How are contractors being evaluated on their DFARS cybersecurity measures?

The deadline for complying with the Defense Federal Acquisition Regulation Supplement (DFARS) was December 31, 2017. However, contractors struggled to understand what the information security requirements actually meant. In response, the Department of Defense (DoD) provided guidance for “procurements requiring implementation of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171”. Contractors continue to seek clarity on the DFARS cybersecurity clause.

Key takeaways from the DoD guidance

  • Contractors must implement NIST SP 800-171
  • Contractors need to demonstrate that they have implemented or are going to implement the DFARS requirements
  • If not yet implemented, contractors must develop a plan of action demonstrating how and when they will do so

How contractors can demonstrate compliance with NIST SP 800-171

Currently, contractors can comply in a few ways. There are three levels of compliance that range from basic to intensive:

  1. Contractors can self-assess their compliance, and make an attestation that they are complying with the DFARS and have implemented the NIST SP 800-171 security controls
  2. A third-party organization can externally audit the contractor, or certify that the contractor has met the requirements
  3. A federal team can be dispatched to inspect the contractor’s security plan

The first level of assessment is the easiest to implement but lacks the credibility that the other two levels would provide. The third level of having an inspection conducted by a federal team is only available to certain contractors.

The second level of compliance with a third-party organization is achievable in various ways.

Achieving compliance through ISO 27001 certification

One way for contractors to get started on their compliance journey is by achieving ISO 27001 certification. ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). An ISMS is a system of processes, documents, and technology that helps manage, monitor, audit, and improve your organization’s information security.

Achieving accredited certification to ISO 27001 demonstrates that your organization is following information security best practice, and delivers an independent, expert assessment of whether your data is adequately protected.

Achieving such certification can be challenging, which is why IT Governance offers its ISO27001 Certified ISMS Lead Implementer Online training course. This three-day course will provide you with the skills to implement an ISMS aligned to ISO 27001.

Register for the ISO27001 Certified ISMS Lead Implementer Online course >>
Download our free green paper to learn more about the NIST Cybersecurity Framework and ISO 27001, and how to get started on compliance.

The NIST Cybersecurity Framework (CSF) is a voluntary framework for organizations to manage and mitigate cybersecurity risk based on existing standards, guidelines, and practices.

Our green paper discusses how the Framework can work in conjunction with ISO 27001, helping you comply with the NIST SP 800-171 requirements mandated by the DFARS cybersecurity rules.