There are less than 100 days left until the mandatory compliance deadline for implementing the DFARS required controls of NIST 800-171. Is your organization ready?
If you have been focusing on other strategic business initiatives and have not yet dedicated resources to NIST 800-171 compliance, you still have time. It will take a lot of work, but your organization can have a documented plan in place to guide your efforts and make material gains towards compliance this quarter.
Month-by-Month DFARS Compliance Guide
To remain competitive in your pursuit of new contracts with the Department of Defense, you should:
- Assess your current state and create an implementation plan for your needed controls.
- Formulate a DFARS-required System Security Plan (SSP).
- Achieve DFARS compliance.
Here’s how to accomplish that by the end of 2017.
October
- Conduct security assessment – You might be tempted to save time and skip this step – but don’t assume that you already know what work needs to be done. Execute an internally or externally-led gap assessment against the fourteen families of controls in NIST 800-171. Document your compliance with each family of controls. Be sure to record the people, processes, technologies, and related artifacts involved and demonstrate that your security program is implementing the required controls as a part of your day-to-day operations.
- Unsure of how to proceed? Work with a vendor – If you are struggling with the interpretation of the controls, enlist the help of a skilled outside party to execute the gap assessment.
- Find a vendor – Look for a services provider with specific NIST 800-171 experience, both assessing compliance and implementing remediation programs to achieve compliance. Get references and make the vendor provide proof of past success in helping defense contractors achieve compliance. Query the vendor about the deliverable from the assessment and be clear that you are looking for more than best practice recommendations – you require information specific to your internal operations.
- Leverage the third-party vendor to engage your executive team – Have your vendor work with your executives and get answers to the inevitable questions around DFARS compliance. You probably have already had a talented team that has been briefing NIST 800-171 internally for some time. Often the same message from a trusted third party with past experience can jumpstart the conversation at the executive level and secure the support your team needs.
November and December
- Create a project plan and start implementing controls – Using the results of your gap assessment, create a project plan and start implementing controls that don’t currently exist in your organization and remediating the ones that fall short of meeting the requirements.
- Be proactive in engaging procurement – If you have to purchase tools or engage a third party to assist in remediation, make sure that your purchasing is streamlined. With less than 100 days left there is little time for delays related to procurement processing. Ideally, you will have already spent time to get executive buy-in on this effort and have created the required sense of urgency around meeting the December compliance deadline.
- Start writing your SSP – In parallel to your remediation efforts, start writing your SSP. It’s a requirement of compliance – and it will force you to be strategic about long-term compliance and not get lost in the tactical details of getting specific controls implemented before December. Your SSP should be a true reflection of your NIST 800-171 compliance program. You should plan to review and update this document annually.
CyberSheath is skilled at performing security assessments, creating remediation plans, writing SSPs, and most importantly actually implementing the required controls. If you need assistance achieving DFARS compliance before the deadline, Contact Us today.