What are DFARS and NIST SP 800-171?
The protection of Controlled Unclassified Information (CUI) is of high concern to the Department of Defense of the United States (DoD). This data, which is often sensitive information that touches on privacy and security concerns, contains classified business interests, or is relevant to law enforcement investigations, is intended to be protected by the guidelines and requirements of the Defense Federal Acquisition Regulation Supplement (DFARS). This data security standard is also known as DFARS Cyber Clause 252.204-7012.
The DFARS is based on NIST Special Publication 800-171, a set of regulations issued by the National Institute of Standards and Technology and the Under Secretary for Defense Acquisition designed to ensure that those working with the Department of Defense have methods to meet requirements to protect sensitive information. This eliminated the patchwork of policies, procedures, and labels that had previously prevailed to protect and control CUI.
DFARS compliance is mandatory for all companies that generate DoD-related revenue to protect the sensitive data that resides within their supply chain from being compromised. However, companies that aspire to generate DoD-related revenue in the future must also be DFARS-compliant.
If a contractor fails to comply with cybersecurity controls, it must provide notice of the areas of noncompliance within 30 days of contract award. Failure to comply with the DFARS can result in the suspension of the contract, financial penalties, termination of the contract, or even debarment from working with the Department of Defense.
This article deals with:
Evidence that matters under DFARS compliance
To provide evidence that an organization is in compliance with NIST 800-171, it must conduct a self-assessment for all 110 control points and develop a System Security Plan (SSP) that describes how the security requirements are met. Also, a Plan of Actions and Mitigations (POA&M) to show when controls are in place and security gaps are closed.
Implementing these security controls is the first step to compliance and can be quite an extensive undertaking, especially for organizations with scarce or limited resources. However, it is possible for a company to hire a third party to perform the DFARS assessment. A cost-effective alternative is to use a digital solution that can perform the security assessment quickly and automate documents as they go through. DFARS compliance documents can be managed internally using checklists, which can be done digitally over the Internet, depending on the company and its knowledge of NIST language and technical capabilities.
DFARS accordingly means conducting an assessment and compiling comprehensive compliance documents that are updated live and ready for submission at any time. The U.S. Department of Defense requires full compliance with all NIST SP 800-171 controls. Accordingly, companies should not worry about spending time and effort to fully remediate controls. The Plan of Action and Remediation (POA&M) and the System Security Plan (SSP) are both important documents companies can use to demonstrate that they have implemented the controls and assessed their organization.
Compliance with NIST 800-171 ultimately gives a company the upper hand among competitors. If a supplier fails to comply with the NIST cybersecurity controls described in DFARS clause 252.204-7012, it must notify the Department of Defense within 30 days of contract award of the areas where it cannot comply.
The DFARS Compliance Checklist as a Tool
Using a DFARS compliance checklist is an efficient and time-saving way to regularly monitor the 110 checkpoints to consistently comply with contract requirements. The following 14 control families should be covered by a DFARS compliance checklist by completing appropriate checks:
- Access Control – Restrict system access to authorized individuals.
- Awareness and Training – Creating awareness of the security risk associated with user* activities. Conduct training on applicable policies, standards, and procedures; and Ensure that all users are adequately trained in the performance of their duties.
- Audit and Accountability – Create, protect, retain, and review system logs.
- Conflict Management – Creation of baseline configurations and deployment of robust change management processes.
- Identification and Authentication – Identification and authentication of information system users and devices.
- Incident Response – Developing procedures to prepare for, detect, analyze, mitigate, recover from, and respond to incidents.
- Maintenance – Timely maintenance of organizational information systems.
- Media Safeguarding – Protection, cleaning, and destruction of media pertaining to CUI.
- Personnel Security – Screening individuals prior to authorizing their access to information systems and ensuring that such systems remain secure after individuals have been terminated or transferred.
- Physical Protection – Restricting physical access to facilities and protecting and monitoring the physical facility and supporting infrastructure for information systems.
- Hazard Assessment – Assessment of operational risk associated with processing, storage, and transmission from the CUI.
- Security Assessment – Assessing, monitoring, and correcting deficiencies and reducing or eliminating vulnerabilities in organizational information systems.
- System and Communications Protection – Monitor, control, and protect data at system boundaries and apply architectural designs, software development techniques, and systems engineering principles that promote effective information security.
- System and Data Integrity – Identify, report, and correct errors in information and information systems in a timely manner, protect the information system from malicious code at appropriate points, monitor information security warnings and advisories, and take appropriate action.
A digital application for DFARS compliance
Testing compliance with DFARS standards with a checklist is essential for DoD contractors. Applying DFARS standards not only protects the organization from security breaches, but also ensures the integrity of its security measures.Conducting regular audits through a DFARS compliance self-assessment helps provide organizations with data they can use to improve their information systems.
A digital compliance software and app like Lumiform helps organizations perform this DFARS compliance assessment using checklists. The collecting, documenting, and evaluating of data and information is made easier with a DFARS compliance checklist by allowing the results to be recorded and prepared in a structured manner. Take advantage of Lumiform’s compliance software to improve your information systems:
- Conduct assessments and audits anytime, anywhere using any mobile device – online and offline.
- Use one of the numerous templates from Lumiform’s library for your DFARS compliance self-assessment and other reviews.
- Analyze the data collected and uncover areas for improvement and derive corrective actions.
- Keep track of reviews, audits, and corrective actions with the app and desktop software.
- Generate automatic reports on your assessments, audits, and reviews and share them with responsible parties and contractors.
- All data and reports are securely stored in the cloud.
Try Lumiform for free