The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012, requiring all members of the Department of Defense (DoD)’s supply chain to comply with NIST SP 800-171, is nothing new. For a year now, the DFARS mandate has been required of all members of the DoD supply chain. Until this point, while signing off on DoD compliance has been necessary to winning DoD-related business, there have been no substantial moves by the DoD to ensure that their suppliers are truly compliant. Until now.
On January 21, 2019, Under Secretary for Defense Ellen M. Lord issued a memo to defense acquisition leaders about her intent to audit the DoD supply chain for DFARS compliance. The memo states that she has called upon the Defense Contract Management Agency (DCMA) to audit all prime government contractors for compliance and assess their processes for compliance with the prime’s tier-one suppliers. This organization will deliver quality audits to organizations in the Defense Industrial Base (DIB), and in anticipation, the Board of Directors and internal audit management programs within aerospace, defense, and manufacturing companies, among others, are beginning to prepare. These information technology audits require enhanced data security, internal control, and data integrity on the part of the DoD supply chain. Enterprise audit management software is a tool that DoD suppliers could use to track compliance and report to internal and external auditors when they come knocking.
What This Means For Suppliers
As we wrote in November with the release of the National Cyber Strategy, this administration is committed to improving and enforcing the cybersecurity regulations related to the Department of Defense and the federal government. This DFARS audit is the first step in ensuring that suppliers are, in fact, compliant with the DFARS mandate and NIST SP 800-171. While the DCMA will only be directly assessing the primes and possibly their tier-one suppliers, the Department of Defense audit will surely have a ripple effect through the entire supply chain and will require suppliers to engage in audit planning and other internal audit management activities to support air-tight information security in accordance with DFARS 800-171. Regardless of where you sit in the supply chain, DFARS compliance is no longer a matter of winning business, and having proper audit reports on hand is critical, a functionality that audit management software can automate for teams. We are now to the point where DFARS compliance is a matter of losing business, not just for you but for your partners as well.
About The DFARS Mandate
The federal government relies on external services to help carry out a wide range of federal missions and business functions. Many federal contractors and subcontractors “routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies.” With that being said, the contractor community has to provide assurance to DoD that their IT system can offer a high level of security to protect this sensitive information. If contractors fail to do so, they can inevitably lose their contracts.
The document details requirements for protecting Controlled Unclassified Information (CUI) when:
- The CUI is resident in nonfederal information systems and organizations
- The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
- Where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry
In practical terms, although companies that work with the DoD already apply rigorous controls over classified data, now the protection is extended to the unclassified systems that include covered defense information, which creates wider-reaching consequences for the DoD contractors. Compliance can determine the future of businesses, so many organizations are turning to integrated risk management solutions with audit management software use cases.
Run a DFARS security assessment: This can help you have a clear vision of where your organization stands and if you are in compliance with all the requirements. Download the guide to DFARS compliance here.
Implementation: Once you identified all the deficiencies in your IT system, you must create a plan to help you complete the implementation. It should protect all the sensitive defense information and strengthen your system. Your POAM & SSP are crucial to documenting this step.
Partner with a third party: Find a trustworthy and experienced company to run your assessment, ease the process, and monitor and document continuing compliance. NIST SP 800-171 compliance is dynamic, and the ongoing compliance process can be taxing for contractors. Outsourcing overall cybersecurity risk, compliance, and internal audit management is viable. Reaching compliance is just the start, but maintaining compliance is key.
Get a Demo of CyberStrong’s audit management software capabilities to learn how to get your assessment, compliance documents, and policies to keep existing contracts, and certainly before you try to win contracts in the future. You can weigh the costs and impacts of complying with DFARS, giving you the most effective path to compliance and risk management success. CyberStrong exports your compliance documents for audit with the click of a button and is the platform within which you'll prove continuous compliance for all your contracts in-house while benefiting from increased risk visibility, communication, and measurement from within an audit management software solution.