In 2015, the Department of Defense (DoD) issued a set of safeguarding rules and clauses under the existing Defense Federal Acquisition Regulation Supplement (DFARS). These rules specify security controls for contractor information systems that process, store, or transmit Covered Defense Information (CDI), and they flow down to subcontractors as well as prime contractors.
The security controls are based on National Institute of Standards and Technology (NIST) standards, detailed in NIST Special Publication 800-171.
DFARS requires non-federal organizations that render services to the DoD or host DoD applications to assess their systems against NIST 800-171 and to notify the DoD Chief Information Officer, within 30 days of contract award, of any NIST 800-171 security requirements not yet implemented.
Guidance for Your Compliance Journey
Our experience with Federal security requirements spans almost two decades, with dedicated specialists available to help your organization comply with the NIST 800-171 framework and address DFARS compliance.
Additionally, our Joint Authorization Board-authorized FedRAMP Cloud is equipped with a System Security Plan (SSP) that addresses security for all control families across NIST 800-171 and DFARS.
We can help
Depending on the nature of your DoD contract, you will be expected to represent your compliance with one or more of the following DFARS provisions and clauses. Our specialists are here to help.
- DFARS 252.204-7008: Compliance with Safeguarding Covered Defense Information Controls
- DFARS 252.204-7009: Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
NIST Special Publication 800-171 is a body of government requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It applies to organizations in both the public and private sector, including government contractors; manufacturers; state, local, and tribal governments; and colleges and universities. First published in 2015, NIST 800-171 derives its requirements from the moderate baseline of NIST 800-53, and covers 14 control families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity