By Heather Engel, Sera-Brynn, Executive Vice President
This article is the second in a series.
Cybersecurity requirements for Department of Defense (DoD) contractors and subcontractors are here, and getting compliant under the Defense Federal Acquisition Regulation Supplement (DFARS) can feel daunting.
It doesn’t have to be.
In this second part of our blog series on DFARS, we will look at the compliance process and the Sera-Brynn three-phased approach.
Background on DFARS
In review from Part I of our DFARS series – Navigating DFARS – it is incumbent upon government contractors and subcontractors to comply with the Federal Acquisition Regulation (FAR). If you do business with the DoD, you must also comply with DFARS Clause 252.204-7012, which requires you to safeguard covered defense information and report cyber incidents.
So what does the compliance process look like?
Sera-Brynn has taken more than 20 years of DoD and federal government experience and created a path to reduce cyber risk while addressing compliance with NIST 800-171.
Sera-Brynn employs a phased approach to DFARS 252.204-7012 compliance that measures a contractor’s or subcontractor’s compliance percentage, assesses risk and provides a strategic plan to show continuous improvement and cyber risk management. Our clients rely on us to navigate the process while providing third-party validation from experienced information assurance assessors.
Before undertaking the assessment process, we have a list of recommended steps:
—Identify where Covered Defense Information (CDI) resides on — or transits through — contractor and subcontractor information systems, and determine the scope of compliance. Not all business systems may handle CDI, but it may be more cost-effective to include all systems in scope. Don’t forget to include cloud-based systems;
—Determine any additional cybersecurity requirements in your awarded contracts. In some cases, specific contract language may require a FIPS 199 assessment, use of Security Technical Implementation Guides (STIGs), or other requirements above and beyond the 800-171 guidelines;
—Evaluate your risk. Risk tolerance is an important factor in determining budget, timeline and which vulnerabilities to address first;
—Perform a Gap Analysis against the NIST 800-171 controls;
—Make sure your Incident Response Plans reflect the required steps for reporting and that the plan has been tested.
The necessity of DFARS assessment pre-planning
It’s important to keep in mind that a DFARS assessment is not just a compliance drill — it is essential to the strategic planning and long-term risk management of your DoD contracts. December 2017 is the deadline for organizations doing business with DoD to show full compliance. By starting now, your organization has time to budget for technology improvements and phase in changes that enhance security maturity.
If you have questions or seek additional information, feel free to reach out to us via phone or email: 757-243-1257 or firstname.lastname@example.org.
About Heather Engel
Heather Engel is a Fully Qualified Navy Validator, a designation that requires advanced certifications in Information Assurance; a minimum of five years performing Certification and Accreditation on Navy systems; additional training in systems management, systems certification and risk analysis; and demonstrated knowledge of Navy IA policies and the responsibilities of a Navy Validator. Engel provides risk management and business intelligence to Sera-Brynn clients across a wide variety of industries, bringing more than 15 years of experience in risk and compliance system integration, disaster recovery, security policy, and security testing and evaluation.