DFARS compliance has become a top priority for Department of Defense suppliers and companies working with Controlled Unclassified Information (CUI) as defined in the DFARS. Since 2017, over 87% of defense contracts have incorporated the DFARS cyber-security requirements to ensure that adequate security is established and maintained for CUI according to the 110 controls outlined in NIST SP 800-171. Adhering to the DFARS cyber-security requirements in a timely and efficient manner is a very significant factor in being considered for, and maintaining, a primary or secondary DoD contract award. As such, each defense contractor must conduct a DFARS assessment. For that assessment to be successful there must be company buy-in across all functions: compliance, facilities, finance, IT, legal, supply chain management, engineering and manufacturing.
So, what are the steps involved with conducting an assessment to ensure DFARS compliance?
William O’Brien, Chief Operating Officer and President of RegDOX, recently shared some great insights on DFARS compliance, DFARS assessments, and significant DFARS requirements in a webinar conducted by the Pennsylvania Procurement Technical Assistance Center (PTAC), which is partially funded by the federal Defense Logistics Agency. Here is a summary of some of his observations:
1. Preliminary Review
Ultimately, the purpose of a DFARS review is to identify the current security posture of the DoD contractor’s business. This is done through a thorough analysis of IT systems and, more generally, of how DoD-related operations flow through the business. During the preliminary assessment, it is helpful to prepare and use a DFARS questionnaire that can serve as the basis of the gap analysis. The initial interview with business stakeholders is carried out once the questionnaire has been completed.
2. Determining the Scope
The results of the interview and questionnaire are used to create a specific assessment document. In that assessment document, each control should be clearly defined in accordance with DFARS requirements. The audit team needs to work closely with the relevant line personnel to clarify what each of the 110 NIST SP 800-171 controls mandates and how these controls apply to the contractor’s business.
3. Research and Gap Analysis
The audit team then records the results of each stage in one of the available audit tools; the better tools generate a percentage of compliance. At this point, each control is either determined to be met by the contractor, with the basis of that determination recorded and verified, or determined not to be met, which is likewise recorded. For each unmet control, recommendations to satisfy it are provided to the contractor. The result is a gap analysis specific to that contractor.
4. Agreed Remediation
The audit team presents the gap analysis to the contractor’s stakeholders. The gap analysis spells out in detail the deficiencies identified, as well as recommendations for remediation. It enables the contractor to develop a roadmap, with specific goals tied to dates, that will allow the contractor to reach compliance. This roadmap, reflecting the requirements of NIST SP 800-171 and the DFARS as well as the contractor’s priorities, becomes the contractor’s Plan of Action and Milestones (POA&M). The POA&M includes document storage, control management, training and an audit solution.
5. Progress Reviews
The contractor’s audit team needs to remain in place to drive the timeline to remedy identified deficiencies. The audit team will continue to track progress towards full compliance as each deficiency is resolved. The POA&M is a ‘living and breathing’ document that is used to track implementation of the recommendations and may be amended as circumstances and available solutions change. Ideally, the audit team will follow up weekly to track and verify implementation progress until full compliance.
Mitigating Risk through Reward
The benefits of following the steps required for a successful DFARS compliance assessment go beyond internally safeguarding your information through standard best practices. By using a POA&M and a DFARS assessment tool, a company becomes eligible to receive a NIST 800-171/DFARS 252.204-7012 Compliance Certificate.
How Long Does It Take to Complete a DFARS Assessment?
While the answer varies from company to company, RegDOX’s experience providing security technology for contractors’ CUI offers some insight. The average for SMEs is about two weeks, and larger companies can take several months. The duration depends on the number of unique “information systems” that must be assessed; the number of employees and their computing devices; the number of sites that must be visited during the assessment; the number of DoD contracts that must be reviewed for specific requirements; how the systems are defined; and the computing systems in place. While all these tasks may seem daunting at first, a company can avoid project drift by setting routine milestones for each phase.
How To Solve This?
About RegDOX Solutions Inc.
Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® offers compliance options for the transference and storage of ITAR, DFARS, EAR, HIPAA, and Corporate technical data within the cloud through highly intuitive, feature-rich virtual data room solutions. In addition, RegDOX offers DFARS assessment services for contractors and subcontractors of the DoD.