What Is DFARS?
To stay competitive in the DoD acquisition process, you need to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”.
NIST 800-171 Rev. 1 details the fourteen families of security requirements (including basic and derived requirements) for protecting the confidentiality of Covered Defense Information (CDI).
The target audience for NIST 800-171 Rev. 1 is both public and private sectors including:
- Individuals with information system development life cycle responsibilities
- Individuals with acquisition or procurement responsibilities
- Individuals with information system, security, and/or risk management and oversight responsibilities
- Individuals with information security assessment and monitoring responsibilities
DFARS Compliance With CyberSheath
CyberSheath is uniquely positioned to enable your business to achieve compliance with NIST Special Publication 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. CyberSheath has assessed and implemented the required NIST 800-171 Rev. 1 controls for organizations of every size in the defense industrial base supply chain. Our professional services team has unmatched experience interpreting the NIST 800-171 Rev. 1 requirements, solving operational issues, and implementing the controls required to protect covered defense information in a manner that demonstrably shows compliance.
- Our professional services team has been working with the emerging and now mandatory DFARS compliance requirements since 2008 as part of the Defense Industrial Base pilot program.
- CyberSheath was founded to solve this problem for our customers. Our CEO has testified before the House Armed Services Subcommittee regarding the impact of implementing these controls on commercial networks. We uniquely understand the challenges you face in achieving compliance.
- Our professional services team has truly walked a mile in your shoes having come from operational roles in the defense industry implementing the very controls required for DFARS compliance.
- We understand the practical realities of implementing controls like multi-factor authentication in an operational environment on a limited budget. Our professional services tailor control implementations to fit your reality and achieve compliance.
CyberSheath’s DFARS Services
Our services enable you to understand and take the required action to meet the basic and derived security requirements for protecting the confidentiality of CDI.
Compliance with NIST SP 800-171 Rev. 1 can be achieved in four steps. They aren’t simple steps, and you should ignore vendors who are trying to sell you a product to achieve compliance: there isn’t one. Many of the 110 security requirements deal with process, and how you implement the controls will be unique to your business.
CyberSheath enables you to stay competitive in the DoD acquisition process and comply with NIST SP 800-171 Rev. 1 by:
Assessing Current Operations for Compliance
CyberSheath’s proprietary gap assessment of your current people, process and technology against compliance with NIST SP 800-171 Rev. 1 will pay dividends in achieving compliance. Our assessment process links to the following compliance requirements of NIST SP 800-171 Rev. 1:
Security Requirement 3.12.1 – Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
A CyberSheath-led assessment satisfies requirement 3.12.1, giving you a clear view of your current compliance with the NIST SP 800-171 Rev. 1 standard. Additionally, our assessment will generate your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&Ms), both of which are NIST SP 800-171 Rev. 1 requirements.
Writing your SSP & POA&M’s
NIST SP 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” and associated “plans of action.” Specifically:
Security requirement 3.12.4 (System Security Plan, added by NIST SP 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.
Initially your SSP will be an aspirational document, as you will find that many of the 110 NIST SP 800-171 Rev. 1 requirements are not fully implemented in your environment. Your POA&Ms will detail your plans to remediate deficiencies and achieve compliance. These plans can be documented in a variety of formats, but at a minimum they should detail:
- The deficiency identified
- The plan to correct the deficiency (people, process, and/or technology)
- The dates by which you intend to be compliant for the specific deficiency
Implementing the Required Controls
CyberSheath security engineers have implemented the NIST 800-171 Rev. 1 required controls for every size organization in the defense industrial base supply chain. We understand the unique challenges that come with manufacturing, lab and engineering environments. Our hands-on experience across the entire defense industrial base will be a force multiplier for your internal IT teams when implementing NIST 800-171 Rev. 1. We can lead the effort or augment your staff where required.
If you have made it this far, congratulations! Now plan for ongoing compliance in a way that achieves the following:
- Documented and automated compliance reporting
- Support for Request for Proposal (RFP) and other acquisition-related business development activities
- Management of your subcontractors’ compliance
Don’t trust your compliance with NIST 800-171 to a consulting company; instead, partner with CyberSheath. No other vendor has our depth of experience with the DFARS cyber security requirements.