What is the difference between DFARS and NIST SP 800-171?


Protecting controlled unclassified information (CUI) has been in the limelight for some time, largely because the Department of Defense (DoD) has made it a major emphasis in recent years. The White House issued Executive Order (EO) 13556 in November 2010. The order established an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulation, and Government-wide policy, across Civilian and Defense agencies alike.

The Executive Order set out to fix the problem of departments and agencies using ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information.

That wasteful and confusing patchwork produced inconsistent, ambiguous, or overly restrictive dissemination rules, as well as obstacles to authorized information sharing. The inefficiency is a problem in itself.

It matters all the more here, because CUI is sensitive material that frequently raises privacy and security concerns, involves proprietary business interests, and is vital to law enforcement investigations.

Who is required to be DFARS compliant?

Lockheed Martin issued new guidelines for adhering to Department of Defense (DoD) requirements in response to the publication of DFARS 252.204-7012. The guidance stated unequivocally that everyone in the Lockheed supply chain was subject to the DFARS obligations, which were "due" on December 31, 2017. Northrop Grumman issued similar guidance.

Key takeaway: if your firm earns any revenue from DoD work that involves covered defense information, regardless of your company's size, or if you intend to earn such revenue in the future by selling to DoD-related enterprises, you MUST be DFARS compliant in order to win or retain those contracts.

Implementing NIST SP 800-171 also gives your firm an advantage over the competition, and the sooner you do it, the better. If a supplier has not implemented the NIST security requirements called for by the cyber DFARS clause 252.204-7012, the supplier must notify the DoD CIO's office of the requirements not yet implemented within 30 days of contract award. Filling out and returning a questionnaire you may have received does not constitute compliance, nor does it demonstrate compliance.

DoD may consider how many of the 110 NIST SP 800-171 security requirements a supplier has implemented when making award decisions, and may otherwise require companies to implement all of them. To be DFARS compliant, you must conduct an assessment and produce comprehensive compliance documentation that is kept current and ready to be submitted at any time.

The Department of Defense will require full compliance with all NIST SP 800-171 requirements in the future, so the time and effort you spend remediating FULLY now is not wasted. Keep in mind that the Plan of Action and Milestones (POA&M) and the System Security Plan (SSP) are both key documents for proving that you have assessed your organization and implemented the controls. They will also help your primes feel more comfortable retaining you.