DFARS & NIST 800-171 - A Compliance Overview
You might have landed on this page because you have, or are bidding for, a contract with the Department of Defense. You’re not alone! Many manufacturers and suppliers are aiming to win contracts with the DoD, one of the largest buyers in the world, as this all but guarantees a steady and reliable revenue stream. But a contract that makes you part of a national supply chain involving the DoD is not the simplest one to win.
In this article, we answer the most common questions that we hear from our clients on how manufacturing firms can meet the requirements for acquiring a DoD contract, in the hope that it will help you do the same.
What is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS 7012) is a standard set of regulations that require DoD contractors to put in place adequate cybersecurity practices for the careful handling of Controlled Unclassified Information (CUI). All DoD contractors must comply with DFARS requirements before they are even allowed to bid for a contract.
What is CUI?
CUI is an information classification created under Executive Order 13556. It is broadly applicable to many branches of the federal government and pertains to data that can be considered sensitive but not classified. Simply put, CUI is information that does not fall under the classified spectrum of government secrecy, but is still sensitive enough that standards must be met to keep it from being disseminated without controls.
DFARS specifically states that data that is “collected, developed, received, transmitted, used, or stored by or on behalf of the DoD largely falls under CUI.”
Who needs to be DFARS compliant and what happens if you fail to comply?
Every DoD contractor that handles CUI runs the risk of having their contracts terminated if they don’t meet the minimum security requirements of DFARS. This extends even to subcontractors that work with DoD contractors. If you sell something that ends up being sold to the Department of Defense, whether directly or indirectly, you’ll need to be DFARS compliant. The risk of being in violation of DFARS regulations is higher with manufacturers who directly deal with the DoD.
Failure to comply with DFARS can bring very severe penalties, ranging from contract suspension to an outright ban on contracting with the DoD (or even bidding to do so). If you are unsure whether you need to be DFARS compliant, you can check out NIST’s official self-assessment handbook.
How are DFARS and NIST 800-171 related?
In simple terms, DFARS is a set of requirements that contractors must meet in order to land or keep a contract with the DoD. It requires contractors to implement a set of cybersecurity practices to ensure the careful handling of information and the resolution of cybersecurity incidents. The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), on the other hand, is a set of guidelines that contractors must adhere to in order to be DFARS compliant. Essentially, NIST SP 800-171 defines how manufacturing firms should handle CUI.
What are the minimum requirements for DFARS and NIST 800-171 compliance?
In order to be compliant with DFARS and NIST 800-171 controls, you need to provide adequate security for covered defense information that you store on your own servers. You also need to quickly report any cyber incidents and cooperate with the DoD in mitigating and responding to these incidents by providing as much access and data as needed.
What does it mean to be DFARS and NIST 800-171 compliant?
In general, DFARS 7012 requires manufacturing firms to have adequate cybersecurity practices in three key areas: regularly assessing the environments that contain or process CUI, implementing multi-factor or two-factor authentication for all local and network access, and having coherent and rapid incident response capabilities.
To meet these minimum requirements, you’ll need to introduce security controls for the 14 different areas (control families) laid out in NIST SP 800-171:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
For a comprehensive analysis of each of the above key areas, check out our guide to understanding the DFARS requirements.
How do I ensure DFARS and NIST 800-171 compliance?
There are a number of things to do to start your manufacturing firm’s journey towards DFARS 7012 compliance; here are five tips to help you get started. But to truly ensure compliance, you need to comb through the guidelines laid out in NIST SP 800-171. There really is no workaround other than learning the requirements to the letter. However, the DoD does not prevent contractors from seeking the assistance of an experienced third-party expert, like Charles IT, who already knows these requirements by heart, which means there is no need to overwhelm your staff. But if you’re confident that you don’t need outside help, you can use our DFARS compliance checklist to guide you through the process.
Dealing with DFARS compliance can be a daunting task, especially for manufacturing firms that are new to contracting with the DoD. While this article arms you with the basics, it's only the first step on a long (but very valuable) journey. If you'd like to make that journey easier, contact our team of experts, who can help you meet your data security benchmarks and secure your DoD contract without the headache.