What is “Adequate Security” for DFARS/NIST 800-171 Compliance?

We work with the Department of Defense (DoD) Contractors all over the United States and help them navigate the complexities of DFARS and NIST 800-171 compliance. One of the most common questions we get asked is what is meant by “Adequate Security” in the compliance requirements. “Adequate Security” is extremely vague, so it’s no wonder DoD Contractors have trouble understanding whether their current information security is adequate or not. We seek to clear up this confusion in this article.

Making Sense of The Official Language

According to section 252.204-7012 of DFARS documentation, “Adequate security” means protective measures that are put in place to mitigate the consequences and probability of loss, misuse, or unauthorized access to, or modification of information. The documentation proceeds to list out two scenarios for DoD Contractors and then provides the guidelines on protective measures for adequate security.

These scenarios are:

1. Contractors that have information systems that are not part of an Information Technology (IT) service or system operated on behalf of the Government, and;
2. Contractors that have information systems that are part of an IT service or system operated on behalf of the government

Scenario 1: Contractors with IT Systems that are not a part of or operated on behalf of the Government

For Contractors with IT Systems that are not part of an IT service or system operated on behalf of the Government, the information system must adhere to the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (or NIST SP 800-171), at the time the contract solicitation is issued or as authorized by the Contracting Officer.

Complete documentation on NIST SP 800-171 controls is available here. If you need help implementing these controls, please see our NIST compliance services.

Scenario 2: Contractors with IT Systems a part of or operated on behalf of the Government

For Contractors with IT Systems that are part of an IT service or system operated on behalf of the Government, the requirements for adequate security are:

1. Cloud Computing Security
• If the Contractor indicated in its offer that it “does not anticipate the use of cloud computing services in the performance of a resultant contract,” in response to provision 252.239-7009, and after the award of this contract, the Contractor proposes to use cloud computing services in the performance of the contract, the Contractor shall obtain approval from the Contracting Officer prior to utilizing cloud computing services in performance of the contract.
• The Contractor shall implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG), unless notified by the Contracting Officer that this requirement has been waived by the DoD Chief Information Officer.
• The Contractor shall maintain within the United States or outlying areas all Government data that is not physically located on DoD premises, unless the Contractor receives written notification from the Contracting Officer to use another location, in accordance with DFARS 239.7602-2(a).
2. Any other such IT service or system (other than cloud computing) shall be subject to the security requirements specified in scenario 1 above.

DFARS Consultants are Available to Help

If you are a DoD Contractor and have any questions about DFARS and NIST SP 800-171, feel free to give us a call at: (866) 583-6946. Our DFARS Compliance specialists are happy to assist you in navigating the challenges of DFARS, and help you implement the security controls detailed in NIST SP 800-171.