New Cyber Rule Requires Critical Documents.

Author: Wrenn, George
Position: Viewpoint

* Contractors and their supply chain with active Defense Department contracts, or those that plan on doing business with it, must ensure that any of their information systems that transmit, process or store controlled unclassified information comply with National Institute of Standards and Technology Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."

It is clear that meeting the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 mandate to comply with the special publication is a required priority for defense contractors, subcontractors and suppliers.

Preparing a system security plan and a plan of action and milestones (POA&M) is crucial to winning new business and keeping existing contracts this year and going forward. Here are some tips on how to approach creating and using these complex compliance documents.

First, DFARS compliance includes safeguarding all controlled unclassified information and "covered defense information." Contractors must report cyber incidents to the Defense Department and must disclose any deviations or gaps from NIST SP 800-171. They must show progress against a plan of action and milestones and must maintain and, on request, submit a system security plan.

The plan of action and milestones and the system security plan are the key artifacts used to demonstrate adherence to the NIST SP 800-171 guidance. Defense contractors and suppliers will need to submit these compliance documents to the department or to a prime contractor, preferably sooner rather than later. Defense Department guidance calls these types of artifacts "critical inputs to an overall risk management decision to process, store or transmit" controlled unclassified information.

Contractors processing, storing or transmitting controlled unclassified information must, at a minimum, meet the security standards laid out in the Defense Federal Acquisition Regulation Supplement. Those who choose to ignore the requirement risk losing contracts this year and in the years ahead, and may even expose themselves to liability under the False Claims Act. A company that has already received a compliance questionnaire should report its compliance status truthfully and prepare its compliance documents now if it wants to keep its customers.

Identifying the scope and target of the evaluation is important here. NIST SP 800-171 contains 110 security requirements, and assessing each of these...
