As the Department of Defense begins to crack down on the cybersecurity posture of its supply chain, ensuring compliance with the DFARS mandate, and specifically with National Institute of Standards and Technology (NIST) SP 800-171, is becoming a top-of-mind concern for both technical and business leaders. DoD contractors need to understand that 800-171 compliance is no longer only about securing their own organization: it is about preventing a compromised contractor from becoming an entry point into an entire network of federal agencies. Many manufacturers and contractors face the challenge of allocating resources for these security requirements. Even if they have achieved the necessary compliance standards in the time since the mandate went into effect, ensuring that the necessary audit trail and documentation are readily available is a completely different matter.
What are DFARS and NIST SP 800-171?
The federal government relies on external services to help carry out a wide range of federal missions as well as business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” Accordingly, the contractor community has to provide assurance to DoD that their IT systems offer a high level of security to protect this sensitive information. Any contractor that fails to do so can lose its contracts.
The document details requirements for protecting Controlled Unclassified Information (CUI) when:
- The CUI is resident in nonfederal information systems and organizations
- The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry
In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, the protection now extends to the unclassified systems that hold covered defense information, which creates wider-reaching consequences for the contractors. Being compliant can determine the future of a business.
SP 800-171 groups its security requirements into fourteen families, all of which a contractor must satisfy to be compliant and to protect the confidentiality of CUI in nonfederal information systems:
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
The Challenge Facing Many DFARS Contractors
Especially as the DoD moves away from a self-certification approach to ensuring 800-171 compliance, contractors need to ensure that they have resources consistently dedicated to cybersecurity. For many contractors that are not primes, the problem becomes resource constraints. Often, having an in-house compliance and risk team means building one from scratch. Whether a contractor already has an assigned information security team in place or is still exploring its options, DFARS compliance is too pressing to wait on. In many cases, outsourcing is a far more viable and economical option for achieving DFARS compliance and ensuring that the SP 800-171 requirements are met.
Outsourcing DFARS Compliance
As we’ve said, meeting NIST 800-171 requirements is primarily about resource allocation, both time and money. For the majority of contractors, the most cost-efficient way to reach and maintain DFARS compliance is through a managed service provider. By supplementing your organization with a trusted outside security team, you can reserve your in-house resources for the core aspects of your business and spare yourself months of training and a large investment in developing your own program.
By using a service provider that relies on an AI-backed solution like the CyberStrong platform, contractors also gain the added benefit of scaling beyond the baseline of DFARS compliance. As more compliance requirements emerge and cyber risk becomes a greater concern for CEOs and boards across all industries, having a solid foundation to build upon is a critical step. Augmenting your organization with a specialized information security team helps you scale faster and ensures that your business and revenue are secure.