What is DFARS Compliance (NIST 800-171) and how does it compare to NIST 800-53?

NIST SP 800-171 and NIST SP 800-53 both provide sets of security requirements for protecting information and systems used by the government. Which set applies, and for what purpose, depends on:
1)    the information to be protected (controlled unclassified information (CUI) vs. classified information), and
2)    the kind of system on which the information is processed, stored, or transmitted (non-federal information system vs. federal information system).
In short, SP 800-53 is written for federal information systems, while SP 800-171 is the tailored subset that applies when CUI resides on a non-federal system, such as a contractor's network.

NIST 800-53 vs NIST 800-171

Looking Forward:

Since December 31, 2017, as prescribed in DFARS clause 252.204-7008, contractors have been required to attest that they provide adequate security to safeguard controlled unclassified information from compromise, by self-certifying that they meet the NIST SP 800-171 security requirements. This is about to change with the Cybersecurity Maturity Model Certification (CMMC) initiative from the DoD acquisition office, which will replace self-certification with an assessment performed by a certified independent assessor.

The CMMC initiative is currently in the development phase, with implementation expected by mid to late 2020.

Are you prepared?

1.     Do you process, store, or transmit CUI?

Review your contracts for the DFARS clauses that require compliance with NIST SP 800-171, and identify which of your systems handle CUI.

2.     Do you have a document that explains how each control has been implemented?

Document a System Security Plan (SSP). NIST SP 800-171 itself requires one (requirement 3.12.4), and it is the first artifact an assessor will ask for.

3.     Do you document all identified deficiencies, and do you have a plan to remediate them that is prioritized by risk level?

Document a Plan of Action and Milestones (POA&M) (requirement 3.12.2), listing each unmet requirement, the planned remediation, the owner, and the target date.

4.     Do you have a plan that helps staff detect, respond to, and recover from incidents? Does it include a detailed communication plan, covering who must be notified, both internally and at the DoD, and how quickly? (DFARS 252.204-7012 requires cyber incidents affecting covered defense information to be reported to the DoD within 72 hours of discovery.)

Document and implement an Incident Response Plan (IRP), and exercise it with staff so the procedure is familiar before a real incident.

5.     Do you have a process to detect attacks and to verify that the controls are operating as intended, not just that they were implemented once?

Implement a Continuous Monitoring Program (CMP) that reviews logs and alerts, re-tests controls on a schedule, and feeds any newly found deficiencies back into the POA&M.

Not sure how to get started, or need assistance?

Contact us at support@secliance.com.
