DFARS (NIST SP800-171)
DFARS is an acronym derived from Federal Acquisition Regulation Supplement. DFARS Part 252.204-7012 is also known as Safeguarding Covered Defense Information and Cyber Incident Reporting. The DFARS cybersecurity requirement is applicable to all DoD contractors and subcontractors who process Controlled Defense Information (CDI) in satisfaction of a military (sub)contract.
Not complying with the new DFARS regulation means a (sub)contractor cannot bid on DoD work. If a significant portion of your business is the satisfaction of DoD contract work, lack of compliance could mean loss of revenue and/or lost customers.
The DFARS requirement isn’t itself a cybersecurity framework, but a pointer to NIST SP800-171 which is a cybersecurity framework with the ultimate goal of protecting the confidentiality of CDI/CUI (Controlled Unclassified Information). NIST SP800-171 has 14 major requirements and several sub-requirements, none of which are earth-shattering. Partners in Regulatory Compliance (PIRC) is here to help companies make sense of the DFARS regulation and take actionable steps toward compliance.
PIRC aids companies with DFARS compliance requirements by offering a full package of cybersecurity services that maps directly to NIST SP800-171.
DFARS (NIST SP800-171) Requirement | Our Service |
---|---|
In general, companies need to know where they stand today and where their current gaps are before they can work towards remediating those gaps. | DFARS Cybersecurity Gap Analysis |
NIST SP 800-171 Requirement 3.2.1 | Security Awareness Training Program |
NIST SP 800-171 Requirement 3.6.1 | Incident Response Policy |
NIST SP 800-171 Requirement 3.11.1 | Risk Assessment |
NIST SP 800-171 Requirement 3.11.2 | Vulnerability Assessment |
NIST SP 800-171 Requirement 3.12.1 | Internal & External Combined Pen Test |
NIST SP 800-171 Various Sections | Policy Review & Development |
NIST SP 800-171 Requirements 3.1.13 & 3.1.17 | Include some kind of Exigent wireless config service here. |
NIST SP 800-171 Requirement 3.1.19 | Include some kind of per device per month MDM solution that includes encryption here. |
NIST SP 800-171 Requirement 3.8.6 | Include some kind of Windows/Mac encryption offering such as Sophos Safeguard under Exigent’s umbrella. |