The Countdown to DFARS Compliance with NIST 800-171 is On

There’s a lot at stake right now with your company’s DFARS / NIST 800-171 compliance. What you do – or don’t do – in the next six months could impact your ability to secure and execute DOD contracts.

Is your company compliant with all 110 security controls in NIST 800-171?

As a supplier, chances are you’ve received a letter from one of your Prime’s asking if you are compliant with the DFARS mandate and reminding you of the compliance deadline of December 31, 2017. If your Prime uses Exostar as their sourcing and collaboration tool as the major Defense Contractors do, you will have to fill out a DFARS questionnaire before a PO can be issued for your part of the contract.

There are three ways to handle the situation:

Misrepresent the truth about your organization’s infrastructure security and answer the questionnaire in a knowingly untruthful way and claim compliance in the hopes that the truth is never discovered and that your firm is never flagged for a security audit.
Determine where you are non-compliant and develop a plan to become compliant by year’s end.
Write a letter to the DOD explaining where you are not compliant, and why.

Of these options, I think we can agree that the first is ill-advised, and the third is not a way to build trust and foster confidence in your firm. That leaves the second option – becoming compliant. How do you proceed?

What exactly is the DFARS mandate and why it’s important?

NIST Special Publication 800-171 Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of Covered Defense Information (CDI). This document outlines each of the controls your firm needs to meet in order to be able to continue providing services and products to your Prime and ultimately to the DOD.

The fact is, the controls outlined in DFARS are security measures that your firm should already be implementing as part of maintaining good security hygiene. Each item on the checklist helps your firm safeguard important information and, ultimately, helps your firm protect the confidentiality of CDI.

What should you do to keep your current contracts?

Right now your firm is probably compliant with about half of the 110 controls within NIST 800-171. Chances are the areas your company is deficient in include:

SIEM (security information and event management)
Multi-factor authentication
Applied encryption, both at rest and in-transit
Policies and written authentication for your security procedures and protocol

While addressing these deficiencies may seem onerous, it’s important to remember that becoming compliant is good for your company – and good for your bottom line. Perhaps you think you don’t have the resources, budget, or buy-in needed to move forward. Keep in mind that the path to compliance is the only viable option you have. Here is a plan on how to address and achieve DFARS compliance:

Get a security assessment to help you interpret what is required and if your company is in compliance with each of the 110 controls.
Create a plan to achieve compliance on all the items identified as deficient in your security assessment. Your remediation plan should solve for operational issues as well as protect covered defense information in a manner that demonstrably shows compliance. Note that remediation typically takes about 6 months – so you need to get started now.
Partner with a trusted, experienced company that:
- Has truly walked a mile in your shoes and has experience implementing the controls required for DFARS compliance.
- Tailors the control implementations to fit your reality and achieve compliance.
- Understands the practical realities of implementing controls like multi-factor authentication in an operational environment on a limited budget.

CyberSheath uniquely understands the DFARS security requirements and can assist you with assessing compliance with these DOD mandated security requirements and creating a road map of how you can become compliant by December 31, 2017.

The clock is ticking. Get started on your DFARS compliance today.

Don’t scramble to do research to address your security shortcomings. Get your current security state assessed now and formulate a plan to become compliant – before your Primes come to hold you accountable to this new mandate.