Before determining whether your organization must comply with DFARS, it's important to understand what DFARS is. DFARS 252.204-7012 is a cybersecurity clause implemented alongside NIST 800-171 to help protect sensitive information held within non-federal IT systems. If an organization bids on or accepts a contract from the Department of Defense (DoD) that involves the storage of controlled unclassified information (CUI), it will have to comply with DFARS and NIST 800-171 requirements. Additionally, with the publication of the CMMC final rule, organizations must be prepared to prove their compliance to a third party. To further protect national and global supply lines, all contractors will eventually be required to comply with DFARS in some capacity. Here are several steps an organization can take when beginning its journey into DoD compliance.
Start with NIST 800-171
The first step in determining how much work it will take to become DFARS compliant is to assess your current level of compliance through the lens of NIST 800-171. NIST 800-171 is the groundwork on which DFARS, CMMC, and other federal regulations are built. NIST 800-171 is made up of 110 security requirements divided into 14 control families, with requirements ranging from basic to more technical and advanced. When assessing your current level of compliance, it is important to make sure your organization is compliant with all 110 requirements, as all contractors are required to conduct a basic assessment using NIST 800-171 as an outline (DFARS 252.204-7019). Once the assessment is completed, contractors must submit their results to the Supplier Performance Risk System (SPRS).
Create a System Security Plan
Under both DFARS 252.204-7012 and NIST SP 800-171, contractors are required to have a System Security Plan (SSP), which provides a detailed description of the organization's IT systems and how they meet the security requirements. The SSP is designed to act as a living document, remaining up to date as newer technology emerges and requirements change. This document will serve as a foundational artifact for audits, gap analysis, and ongoing compliance tracking. Your SSP should include:
- System boundaries
- Network diagrams
- System environment descriptions
- Implemented security controls
- Roles and responsibilities
- Inventory of hardware and software
Your SSP demonstrates your organization's maturity, accountability, and transparency in handling CUI, making it a crucial document in your compliance process.
POAMs
A POAM, or plan of action and milestones, is a document that outlines how an organization will remediate any deficiencies or vulnerabilities found during a self-assessment or audit. This document is required by NIST 800-171 (and by extension DFARS), and serves as proof that, while a control may not yet be implemented, a plan is in place to address it. It is important to note that having a POAM is not an excuse to remain non-compliant. Within the context of CMMC, a POAM must be resolved within 180 days to achieve certification. Additionally, some controls cannot be placed on a POAM at all.
Implementation of Security Controls
Once you've taken stock of your organization's strengths and weaknesses, how compliant you already are, and where you need to go next, it's time to start implementing the required controls. Be warned: implementing these controls may be easier said than done. Implementation is more than ticking off a checklist; it requires understanding the intent of each control and how it contributes to the overall security posture. Contractors can expect to implement these types of controls:
- Technical Controls: Firewalls, Intrusion Detection Systems (IDS), multi-factor authentication (MFA), encryption
- Administrative Controls: Policies, security awareness training, access and authentication measures
- Physical Controls: Secure facility access, visitor logs, surveillance
Continued Maintenance
Compliance isn't a one-and-done issue. Maintaining compliance and securing your organization is a process that requires continual attention, whether that means implementing new controls or updating older ones. The unfortunate reality is that cyber-attacks are increasing in both volume and sophistication. To keep pace with the rapidly evolving threat landscape, your compliance program must also evolve and implement new controls to combat bad actors.
CorpInfoTech, a Trusted DFARS Partner
CorpInfoTech is an MSP that offers IT, cybersecurity, and compliance solutions to SMBs working within the DIB. We are among the first MSPs to achieve CMMC L2 certification via a C3PAO, meaning we are proven adept at implementing DFARS and NIST requirements. Through TAS for CMMC Compliance, contractors will inherit 200+ of the 320 objectives required for CMMC compliance, making achieving certification more cost effective and efficient. We understand the effort it takes to achieve compliance, which is why CorpInfoTech is uniquely situated to help you achieve your compliance goals!
Contact CorpInfoTech to learn more about TAS for CMMC Compliance