All Defense contractors and subcontractors, independent of size, that process, store, or transmit covered defense information must be compliant with DFARS. While there are several elements with which contractors must comply, two primary elements seem to be the most dominant: demonstrating security and cyber incident reporting.
Adequate Security (through compliance with NIST 800-171): As defined in the DFARS, adequate security includes “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” To provide more context on what adequate security means for the protection of covered defense information (CDI), the Government stated that contractor information systems that process, store, or transmit CDI shall implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” The specific use of the word “shall” makes compliance with NIST 800-171 a requirement.
Our team analyzes regulatory prerequisites and assists you with requirements. We combine a deep understanding of required regulations, agency interpretation, and industry best practices. Organizations in heavily regulated industries are facing consistently tightening controls on how they conduct business.
With experience in assisting organizations in completing Cyber Assessments, our team helps organizations understand the security requirements in a way that can be translated to an organization’s own operations, as well as develop a holistic plan of action for protecting the confidentiality. Please contact us to discuss a plan of action for you to become compliant: (814) 455-6069