Time Is Running Out To Get Compliant With New DFARS/NIST Requirements | Edge Networks Cybersecurity & Managed IT Services
  • Mark Tishenko
  • Thursday, July 26, 2018

Do you do business with the Department of Defense (DoD)?

The DoD relies on external contractors and suppliers like you to carry out a wide range of tasks. Sensitive data that is shared with you must be protected. The fact is that inadequate safeguards for this sensitive data may threaten America’s National Security and put our military members at risk.

So, if you do business with the DoD, then we’ve got some bad news for you – you have less than a year to become compliant with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 standard.

The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires U.S. Department of Defense (DoD) contractors and subcontractors to implement the security requirements of NIST SP 800-171 on the systems that process, store, or transmit covered defense information. The purpose of the requirement is to protect the government’s controlled unclassified information (CUI).

NIST SP 800-171 is made up of 110 security requirements organized into 14 families. Many of them are technical (access control, audit logging, identification and authentication, system and communications protection), but others are organizational: policies, procedures, training, incident response, and risk assessment that reach across the entire company. The largest DoD contractors – the likes of Lockheed Martin, Raytheon, BAE Systems, and others – have taken this regulatory requirement extremely seriously and are preparing appropriately.

What Are Your Requirements?

Under DFARS 252.204-7012, the covered defense information that must be protected to the NIST SP 800-171 standard includes information provided to you by or on behalf of the DoD in connection with the performance of the contract, as well as information you collect, develop, receive, transmit, use, or store in support of the contract. This is a very broad definition and can have a dramatic impact on the number of systems that fall in scope. The four categories are:

  1. Controlled Technical Information: Technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
  2. Operations Security Information: Information about intentions, capabilities, or activities that an adversary could exploit to cause mission failure or other unacceptable consequences.
  3. Export-Controlled Information: Information whose export is restricted by statute or regulation, such as certain biochemical or nuclear data.
  4. Any other information marked or otherwise identified in the contract as requiring safeguarding or dissemination controls.

Not A “One-Time Deal” – Compliance Is Ongoing

Keep in mind, complying with DFARS and NIST requirements isn’t easy. You and your subcontractors must meet the DFARS cybersecurity requirements and the NIST SP 800-171 security requirements, or you risk being unable to win or keep DoD contracts.

To do this requires a complete scoping and readiness assessment to measure your compliance. You must then remediate any identified gaps in security.

That’s why you need the right help – not just to come in one time and get you compliant in the moment, but rather, to help you long term.

NIST SP 800-171 itself spells out what ongoing compliance looks like in its Security Assessment family (requirements 3.12.1 through 3.12.4). Your partner in IT should periodically assess the security controls in your company’s systems to determine whether the controls are effective in their application. They should develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in systems. They must monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls that are in place.

And, they should develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Finding The Right Partner For DFARS/NIST Compliance

Ensuring that you’re compliant is easier if you have the right support. Your IT support provider should do the following:

  • Identify Information Security Gaps in your system design, architecture, policies, and planning exercises.
  • Utilize Advanced Security Engineering for remediation and enhancements so there are no interruptions in IT service.
  • Deploy Cyber Operations Support with proven methods to maximize your operational security.
  • Conduct Continuous Risk Management with a proactive rather than reactive approach.
  • Use Advanced Cyber Security Testing to identify vulnerabilities in your IT assets that are at risk for cyber attacks.

Easier said than done, right?

It’s important to understand that providing NIST 800-171 compliance isn’t like other traditional services MSPs provide. It requires specialized technology, but most of all it takes specific involvement and understanding of each individual client.

Applying a cookie cutter approach in a hands-off manner simply won’t get the job done. A typical MSP might provide network security monitoring, anti-virus protection, cloud backup of essential files, and phone-based technical support.

In comparison, NIST SP 800-171 compliance goes much further and requires device-level encryption, multifactor authentication, employee training, 24/7/365 network security monitoring, compliant cloud and local backup, policy generation, onsite support, secure engineering, patch management and testing, and complex network-level configurations.

Edge Networks is not your typical MSP – we have the expertise to help you stay compliant.

Allow Edge Networks to help – we can provide the expert IT guidance you need to achieve and maintain compliance with NIST SP 800-171. Our team of DFARS compliance experts will assess your business, identify key areas for improvement, and help you execute those changes to ensure you’re confidently compliant. Furthermore, we will help you stay compliant as both the business world and technology continue to change. No matter what the next round of regulations means for your business, Edge Networks will be there to help.

For more information, get in touch with our team of compliance experts at (866) 700-1777 or info@edgenetworks.us.
