DFARS Compliance: Target Identified

The Top 5 Things You Can Do To Achieve DFARS Compliance

Before you set out to achieve DFARS compliance, there are things you can do within your organization to prepare.

What Does A DFARS Engagement From OCD Tech Entail?

Learn More About Our Targeted DFARS 3-Step Engagement

Our DFARS engagement approach is composed of three phases spanning the length of the project. Learn more about each phase and the approximate time it takes to complete.

About DFARS

Since 2010 the Department of Defense (DoD) has made a concerted effort to protect the Controlled Unclassified Information (CUI) being handled by government contractors and subcontractors. In 2010 President Obama issued Executive Order 13556 (titled "Controlled Unclassified Information"), establishing a universally accepted framework DoD contractors could use as a guide while handling CUI. Unfortunately, Executive Order 13556 did not motivate DoD contractors to improve their security postures, at least not to a degree that was deemed acceptable. In response, the DoD, NASA, and the GSA (General Services Administration) together published a new set of rules that required government contractors to implement cybersecurity controls that would sufficiently protect their information systems and the CUI stored within them. The DoD, NASA, and GSA collaboration concluded with the creation of Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7008, 7009, and 7012, instructing all DoD contractors that process, store, or transmit Covered Defense Information (CDI), including CUI, to protect their information systems by implementing the security controls included within NIST SP 800-171 and to implement a cyber incident response and reporting capability.

About NIST SP 800-171 Revision 1

The National Institute of Standards & Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce whose mission is to promote innovation and industrial competitiveness. Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is one of several security frameworks developed and maintained by NIST in recent years. DoD contractors were required to implement NIST SP 800-171 security controls no later than December 31, 2017. The 125-page publication (Revision 1, updated on June 7, 2018) contains a total of 110 controls that are broken into 14 different families of controls. Copied within the table below is an overview of those 14 families, along with an example sub-control for each:

1. Access Control: Limit information system access to the types of transactions and functions that authorized users are permitted to execute

2. Awareness & Training: Provide security awareness training on recognizing and reporting potential indicators of insider threat

3. Audit & Accountability: Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions

4. Configuration Management: Track, review, approve/disapprove, and audit changes to information systems

5. Identification & Authentication: Verify the identity of users, processes, or devices as a prerequisite to allowing access

6. Incident Response: Test the organizational incident response capability

7. Maintenance: Verify the identity of users, processes, or devices as a prerequisite to allowing access

8. Media Protection: Physically control and securely store system media containing CUI, both paper and digital

9. Personnel Security: Screen individuals prior to authorizing access to organizational systems containing CUI

10. Physical Protection: Maintain audit logs of physical access

11. Risk Assessment: Periodically assess the risk to organizational operations, assets, and individuals resulting from the processing, storage, or transmission of CUI

12. Security Assessment: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls

13. System & Communication Protection: Separate user functionality from system management functionality

14. System & Information Integrity: Identify, report, and correct system flaws in a timely manner

DFARS Clauses Pertaining to NIST SP 800-171 Revision 1

DFARS clause 252.204-7008, titled "Compliance with Safeguarding Covered Defense Information Controls," and clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," require organizations that process, store, or transmit Covered Defense Information to implement the 110 security requirements in NIST Special Publication 800-171r1. It is also worth noting that clause 252.204-7009 features a "flowdown" provision requiring DoD subcontractors to incorporate these DFARS clauses in their contracts as well, wherever the use of CDI is required.

Cybersecurity Clauses of DFARS

Contact Us Today with any and all of your DFARS Related Questions

Customized Cybersecurity Solutions For Your Business

Contact Us

Audit. Security. Assurance.

IT Audit | Cybersecurity | IT Assurance | IT Security Consultants – OCD Tech is a technology consulting firm serving the IT security and consulting needs of businesses in Boston (MA), Braintree (MA) and across New England. We primarily serve Fortune 500 companies including auto dealers, financial institutions, higher education, government contractors, and not-for-profit organizations with SOC 2 reporting, CMMC readiness, IT Security Audits, Penetration Testing and Vulnerability Assessments. We also provide dark web monitoring, DFARS compliance, and IT general controls review.

Contact Info

OCD Tech

25 BHOP, Suite 407, Braintree MA, 02184

844-623-8324

https://ocd-tech.com
