NIST 800-171 and DFARS Compliance

We are here to help you achieve DFARS compliance by consulting on and implementing the technical aspects of the NIST 800-171 requirements through the following steps:

  • Locate and Identify CUI. The first step is identifying which systems and solutions in your network store or transfer CUI.
  • Categorize CUI.
  • Implement Required Technical Controls.
  • Train Your Employees.
  • Monitor Your Data.
  • Assess Your Systems and Processes.

What is DFARS?

The DFARS is a DoD (Department of Defense)-specific supplement to the FAR (Federal Acquisition Regulation). It provides acquisition regulations that are specific to the DoD. DoD government acquisition officials and contractors and subcontractors doing business with the DoD must adhere to the regulations in the DFARS.

The DFARS contains:

  • Requirements of law
  • DoD-wide policies
  • Delegations of FAR authorities
  • Deviations from FAR requirements
  • Policies and procedures that have a significant effect on the public

Who needs to be DFARS Compliant?

The cybersecurity requirements under the DFARS mandate that DoD contractors and subcontractors must implement controls that are specified in the NIST SP (Special Publication) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” CUI (Controlled Unclassified Information) requires safeguarding in accordance with applicable laws, regulations, and policies.

All contractors and subcontractors processing, storing, or transmitting CUI need to meet the minimum security standards specified in the DFARS. Failing to meet these standards can result in the loss of contracts with the DoD.

How to achieve compliance with the DFARS

There are three ways contractors can comply with the DFARS (ranging from basic to intensive):

  • Contractors can self-assess their compliance, and make an attestation that they are complying with the DFARS and have implemented the NIST SP 800-171 security controls
  • A third-party organization can provide external auditing on the contractor or certification that the contractor has met the requirements for certification
  • A federal team can be dispatched to inspect the contractor’s security plan

The first level is the easiest to implement but lacks the credibility that the other two levels provide. The third level is only available to certain contractors.

The second level can be achieved through gaining certification by a third party such as ISO 27001 certification. ISO 27001 is the international standard that describes best practice for an ISMS (information security management system). An ISMS is a system of processes, documents, and technology that helps manage, monitor, audit, and improve your organization’s information security.