Before deciding whether you need to be DFARS compliant, let's understand what DFARS is. DFARS 252.204-7012 is the Defense Federal Acquisition Regulation Supplement clause on safeguarding covered defense information and cyber incident reporting; it requires contractors to implement NIST SP 800-171 to protect Controlled Unclassified Information (CUI) that resides in non-federal IT systems. If an organization bids on or accepts a contract from the Department of Defense (DoD) that involves storing or processing CUI, it will more than likely have to comply with DFARS and NIST 800-171. While enforcement of these regulations has so far been inconsistent, it is becoming more important than ever to implement the security controls they lay out. To further protect national and global supply chains, all DoD contractors will eventually be required to comply with DFARS in some capacity. Here are a few beginner's steps for starting your compliance journey.
Start with NIST 800-171
The first step in determining how much work it will take to become DFARS compliant is to assess your current level of compliance through the lens of NIST 800-171. NIST 800-171 is the foundation on which DFARS, CMMC, and other federal requirements are built. It is made up of 110 security requirements divided into 14 control families, ranging from basic hygiene to more advanced practices that raise your security posture. When assessing your current level of compliance, evaluate your organization against all 110 requirements, because every contractor handling CUI is required to conduct a basic self-assessment scored against NIST 800-171 (using the DoD Assessment Methodology, with the resulting score reported to the DoD).
Create a System Security Plan
NIST 800-171 requires that contractors develop and maintain an up-to-date system security plan (SSP) that describes the system, including its boundaries, environments of operation, and how each security requirement has been implemented. When you are audited, the SSP is the primary document an assessor uses to verify that you are compliant. Make sure that your SSP is current, honest, and all-encompassing so that it provides the most accurate picture possible.
POA&Ms
A POA&M, or plan of action and milestones, is a document that lays out how your organization will resolve any unimplemented requirements or known vulnerabilities that would otherwise keep you from being compliant. Often an organization will not have all 110 NIST controls implemented at the time of an audit; the POA&M identifies which requirements are not yet met, who is responsible, and the planned milestones and dates for fixing each one.
Implementation of Security Controls
Once you've taken stock of your organization's strengths and weaknesses, how compliant you already are, and where you need to go next, it's time to start implementing the required controls. Be warned, implementing these controls may be easier said than done. CorpInfoTech is fully capable of helping you implement and maintain the security controls required by NIST 800-171. We work closely with NIST guidance, the CIS Controls, and other standards bodies, and we are experts in helping SMBs become compliant.
Continued Maintenance
Compliance isn't a one-and-done issue. Maintaining compliance and securing your organization is a process that requires continual attention, whether that means implementing new controls or updating older ones. The unfortunate reality is that cyber attacks are increasing in both volume and sophistication. To keep pace with a rapidly evolving threat landscape, your compliance program must also evolve and take on new controls to counter bad actors.
CorpInfoTech provides compliance services to small and medium-sized businesses in multiple industries. Not only do they provide DFARS compliance, but also NIST 800-171 and CMMC. While many MSPs outsource their security controls and NIST compliance work, CorpInfoTech does all of its work in house with an expert support team that has years of experience in security. Contact CorpInfoTech today if you feel your compliance is lacking.