If you have been asked this question, you are either in the process of responding to an RFP or already hold a contract with the Department of Defense (DoD). All Defense contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017, or risk losing their DoD contracts and RFP opportunities.
The requirements themselves are defined by the National Institute of Standards and Technology (NIST). NIST is a non-regulatory government agency responsible for producing the standards and guidelines that help federal agencies protect their information and information systems. To comply with DFARS, DoD contractors and their downstream suppliers must implement the applicable security requirements set out in NIST Special Publication 800-171.
In NIST Handbook 162, NIST explains the steps to take in order to assess your organization against those requirements and become DFARS compliant. The handbook runs to 170 pages. For reference, here is a link to the handbook.
Bottom line: approaching NIST 800-171 compliance on a DIY basis is like tackling a corporate tax return without an accounting degree.
Meeting NIST 800-171 compliance is a lot of work, and it can also be very expensive if you try to match the approach of big enterprises that have an entire department dedicated to DFARS cybersecurity compliance. Their investment routinely runs to hundreds of thousands of dollars per year.
If you are a small or medium-sized business (SMB), that approach is simply not economically feasible. In fact, many SMB product and service providers are walking away from attractive Defense-related business opportunities because the risk and cost are too great. And it is not just a problem for small businesses. Larger businesses often have dozens (or hundreds) of downstream contractors whose DFARS compliance they are responsible for.
Achieving DFARS compliance against NIST SP 800-171 can be daunting for your company, because it has traditionally been a manual and complex process. SecurityGate has automated many industry-specific security regulation and compliance standards, including the NIST 800-171 requirements, with the SecurityGate Security Risk and Compliance Management Platform. It not only automates your internal risk assessments and provides an actionable roadmap for NIST compliance; the SecurityGate Platform also automates the assessments of your downstream contractors. All collected data is presented in an easy-to-read, cloud-based dashboard where you can track progress and see where you need to focus next, anywhere and at any time from a web browser.