Every business that works with the US Department of Defense needs to be compliant with the Defense Federal Acquisition Regulation Supplement (DFARS). This includes both contractors who work directly with the DoD and any subcontractors that in turn work with them.
Specifically, the DFARS 252.204-7012 clause demands that contractors and subcontractors making up the Defense Industrial Base (DIB) adhere to the NIST Special Publication 800 171 framework. This is published by the National Institute of Standards and Technology.
NIST SP 800 171 is a globally recognized cybersecurity framework that is updated every few years to counter the latest cyberthreats and security standards. In total, it defines 110 security controls across 14 domains that defense contractors need to implement.
When do you need to achieve compliance?
The DFARS clause exists to mandate adequate security standards governing the protection of controlled unclassified information (CUI). This is not the same thing as corporate intellectual property, although it may be as well. Rather, it refers to information pertaining to the DoD that has not formally been classified, yet is considered potentially sensitive enough that it must be protected against unauthorized dissemination.
DFARS compliance concerns the governance of CUI residents in nonfederal systems, such as those belonging to private contractors and subcontractors. By contrast, classified information is only stored on federal systems as is strictly controlled in the interest of national security. If you do business with the DoD, then you almost certainly handle CUI, in which case contracts with the DoD will require compliance.
While it might still be possible to win a proposal with the DoD even if you have not undergone a formal security audit, doing so would be extremely risky. For example, DFARS requires that you report data breaches within 72 hours of their discovery, as well as provide evidence of your efforts to achieve compliance. If you are not compliant, however, then you will not have access to that evidence. This could result in immediate cancellation of the contract at best or, in the worst case scenarios, costly fines and litigation.
For many businesses, the 200,000-strong DIB is a highly lucrative market. Being able to win requests for proposals (RFPs) with the DoD can be very valuable to your organization. If that is the case, then you should start the journey towards DFARS compliance as soon as possible. Once you have achieved compliance by implementing all of the controls outlined by NIST SP 800 171, you will be able to bid on (and hopefully win) RFPs with the DoD.
What do you need to do to become compliant?
Achieving DFARS compliance requires meeting the demands of the 14 control families set out by the NIST SP 800-171. The framework is very similar to many others, but it has far fewer controls than the far more comprehensive NIST 800-53 framework. Even if you are not planning to bid on RFPs from the DoD in the foreseeable future, adherence to NIST SP 800 171 sets the bar high for digital security, which is something every organization needs.
The first and most important step to take when starting your DFARS compliance journey is to establish where you currently stand. In other words, you should carry out an assessment that will give you a complete understanding of your data and computing infrastructure as well as any threats and vulnerabilities it faces. This will also answer the question of whether or not you already meet the minimum DFARS requirements. If you have achieved a reasonable level of cybersecurity maturity, then this should not be a problem.
Despite this, it is important to treat compliance with any regulations as a journey. Due to the constantly evolving nature of technology and cybersecurity, you need to adopt a strategy of continuous improvement and innovation. This involves regularly assessing your network for potential vulnerabilities and new and emerging threats. These assessments may uncover key issues, such as lax access and authentication controls, inadequate training processes, error-prone data storage systems, and physical security issues.
Fortunately, meeting the demands of DFARS is very similar to meeting any other compliance mandate. It sets high standards of security, which is very much in the interest of your business and its customers and stakeholders. As such, the time to start implementing the requirements is now, beginning with a complete assessment of your current information environment.
Charles IT will help you meet your obligations as a prospective defense contractor with a full assessment of your existing environment. Our services will then help take your security to the next level so that you can win contracts critical to your business. Call us today to schedule an assessment!