Is Your Organization DFARS Compliant?

August 27, 2018

The Defense Federal Acquisition Regulation Supplement (DFARS) guidance that has been published by the Federal Government requires all DoD contractors and organizations that deal with sensitive data related to government programs complete a NIST 800-171 assessment to become fully compliant with section 252.204-7012. If this assessment is not completed and compliant, your organization can risk current and future DoD contracts.

Many organizations believe that they are not required to adhere to this requirement, but if your organization works with the DoD and stores sensitive controlled unclassified information (CUI), such as technical information, contractual information, drawings, etc… on your corporate environment or in a government approved cloud then a DFARS audit must be conducted using NIST SP 800-171 as a guide. Newly awarded contracts are containing language stating that organization must be compliant and need to report back to the Federal Government with any deficiencies with the required controls.

The DFARS set of controls within NIST 800-171 Safeguarding Covered Defense Information and Cyber Incident Reporting contains thirty (30) basic requirements and seventy-nine (79) derived security requirements which map back to NIST 800-53 security controls. This could be viewed as a simplified FISMA Audit so if your organization has already conducted a FISMA Audit, chances are good that you will most likely pass the controls which are in selected in the DFARS Audit. The goal of the audit is to evaluate two core security families – 1) Adequate Security and 2) Incident Reporting. The Adequate Security family of controls is designed to ensure that all sensitive information is protected in a manner that has either mitigated or lowered the risk of exposure. The Incident Reporting family of controls is designed to ensure that your organization has the proper Incident Handling steps in place to make sure that the identification and handling of incidents occur, whether they are actual intrusions or even attempted intrusions against the environment.

Your obligation does not end at the audit and assessment phase of the DFARS process. If any control fails to be compliant, the organizations must report the deficiency within 30 days after the contract award with a plan of action for how the control will be mitigated or why it hasn’t been corrected. When a potential incident does occur, or an attempt has occurred, the organization must report within 72 hours after the identification of the incident. It has become clear that the federal and local governments are not taking a relaxed approach to vendors who are entrusted with sensitive information that could affect programs that are current along with programs that will deploy soon.