Developing a 5-Month Plan for Achieving DFARS NIST 800-171 Compliance

By Casey Lang • August 11, 2017

In less than five months your organization needs to be DFARS NIST 800-171 compliant. If you have already formulated a remediation plan to help you address your deficiencies, continue working through your prioritized roadmap to meet the compliance deadline. If you haven’t yet begun planning, get started today. Don’t jeopardize your ability to secure and execute DoD contracts by being non-compliant.

Three Areas to Focus on as You Craft Your Compliance Roadmap

After you’ve assessed your organization against the 110 security controls in NIST 800-171, you’ll need to build a plan to address your compliance gaps. An effective plan will have components that address these three areas.

  1. Multi-Factor authentication
    • What it is: Multi-Factor authentication (MFA) is a security measure where more than one method of authentication from independent categories of credentials is required to verify the user’s identity for a login or other transaction. It is an important component of any security plan as increasing authentication from a single factor greatly improves the security of your systems.
    • What you need to do: Procure an identification and authentication service that complies with the DFARS security requirements. Make sure the MFA solution is scoped and implemented to address the unique requirements of your environment. Also, work with stakeholders and end-users to conduct use-case and validity testing. Integrate with your authentication management processes to administer the user lifecycle. Make sure you have access to training, maintenance, and support of your solution.
  1. Privileged Account Management
    • What it is: Privileged account management (PAM) is managing and auditing account and data access by privileged users, who are individuals with administrative access to critical systems. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
    • What you need to do: Ensure your PAM solution provides automated, monitored, and controlled privileged access. Elevate administrative access to avoid granting excessive access to privileged accounts. Require the verification of a ticket or an approval to ensure administrative access is only granted when it is required for a specific activity. Work with engineers who are well versed in fine-tuning the configuration of the PAM suite and who can provide technical expertise and customization for your unique project.
  1. Vulnerability Management
    • What it is: Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in your security infrastructure. It is important that your organization continually be monitoring for vulnerabilities to ensure you stay ahead of potential threats.
    • What you need to do: A DFARS compliant vulnerability management program will continuously assess your environment for vulnerabilities and patch compliance. Make sure your solution performs monthly vulnerability scans, as well as scans after any significant changes are made, of all your internal and public-facing systems. Also, ensure you receive a monthly report detailing new findings and findings from the previous month(s) which have yet to be remediated. Verify implementation of patches or workarounds for each fix with follow-up scans as needed.

Plan, Provision, and Outsource if Needed to Meet the December 31, 2017 Deadline

Determine what you can reasonably accomplish with your internal resources and what you need to outsource to meet the December deadline. Also, as part of your roadmap, make sure you plan for a post-compliance world where you need to maintain the controls you’ve implemented.

Regardless of where you are in your DFARS compliance process, time is of the essence. Continue your efforts or get started now – five months is not much time to affect the change mandated by NIST 800-171 compliance.

If you need support, contact us for a FREE consultation.

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO