Starting DFARS Compliance? How To Create A System Security Plan (SSP) & Plan of Action & Mitigation (POA&M)
The DFARS 252.204-7012 clause states that businesses that qualify under DFARS must comply as soon as practical, but no later than December 31, 2017. In September 2017, the Department of Defense, in collaboration with Defense Pricing and Procurement (DPAP), issued further guidance on how to meet the DFARS and NIST SP 800-171 requirements. Now in 2018, it is clear that producing these documents is crucial to winning new business and keeping existing contracts, even if you did not make the December 2017 deadline.
The DoD and DPAP guidance advises companies to create a System Security Plan (SSP), explains how to use it and how to appropriately document NIST SP 800-171 compliance, and describes the need for a Plan of Action and Milestones (POA&M) to use alongside the SSP in the compliance process.
Why Use a POA&M and SSP?
As a core part of the CyberStrong features, the SSP and POA&M generation and output are important artifacts to demonstrate your compliance or your path to compliance. They are highly recommended and are included in the DoD's statement mentioned earlier. The POA&M and SSP are documents that the DoD or your prime contractor will surely appreciate, whether at the December deadline or, at the very least, during 2018. NIST SP 800-171 revision 1 itself calls this type of artifact “critical inputs to an overall risk management decision to process, store or transmit CUI (controlled unclassified information)”.
Keep in mind that the DoD also stated that if a contractor is not fully compliant with the total set of security controls by December 31, 2017, but has an SSP and POA&M documenting the status of each control and the plan for remediation, that company can report ‘compliance’ with DFARS requirement 3.1 and so on, for all intents and purposes of clause 7012.
The additional guidance gives examples of POA&M and SSP use in these instances:
- Reporting compliance with DFARS 252.204-7012 for technical evaluation
- “Using proposal instructions and corresponding evaluation specifics” to determine processing, storing, and transmitting CDI/CUI and what risks are in or out of scope for the project
- Organizing and pinpointing NIST SP 800-171 security requirements that are not implemented at the time of award
- Identifying that the security requirements in NIST SP 800-171 must be implemented
Approaching Compliance With Your Documents
An SSP can be critical to fully documenting compliance. Revision 1 of NIST SP 800-171 added another control to the set that requires the creation of an SSP to “describe[s] the boundary of [a contractor’s] information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems.”
In the CyberStrong platform, once you input your data, the SSP and POA&M can both be exported, and a project that can take weeks or even months is reduced to a few hours. We know how difficult it is, in financial, time, and other resource terms, to fully comply, so we made it much easier for you to get ahead of the deadline with these documents.
In addition to a POA&M, according to the DoD, the SSP “describes how and when any unimplemented security requirements will be met, how any planned mitigations will be implemented, and how and when they will correct deficiencies and reduce or eliminate vulnerabilities in the systems”. That means the documents must describe the requirements, how you plan to remediate each control, and a timeline for remediation in your organization. That is just the bare bones; there is much more information that we recommend be included for compliance, such as the team members in charge of each control, deadlines, and the technology that will be adopted in remediation steps, all of which is included in the CyberStrong export using your organization's data.
If you are a company that falls under the DFARS mandate and handles sensitive information, the DoD, and our experts at CyberSaint, highly recommend having a POA&M and SSP in place. You can either use the CyberStrong platform to streamline compliance and automatically format and export your data into these documents for review, or you can put the documents together on your own. Be aware, however, that the compliance deadline has technically passed, and you will have to allot full company resources to getting these documents ready to hand over if requested. Regardless of your method, these documents are key to saving your contracts if you aren't yet fully compliant, and they will put you in good standing with your primes or on contracts against the competition. In 2018, make sure that you are working on becoming compliant using these documents, and that you demonstrate your competitiveness and adherence to DoD regulations if your business relies on defense-related revenue.