RegDOX DFARS Assessment
Conducting a RegDOX® DFARS Assessment / CMMC Preparatory Audit
DFARS compliance has become a top priority for Department of Defense suppliers and companies working with Controlled Unclassified Information (CUI). Likewise, preparing for the upcoming Cybersecurity Maturity Model Certification (CMMC) audits and certification is now a prudent, and soon to be a necessary, step for federal contractors and sub-contractors.
As early as 2017, over 87% of defense contracts had incorporated the DFARS cyber-security requirements to ensure that adequate security is established and maintained for CUI according to the 110 controls outlined in NIST SP 800-171. Adhering to the DFARS cyber-security requirements in a timely and efficient manner now, and eventually to the CMMC requirements, is a determinative factor in being considered for, and maintaining, a primary or secondary DoD contract award. As such, each defense contractor must have or conduct a current DFARS assessment and should prepare for a CMMC audit.
For those assessments and audits to be successful there must be company buy-in across all functions — compliance, facilities, finance, IT, legal, supply chain management, engineering, and manufacturing. So, with that commitment in place, what are the steps involved in conducting a RegDOX DFARS Assessment to ensure DFARS compliance today and CMMC compliance tomorrow?
Mitigating Risk with a RegDOX DFARS Assessment / CMMC Pre-audit
The benefits of following the steps required for a successful assessment go beyond safeguarding your information internally through standard best practices.
Here is what should be done now to have a successful DFARS assessment and prepare for a CMMC audit. These are the steps that RegDOX’s Audit and Assessment team can work with your company to implement:
1. Preliminary Review
Ultimately, the purpose of a DFARS/CMMC review is to identify the current security posture of the federal contractor’s business. This is done through a thorough analysis of IT systems and, more generally, of the internal flow of CUI-related operations through the business. During the preliminary assessment, it is helpful to prepare and use a DFARS/CMMC questionnaire that can serve as the basis of the gap analysis. The initial interview with business stakeholders is carried out following the completion of the questionnaire.
2. Determining the Scope
The results of the interview and questionnaire are used to create a specific assessment document. In that assessment document, each control should be clearly defined in accordance with current DFARS requirements, as well as those anticipated for the CMMC. The Audit and Assessment team needs to work closely with the relevant line personnel to clarify what each of the 110 NIST SP 800-171 controls mandates, how these controls apply to the contractor’s business, and how they mature over time, particularly as the CMMC is implemented.
3. Research and Gap Analysis
The Audit and Assessment team then records the results of each stage in the RegDOX audit tools to generate a percentage of compliance. At this point, each control is either determined to be met by the contractor, with the basis of that determination recorded and verified, or determined to be not met and likewise recorded. At this stage, recommendations to satisfy each unmet control are provided to the contractor. The result is a gap analysis specific to that contractor.
4. Agreed Remediation
The Audit and Assessment team presents the gap analysis to the contractor’s stakeholders. The gap analysis spells out in detail the deficiencies identified, as well as recommendations for remediation. The gap analysis enables the contractor to develop a roadmap, which includes specific goals tied to dates. Following this roadmap will allow the contractor to reach compliance. This roadmap, reflecting the requirements of NIST SP 800-171 and the DFARS, as well as the contractor’s priorities, also becomes the contractor’s Plan of Action and Milestones (POA&M).
5. Progress Reviews
The Audit and Assessment team needs to remain in place to drive the timeline for remedying identified deficiencies. The team continues to track progress towards full compliance as each deficiency is resolved. The POA&M is a ‘living and breathing’ document that is used to track implementation of the recommendations and may be amended as circumstances and available solutions change. Ideally, the Audit and Assessment team follows up weekly to track and verify implementation progress until full compliance is reached.
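The five steps above amount to a small, repeatable record-keeping workflow: each control is marked met (with its evidence) or unmet (with a recommendation and a target date), the percentage of compliance is derived from those records, the unmet controls form the gap analysis, and the POA&M is re-checked at each progress review. The following Python script is an added illustration of that workflow; it is not RegDOX’s audit tooling, and the control descriptions are paraphrased, while the statuses, evidence, dates and the assessment date are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class ControlResult:
    """Assessment record for one NIST SP 800-171 control (steps 3 and 4)."""
    control_id: str
    description: str
    met: bool
    evidence: str = ""                 # basis of a "met" determination
    recommendation: str = ""           # remediation advised for an unmet control
    milestone: Optional[date] = None   # POA&M target date for an unmet control
    completed: Optional[date] = None   # date remediation was verified (step 5)


def validate(results: List[ControlResult]) -> None:
    """Reject records that would leave the gap analysis or POA&M incomplete."""
    for r in results:
        if r.met and not r.evidence:
            raise ValueError(f"{r.control_id}: a met control needs recorded evidence")
        if not r.met and (not r.recommendation or r.milestone is None):
            raise ValueError(f"{r.control_id}: an unmet control needs a recommendation and a milestone")


def compliance_percentage(results: List[ControlResult]) -> float:
    """Share of controls that are met, counting verified remediations as met."""
    validate(results)
    satisfied = sum(1 for r in results if r.met or r.completed is not None)
    return round(100.0 * satisfied / len(results), 1)


def gap_analysis(results: List[ControlResult]) -> List[Tuple[str, str]]:
    """Open deficiencies with their recommendations: the input to the roadmap/POA&M."""
    validate(results)
    return [(r.control_id, r.recommendation)
            for r in results if not r.met and r.completed is None]


def poam_status(results: List[ControlResult], today: date) -> dict:
    """Progress review: classify each POA&M item as closed, overdue or on track."""
    validate(results)
    status = {"on_track": [], "overdue": [], "closed": []}
    for r in results:
        if r.met:
            continue                       # never on the POA&M
        if r.completed is not None:
            status["closed"].append(r.control_id)
        elif r.milestone < today:
            status["overdue"].append(r.control_id)
        else:
            status["on_track"].append(r.control_id)
    return status


# Constructed sample records (hypothetical findings for an imaginary contractor).
SAMPLE_RESULTS = [
    ControlResult("3.1.1", "Limit system access to authorized users", met=True,
                  evidence="Directory group membership reviewed against HR roster"),
    ControlResult("3.5.3", "Multifactor authentication for privileged and network access", met=False,
                  recommendation="Enforce MFA on VPN and all administrative accounts",
                  milestone=date(2024, 3, 31)),
    ControlResult("3.13.11", "FIPS-validated cryptography to protect CUI confidentiality", met=False,
                  recommendation="Move CUI file shares to FIPS-mode encrypted storage",
                  milestone=date(2024, 2, 15), completed=date(2024, 2, 10)),
    ControlResult("3.14.2", "Protection from malicious code at designated locations", met=False,
                  recommendation="Deploy endpoint protection to the engineering workstations",
                  milestone=date(2024, 1, 31)),
]
ASSESSMENT_DATE = date(2024, 2, 20)   # constructed date of the weekly progress review

if __name__ == "__main__":
    print(f"Compliance: {compliance_percentage(SAMPLE_RESULTS)}%")
    for control_id, fix in gap_analysis(SAMPLE_RESULTS):
        print(f"GAP {control_id}: {fix}")
    print(poam_status(SAMPLE_RESULTS, ASSESSMENT_DATE))
```

Running it on the sample reports 50.0% compliance, two open gaps (3.5.3 and 3.14.2), one closed item (3.13.11) and one overdue item (3.14.2), which is the kind of signal a weekly review needs to surface. Note that this percentage is the page’s own measure; it is not the weighted DoD Assessment Methodology score that is reported for NIST SP 800-171 assessments.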
How Long Does It Take to Complete a RegDOX DFARS Assessment / CMMC Pre-audit?
This number is relative: in RegDOX’s experience providing security technology assessments for contractors, the duration varies greatly with the size of the organization. The average for SMEs is about two weeks, while larger companies can take several months. Variable factors include the number of unique “information systems” that must be assessed, the number of employees and their computing devices, the sites that must be visited during the assessment, the federal contracts that must be reviewed for specific requirements, the definitions of those information systems, and the computing systems in place. While all these tasks may seem daunting at first, a company can avoid project drift by setting and meeting routine milestones for each phase as it is completed.