Your Top Five Cyber Risks in Five Clicks with the Free Cyber Risk Analysis

FREE RISK ANALYSIS
Request Demo

If your company generates Department of Defense(DoD) related revenue, you likely fall under DFARS. If you want your DoD contracts to continue after the end of 2017, you need to look closely at the Defense Federal Acquisition Regulation Supplement (DFARS) clause 225.204-7012. The regulation gives all government contractors a deadline of December 31, 2017, to implement NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.

What is the DFARS mandate?

The federal government relies on external services to help carry out various federal missions and business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” The contractor community has to provide assurance to DoD that their IT system can offer a high level of security to protect this sensitive information.

The document details requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in nonfederal information systems and organizations

  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies.

  • Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry

In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, the protection is now extended to the unclassified systems that include covered defense information, which creates wider-reaching consequences for the contractors and subcontractors. 

Read more about compliance for subcontractors related to DFARS.

Who is impacted by NIST 800-171?

The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI or provide security protection for such components, which can be found in the CUI category list. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations/

What should you do?

While implementing those requirements might seem arduous, knowing that these NIST standards are best practices that your company could have already implemented to maintain a good security system is important. Each requirement on the list can help your firm avoid different cyber events and safeguard CUI.

Even though a company needs to consider many aspects, such as budget and resources, keep in mind that achieving compliance is your only option, and the clock is ticking. 
 

Review your DFARS Compliance Checklist

DFARS Compliance Step Checklist
Run a Cybersecurity Assessment This can help you have a clear vision of your organization's position and whether it is in compliance with all the requirements.
Implementation
  • Once you have identified all the deficiencies in your IT system, you need to create a plan to help you complete the implementation. This plan should protect all sensitive defense information and strengthen your system. Your POAM and SSP are crucial to documenting this step.
Partner with a Third Party Find a trustworthy and experienced company to run your assessment, ease the process, and monitor and document continuing compliance. NIST SP 800-171 compliance is dynamic; only weeks are left until the deadline. Reaching compliance, for now, is just the start, but maintaining compliance is key.

 

The government has made this change in regulation to improve the security of the U.S. Future contracts include DFARS in their terms, so it is highly recommended that you comply before the deadline if you want to win contracts in the future.

With a CyberStrong demo, discover how you can make your cyber risk assessment, compliance documents, and policies DFARS compliant to retain existing contracts.

CyberStrong streamlines your audit process with the click of a button and is the all-in-one cyber risk management platform with which you can prove continuous control compliance and benefit from increased risk visibility, communication, and measurement.

You may also like

How to Leverage the FAIR Model ...
on December 19, 2024

In light of the Colonial Pipeline cyberattack, measuring risk is on everyone’s minds. However, quantifying risk is often not easy. So many factors go into determining and ...

Kyndall Elliott
How to Effectively Communicate Top ...
on December 9, 2024

Effective cybersecurity reporting is more important than ever for CISOs, CIOs, and other security leaders in today's complex threat landscape. Reporting isn’t just about sharing ...

November Product Update
on November 27, 2024

The CyberSaint team has been working hard to deliver the latest updates to streamline and improve our customers’ user experience and address their top-of-mind challenges. We’re ...

Putting the “R” back in GRC - ...
on December 5, 2024

Cyber GRC (Governance, Risk, and Compliance) tools help organizations manage and streamline their cybersecurity, risk management, and compliance processes. These tools integrate ...

October Product Update
on October 17, 2024

The team at CyberSaint is thrilled to announce the latest additions and updates to the CyberStrong solution. To start off, we’ve made it easier to create an assessment and risk ...

Transforming Cyber Risk ...
on October 12, 2024

In today’s complex cyber landscape, managing risks effectively isn’t just about identifying threats—it’s about understanding their impact and knowing how to prioritize ...