Government contractors deal with many compliance concerns during their work with Federal Government customers. Regulations such as NIST 800-171, called the Defense Federal Acquisition Regulation Supplement (DFARS), and NIST 800-53, part of the Federal Information Security Management Act (FISMA), may be part of the technology standards that a government contractor must follow during their work. To ensure full compliance with DFARS and FISMA requirements, contractors should understand what each regulation covers, the systems that they apply to, and whether overlap occurs between them.
Who Are the Regulations Meant For?
FISMA covers Federal institutions and the information systems that they use. It’s a comprehensive set of guidelines that government institutions must follow when they secure their infrastructure. In some cases, FISMA applies to government contractors if they operate federal systems, such as providing a cloud-based platform. DFARS solely refers to the internal systems of Department of Defense contractors.
How Are the Requirements Different?
FISMA is a massive 462-page document that covers the framework that government institutions use for appropriate levels of security and privacy in their systems. The primary focus of FISMA is assisting government organizations when they’re putting together IT security protocols and strategies. There are 212 controls total in this document, although organizations don’t have to implement all of them to be in compliance.
DFARS is much smaller, with only 125 pages of guidelines. It covers the proper protection of Controlled Unclassified Information (CUI) when a non-federal organization is using that data on their internal systems. Only 109 controls are listed in this document, and all of them are required for compliance.
Where Do DFARS and FISMA Overlap?
Some of the controls of DFARS and FISMA overlap, so government contractors that have to adhere to both regulations may have some areas already covered. These controls fall under the cybersecurity best practices that contractors should already be paying attention to in order to protect against data breaches.
- Access control: Ensure that users only have the permissions they need to do their work.
- Configuration management: Confirm that the configuration is set up to maximize security for CUI.
- Ongoing maintenance: Proactively address potential vulnerabilities to limit the opportunities available to attackers.
- Accountability: Maintain a paper trail that can be produced in the event of an audit or another type of review.
- Information integrity: Maintain the integrity of the CUI and other important information on these systems.
Why Were Both Regulations Enacted?
DFARS and FISMA were enacted to provide federal institutions and government contractors with the guidelines they needed to adopt a risk-based cybersecurity approach. With cyber attacks frequently happening across all public and private sectors, it was important to create a standard for government agencies and contractors to follow so an appropriate level of security was in place.
Without this type of regulation, government contractors and institutions would have a greater risk of data breaches and other IT security problems. The controls outlined in these documents act as a set of best practices for organizations to follow.
Keeping government systems and CUI secure and protected is an essential task, but contractors should pay close attention to which framework actually applies to the project. In some cases, government agencies will default to requiring contractors to comply with the much broader FISMA, even if DFARS is more suitable for the type of work they’re doing.
If you are a DoD contractor and need assistance with DFARS or FISMA compliance, contact us about our consulting services: