DFARS vs FAR and Other Acronyms for Government Contractors


If you are considering, or are in the midst of, a Sera-Brynn cyber audit involving DFARS, the provision of cloud services, or incident reporting, you know there are many key terms. Here are some high-frequency acronyms, including DFARS vs FAR, and their meanings to help you on the road to compliance.

CDI stands for covered defense information. It is the class of information that triggers compliance with Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.

CUI is controlled unclassified information. It is one type of covered defense information (CDI).

DFARS means Defense Federal Acquisition Regulation Supplement. The DFARS supplements the Federal Acquisition Regulation (FAR) and is administered by the Department of Defense.

DFARS clause 252.204-7012 is the regulation titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” It requires government contractors to comply with two key information security requirements: (1) adequate security and (2) incident reporting. Unlike FAR Final Rule 52.204-21, this clause provides detailed implementation and reporting standards based on NIST guidelines.

DIBNet is the DoD’s online portal for incident reporting. DIB stands for Defense Industrial Base.

DoD CIO refers to the United States Department of Defense (DoD) Chief Information Officer. The DoD CIO is a reporting authority under the DFARS clause 252.204-7012.

FAR stands for Federal Acquisition Regulation and is the set of regulations governing all acquisitions and contracting procedures in the Federal government.

FAR Final Rule 52.204-21 is the regulation titled “Basic Safeguarding of Contractor Information Systems.” It addresses fifteen provisions that mandate minimum controls. This clause does not reference any NIST standard.

FedRAMP stands for the Federal Risk and Authorization Management Program. It is a U.S. Government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. The provision of cloud services to the Federal Government may be evaluated under the FedRAMP program.

NARA stands for National Archives and Records Administration. It is the agency that implements the Federal Government-wide CUI Program. Identifying CDI involves an analysis of the information and how it is classified by NARA.

NIST stands for the National Institute of Standards and Technology. NIST is part of the U.S. Department of Commerce.

NIST 800 is the series of documents that sets forth the U.S. Government’s computer security policies, procedures and guidelines.

NIST SP 800-171 is the NIST Special Publication titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” It contains NIST’s final guidance for federal agencies on ensuring that sensitive federal information remains confidential when it is stored in nonfederal information systems and organizations. DFARS clause 252.204-7012 maps to NIST SP 800-171.

NIST SP 800-53 is the NIST Special Publication titled “Security and Privacy Controls for Federal Information Systems and Organizations.” It is the guidance for securing Federal information systems.


About Sera-Brynn:

Sera-Brynn is a Global Top 10 Cybersecurity firm headquartered in Hampton Roads, Virginia. We are a team of certified compliance auditors, security engineers, computer forensics examiners, security consultants, security researchers, and trainers with in-depth expertise and decades of experience. Many of us come from the national intelligence and military information security community where we designed, protected, and countered threats to the most complex and sensitive network infrastructures in the world. We apply those skills, tactics and techniques to the benefit of our global private sector clientele.

Sera-Brynn’s clients include Fortune 500 companies, global technology enterprises, DoD contractors, state and local governments, transnational financial services institutions, large healthcare organizations, law firms, Captives and Risk Retention Groups, higher education, international joint ventures, insurance carriers and re-insurers, national-level non-profits, and mid-market retail merchants, all of whom rely on Sera-Brynn as a trusted advisor and extension of their information technology team.