Department of Defense (DoD) contractors and subcontractors must comply with a cybersecurity program under the Defense Federal Acquisition Regulation Supplement (DFARS). To comply with DFARS, contractors must address the requirements listed in the following documents:
The DFARS deadline for implementing these requirements was December 31, 2017. If you have not implemented them by now, you are at risk of losing current and future DoD contracts.
NIST SP 800-171 is a U.S. standard for the protection of controlled unclassified information (CUI). CUI is information that the federal government creates or possesses and that requires safeguarding under law, regulation or government-wide policy; NIST SP 800-171 covers that information when it is shared with, or handled by, non-government entities such as contractors.
NIST SP 800-171 applies where CUI resides in a nonfederal system and no other law or regulation prescribes specific safeguards for it. Although the DFARS deadline for implementing it passed on December 31, 2017, many contractors are still not in full compliance, even though noncompliance can put current and future DoD contracts at risk.
At GreyCastle Security, we understand the magnitude of NIST SP 800-171 compliance. There are 110 security requirements spread over 14 families of controls. Putting together the resources to satisfy all of them can be overwhelming; failing to do so could be disastrous. We have assembled an experienced team that can plan and oversee compliance efforts from identifying CUI, through gap assessment, to achieving and maintaining compliance.
Before an organization can protect CUI, it must identify what sensitive data resides within its systems and where. Sensitive data may include financial routing numbers, identification numbers or codes, and personal or customer information. CUI itself is designated and marked by the government; each contractor or subcontractor is responsible for recognizing that information when it is received or created and handling it in accordance with the government's markings and guidelines.
A least-privilege model is the best practice for controlling access to information. Many networks grow organically, with data placed wherever storage space happens to be available. When CUI is scattered across the network, organizations end up granting employees broad access to many shares and systems just so they can reach the few items they need. Consolidating CUI into a small number of defined locations narrows the set of systems in scope, lets access be granted per role rather than per server, and reduces the chance of unauthorized access to critical data.
Audit logging should be implemented across every system that stores or processes CUI, following the audit and accountability requirements in NIST SP 800-171. Logs should be in a structured format that allows easy reporting and should, at a minimum, record who or what accessed which digital asset, when, from where, and what action was taken. Audit records must also be protected from unauthorized access and modification and retained long enough to support an investigation; a log that can be altered or that has gaps cannot establish accountability. Audit information is crucial for identifying infrastructure weaknesses, system vulnerabilities, and access that falls outside what the least-privilege model allows.
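The two preceding paragraphs describe a least-privilege access model for consolidated CUI locations and an audit trail that records who accessed what. The following is an added example, not code from the original page or from GreyCastle Security, showing how the two fit together: a hypothetical access matrix (group to CUI repository) is checked against structured audit records, producing a per-user access report and flagging any access that falls outside the user's grant or any record the log failed to capture properly. The groups, users, paths and log lines are all constructed for the example.

```python
import json
from collections import defaultdict

# Hypothetical least-privilege matrix: which groups may reach which consolidated
# CUI repository. Group names and paths are assumptions for this example.
ACCESS_MATRIX = {
    "cui-engineering": {"/cui/engineering"},
    "cui-finance": {"/cui/finance"},
    "it-admins": {"/cui/engineering", "/cui/finance"},
}

# Hypothetical group membership. Users not listed here have no CUI grant.
USER_GROUPS = {
    "alice": {"cui-engineering"},
    "bob": {"cui-finance"},
    "carol": {"it-admins"},
    "dave": set(),
}

REQUIRED_FIELDS = {"ts", "user", "host", "action", "path"}

# Constructed audit records (JSON lines), one per access to a digital asset.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-01T09:12:03Z", "user": "alice", "host": "ws-17", "action": "read", "path": "/cui/engineering/drawing-412.pdf"}
{"ts": "2024-03-01T09:15:41Z", "user": "bob", "host": "ws-22", "action": "read", "path": "/cui/finance/routing.xlsx"}
{"ts": "2024-03-01T09:20:00Z", "user": "bob", "host": "ws-22", "action": "read", "path": "/cui/engineering/drawing-412.pdf"}
{"ts": "2024-03-01T09:31:55Z", "user": "svc-backup", "host": "bk-01", "action": "read", "path": "/cui/finance/routing.xlsx"}
{"ts": "2024-03-01T10:02:17Z", "user": "dave", "host": "ws-09", "action": "write", "path": "/public/readme.txt"}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit records. Malformed or incomplete lines are returned
    as error records rather than dropped: a gap in the trail is itself a finding."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            records.append({"line": lineno, "error": "malformed"})
            continue
        missing = REQUIRED_FIELDS - set(rec)
        if missing:
            records.append({"line": lineno, "error": "missing fields: " + ", ".join(sorted(missing))})
            continue
        rec["line"] = lineno
        records.append(rec)
    return records


def cui_repo_for(path):
    """Map a path to the consolidated CUI repository that contains it, or None."""
    for repos in ACCESS_MATRIX.values():
        for repo in repos:
            if path == repo or path.startswith(repo + "/"):
                return repo
    return None


def is_authorized(user, repo):
    """True if any of the user's groups grants access to the repository."""
    allowed = set()
    for group in USER_GROUPS.get(user, set()):
        allowed |= ACCESS_MATRIX.get(group, set())
    return repo in allowed


def review_access(text):
    """Return (summary, findings): per-user count of CUI accesses, and the records
    that touched CUI outside the user's grant or that could not be parsed."""
    summary = defaultdict(int)
    findings = []
    for rec in parse_audit_log(text):
        if "error" in rec:
            findings.append(rec)
            continue
        repo = cui_repo_for(rec["path"])
        if repo is None:
            continue  # not a CUI location; outside the scope of this report
        summary[rec["user"]] += 1
        if not is_authorized(rec["user"], repo):
            findings.append({
                "line": rec["line"],
                "user": rec["user"],
                "host": rec["host"],
                "action": rec["action"],
                "path": rec["path"],
                "error": "access outside least-privilege grant for " + repo,
            })
    return dict(summary), findings


if __name__ == "__main__":
    summary, findings = review_access(SAMPLE_AUDIT_LOG)
    print("CUI accesses per user:", summary)
    for f in findings:
        print("FINDING line %d: %s %s" % (f["line"], f.get("user", "-"), f["error"]))
```

On the constructed log this reports bob reading an engineering drawing he has no grant for, and an unlisted service account reading finance data; dave's write to a public path is ignored because it is outside the CUI repositories. Keeping the matrix and the log both in machine-readable form is what makes a report like this a few lines of code rather than a manual review.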
Successful NIST compliance requires more than checking off boxes. It requires an understanding of a threat landscape that keeps changing. NIST compliance is not a one-time event; it is an ongoing process of continuous improvement of security policies and procedures. That is why organizations need partners with experience in the areas of NIST compliance, such as:
GreyCastle Security's approach to DFARS compliance rests on partnering with our clients to develop a process of continuous improvement of their cybersecurity. Contact us to begin that partnership.