What are DFARS and NIST SP800-171?

Cyberthreats are constantly evolving. Hackers are out in full force to exploit any opportunity they can to steal sensitive data. Although every organization is a potential target, government agencies and their suppliers are favorites, particularly for state-sponsored attacks conducting cyberwarfare. Unsurprisingly, the US Federal Government is a proverbial data gold mine with a wealth of sensitive information, such as a national database of social security numbers.

The Defense Acquisition Regulations System (DFARS) was mandated in November 2010 to regulate the use and dissemination of controlled unclassified information (CUI). Although this type of information is a step below top-secret, it still needs adequate protection.

DFARS provides a set of standards that apply to civilian and defense agencies across the US, as well as to any organization that handles this data on their behalf. The DFARS regulation follows the rules and guidelines laid out by the National Institute of Standards and Technology (NIST), specifically its Special Publication 800-171.

What is NIST SP800-171?

NIST guidelines were written to protect the privacy, integrity, and availability of federal data when stored in nonfederal facilities and organizations. These guidelines are enforced directly by the Department of Defense (DoD) and cover any entity that works with federal agencies. The purpose of NIST SP800-171 is to assist organizations with setting up IT security protocols and strategies.

Which organizations need to be DFARS-compliant?

Any organization that does work for the DoD must be DFARS-compliant. Aside from major defense contractors, which account for the bulk of DoD contracts, the law also applies to smaller organizations that handle CUI. This includes IT service providers, suppliers, and agencies in the aerospace sector, to name a few. Even if your business doesn’t currently do any work for the DoD, becoming DFARS-compliant can open up new opportunities and boost trust with federal agencies.

What are the key requirements of becoming compliant?

Achieving compliance starts with a thorough security assessment to determine precisely where sensitive information is kept. You also need to assemble a compliance team and include every staff member who processes CUI. While the regulations don’t specifically state how often you should run a security assessment, it’s best to implement a continuous compliance strategy and run assessments at least twice per year or whenever you make any significant changes to your operational infrastructure.

Another key requirement is to restrict access according to the access control standards laid out in NIST SP800-171. This is especially important now that many systems are cloud-based, and most data breaches begin with stolen login credentials. To mitigate the risks and become compliant, it’s best to follow the principle of least privilege, whereby employees have access only to the data they need to do their jobs. To add an extra level of protection, you should also enforce a secondary authentication method rather than relying on passwords alone.

Given the increasing popularity of social engineering attacks like phishing, staff awareness and training are key to achieving compliance. Most data leaks and breaches occur because of human error, which is why everyone on your team must be aware of the risks facing the organization and how to mitigate them. Auditing and accountability is another area of compliance, which is all about ensuring that the proper controls are in place to secure CUI.

How to prove compliance

You’ll need to be able to prove compliance with DFARS if your business is ever investigated following a data breach or you’re negotiating a contract with the DoD. To demonstrate proof of compliance, you need an ongoing and fully documented governance program and strategy for data classification and protection. This applies to both in-house and outsourced cloud-hosted systems.

Though there’s a lot of information to absorb, this entry merely provides a broad perspective into DFARS and NIST SP800-171 compliance. Tune in to our future blog entries to understand more about what it takes to protect federal data. Charles IT also helps businesses meet the demands of DFARS without requiring you to go through reams of legal language and complicated requirements. If you have trouble understanding your compliance requirements, call our experts today.
