
DFARS Compliance
What is DFARS?
In December 2015, the U.S. Department of Defense (DoD) published a supplement to the Federal Acquisition Regulation (FAR) referred to as the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS is intended to maintain cybersecurity standards according to requirements laid out by the National Institute of Standards and Technology (NIST), specifically NIST SP 800-171. These standards were constructed to protect the confidentiality of Controlled Unclassified Information (CUI). Currently, all DoD contractors must meet the minimum requirements and show proof of compliance to the Department of Defense for all contracts moving forward.
Who does DFARS directly affect?
These standards must be met by anyone who processes, stores or transmits this type of potentially sensitive information (CUI) for the DoD, GSA, NASA or other federal or state agencies. This includes contractual agency relationships. Achieving NIST 800-171 compliance may require diving deep into your networks and procedures to make sure appropriate security controls are properly addressed. Failure to comply could affect any dealings with these agencies, including termination of contracts. If you missed the deadline, you could be at risk of losing contracts or damaging relationships.
What is the difference between DFARS/NIST 800-171 and CMMC?
Under NIST 800-171 (a.k.a. DFARS) rules, contractors were able to self-attest their level of achieved compliance. Under CMMC rules, contractors must be assessed and certified by CMMC assessors. CMMC requires DoD contractors to be audited every 1 to 3 years, depending on the level of compliance they achieve. This ensures continuous compliance. Contractors must be certified prior to being awarded new contracts. Both prime contractors and subcontractors will need to be CMMC compliant.
Ways Hoop5 can help you prepare:
Initial gap analysis to assess the organization's current level of cyber hygiene and what is required to reach the desired certification level
System Security Plan (SSP) creation and drafting
Bringing IT infrastructure to compliance standards
Compliance Documentation (Policies and Standards, Operating Procedures)
Cybersecurity Training, Simulated email phishing campaigns, Network penetration testing
Ongoing Maintenance and Maturity of Cyber Hygiene
The Benefits of Professional Guidance
Due to data sensitivity and the seriousness of a potential breach, it's wise to work alongside a partner with expertise in NIST 800-171 compliance. Achieving and maintaining NIST compliance is an ongoing process; Hoop5 can guide you through both the implementation of the standards and continued compliance.
Implementing Compliance
Assessing your current environment
Generating your initial SSP and Plan of Action and Milestones (POA&M)
Designing the required system and policy changes
Deploying required changes
Continuing Compliance
Using Security Information and Event Management (SIEM)
Updating the SSP and POA&M
Enforcing new policies
Conducting regular system audits
Consult with us to protect your employees, your business, and the sensitive DoD data you work with every day.
Benefits of NIST 800-171
Some of the benefits of implementing the NIST 800-171 controls include:
Risk management
Reduced risk of data breaches
Reduced risk from insider threats
Best practices for data access policies
A common framework and methodology for managing risk
Scalable security approach to protecting sensitive data