NIST 800-171 / DFARS

Many current cybersecurity plans and models follow an older set of priorities that hinge upon the importance of strong perimeter defense. To use a physical analogy many cybersecurity architectures focus on building up the walls and moats protecting the very outside of your castle from attack. But inherent in these schemes is an implicit trust of everyone already inside.

Department of Defense contractors and subcontractors have a big change to cybersecurity governance regulations. Current cybersecurity standards (NIST 800-171) are being updated into a new framework called CMMC.

Over the last two decades, the role of IT departments has undergone dramatic change due to the growing percentage of Americans who rely upon their tablets, smartphones, or similar mobile devices to accomplish their daily work activities. As is so often the case, this progress has been a boon in some ways and a mounting problem in others, especially for IT; on one hand, the Internet of Things [IoT] has made it so employees are more efficient, on the other, it has opened up a new Pandora’s box of potential cybersecurity threats.

Security controls rarely keep pace with the security risks posed by new tech. And in the case of mobile, security threats arise from both bring your own device [BYOD] policies as well as corporately owned and personally enabled [COPE] mobile policies. In response to this looming threat, the National Institute of Security Technology [NIST] released its “Guidance on Mobile Security Report,” which we’ll outline below. Armed with these security recommendations, your business can ensure that your mobile security practices are up to date and robust.   

Years ago, governments defended themselves through espionage and military engagement. Today, there are still plenty of both. However, the form they’ve taken has changed drastically. Physical spies have given way to higher levels of digital reconnaissance. To defend against these threats, the U.S government created the Defense Federal Acquisition Regulation Supplement (DFARS) in 2017.

Without getting too deep into how DFARS functions as an organization, and what countries need to be aware of DFARS compliance, here we’ll cover go through a complete step by step breakdown of how to become DFARS compliant.

Naturally, a government mandate tasked with protecting sensitive information is going to be extremely comprehensive and (at times) exhausting. The NIST SP 800-171 is essentially all the inputs, outputs, regulations and requirements for any businesses looking to complete their DFARS compliant statement.

If you are a client or a business that supports clients that serve the Department of Defense (DoD) as a contractor or subcontractor you’ve likely heard of Defense Federal Acquisition Regulation Supplement (DFARS).  Protecting sensitive national defense information shared with and created and maintained by private organizations that support federal government contracts is vital to our national security. DoD contractors that process, disseminate, store or transmit Controlled Unclassified Information (CUI) are required to meet DFARS minimum security standards or risk losing existing DoD contracts and eligibility for future contracts.

What is the DFARS Checklist?

DFARS stands for Defense Federal Acquisition Regulation Supplement. Despite its best intentions, the acronym doesn’t give the layman much of a hint to its actual purpose. In simpler terms, the DFARS checklist is a security standard set forth by the Department of Defense (DoD).

Any business or entity that holds Controlled Unclassified Information (CUI) is required to meet the DFARS minimum security standards or runs the risk of losing all of their DoD contracts. This supplemental regulation summary comes from NIST Handbook 162. A complete breakdown of cybersecurity requirements and a step-by-step guide is available for your perusal. Be forewarned that the NIST handbook 162 is not the easiest read. However, it is very useful.

Companies with defense contracts may be interested to know that within NIST Handbook 162 is also information regarding NIST SP 800-171. NIST SP 800-171 and DFARS compliance are closely related but have separate requirements that all must be met in order to maintain DoD contracts.

The most recent DFARS compliance update deadline was the last day of 2017. Due to the nature of digital security, continual updates of DFARS are to be expected every few years.

DFARS are complicated security requirements that involve following some confusing instructions. RSI Security has been helping businesses of all sizes with all types of security obligations. Read on to learn how you can cross off the DFARS checklist or contact us today for more personal help.