SSP are crucial to documenting this step.

Partner with a third party: finding a trustworthy and experienced company to run your assessment, ease the process, and monitor and document continuing compliance. NIST SP 800-171 compliance is a dynamic process and there is only weeks left until the deadline. Reaching compliance, for now, is just the start, but maintaining the compliance is key.

Get a FREE Demo to learn how to get your assessment, compliance documents and policies in order to keep existing contracts, and certainly before you try and win contracts in the future. You'll be able to weigh the costs and impacts of complying to DFARS and will give you the most effective path to compliance and risk management success. CyberStrong exports your compliance documents for audit with the click of a button, and is the platform within which you'll prove continuous compliance for all your contracts in-house, while benefitting from increased risk visibility, communication, and measurement.

 

You may also like

The Cybersecurity Skills Gap: The ...
on February 7, 2019

The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag ...

George Wrenn
The Post-Digitization CISO
on February 5, 2019

Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As ...

Integrated Risk Management and ...
on January 31, 2019

With technology permeating every aspect of a business, one begins to wonder what technology is reserved for digital risk management rather than the other facets of integrated risk ...

Department of Defense Launches ...
on January 29, 2019

The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012 requiring all members of the Department of Defense’s supply chain to comply ...

Digital Risk Management Frameworks
on January 24, 2019

As organizations continue to embrace digitization, security teams are faced with the challenge of keeping the enterprise secure while empowering growth and innovation. Many CISO’s ...

The Cybersecurity Impact Of The ...
on January 23, 2019

There has been a great deal of speculation around the cybersecurity posture of the nation in light of the most recent (and longest documented) government shutdown. I’ve seen two ...

George Wrenn