With the escalating cyber threats that affect the U.S. Government, the U.S. Department of Commerce issued a Defense Federal Acquisition Regulation Supplement (DFARS) to safeguard the U.S. Department of Defense’s (DoD) unclassified information. The regulation now requires all aerospace and defense companies to be compliant.
Roadmap to DFARS Compliance
In order to be considered DFARS compliant, organizations need to pass a readiness assessment according to the NIST SP 800-171 guidelines.
On average, it will take an organization about six to ten months to become compliant, depending on the organization’s current security status and the available resources they have at their disposal.
Planning is the key to ensure success in your DFARS compliance expedition. It is essential to treat this as a major project, with the mindset of having the needed resources and funding set ahead of time. Many companies hire specialists and consultants and this can really expedite the process, plus it can help an organization to avoid common errors.
Let’s look at an action plan or roadmap to guarantee your cloud environment is safe and compliant according to the DFARS mandate.
Step 1: Calculate Your Organization’s Applicability
Key Question: How can your organization stay relevant?
Using the controls listed in NIST SP 800-171, document the gaps between your current position and the expected end goal.
To ensure your organization is applicable, check off these essentials for Step 1:
- Review all contracts to pinpoint important DFARS clauses and provisions.
- Review DFARS to determine the type of CDI or CUI (see Clause 252.204-7012) that applies.
- Check your applicability with the Contracting Officer as needed.
- Define what systems, processes, programs, applications, hardware, software, people, etc. fall under the scope of your NIST 800-171 compliance.
Step 2: Build a Remedial Plan to Safeguard against Non-Compliance
Key Question: What is your current Security Status?
In order to stay NIST SP 800-171 compliant, make sure you can put a check next to these measures:
- Conduct a control gap analysis against NIST SP 800-171.
- Develop solutions for the identified defects that you find.
- Meet with your subcontractors and other business partners to make sure you are both on track and in step for compliance.
Step 3: Implement Your Remediation Plan to Ensure Compliance
Key Question: Have you developed a plan of action to track your progress?
Developing a system security plan will give you the peace of mind in knowing that you are going to be compliant. You won’t have to worry about fines and penalties.
- Develop or revise controls as needed to remedy the control gaps with NIST SP 800-171.
- Organize your validation testing after remediation is completed to confirm controls are designed and operating effectively (You then need to make sure you have the agreement of your Contracting Officer).
Step 4: Continuously Monitor and Follow-Up
Key Question: How do you maintain constant monitoring to ensure compliance?
Establishing a plan to effectively monitor your compliance can be achieved by doing the following:
- Use tools, templates, reports, and metrics to develop an ever-flowing monitoring program.
- For accountability, organize monitoring activities and provide status updates to significant investors on your performance and progress.
To Be DFARS Compliant, it is important to remember to set controls in place for current systems and data, while remembering the need to cover new systems and data as they are created. If you fail to keep this in mind, you will assuredly find yourself falling short of compliance.
There is a propensity within organizations to place an emphasis on the controls during the implementation phase, but once the system is up and running, they tend to take their foot off the gas and eyes off the road. Sustaining constant compliance is a never-ending process. You must continuously make sure that new data and systems are effectively classified and that the correct controls are applied. Once DFARS is running and business returns to normal, a high level of attentiveness must be maintained to guarantee the safety and compliance of your organization.