<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

2019 DFARS Cyber Compliance for Small Defense Manufacturers

Are you a defense manufacturer or DoD supplier? As a member of the DoD supply chain you must be DFARS compliant. Learn about your requirements and how to speed up compliance here.

Your Responsibilities

What are the Defense Cyber Compliance Requirements?

Protecting controlled unclassified information (CUI) has had the spotlight for a while now, primarily as an extensive focus of the Department of Defense (DoD) for the past several years. As a member of the Defense Supply Chain, your company likely falls under the new defense cyber security regulation for this year and every year hereafter. Defense supplier SMBs / SMEs are scrambling to prove adequate compliance as to not lose their existing contracts and secure new. If you're a defense manufacturer or make products for  haven't researched DFAR

The NIST Special Publication 800-171 requirement was developed to ensure that those working in conjunction with Department of Defense would have methods in place to protect sensitive information. The regulatory document published by the National Institute of Standards and Technology and the Under Secretary for Defense Aquisition states that “protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.” It was published as a Defense Federal Aquisition Requlation Supplement, which is a defense-related version of a Federal Aquisition Regulation (or FAR) including the cyber DFARS clause 252.204-7012. 


In Translation... As a small manufacturer in the defense supply chain, you have to prove that you're DFARS compliant or at least following a plan for 800-171 compliance. 


More background on the DFARS cyber requirements:

NIST SP 800-171:  Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Information Security Magazine: Small Defense Contractors Get Ready to Meet New NIST Standards

Blog: DFARS Compliance and Why It Might Matter to You


Do You Fall Under the DFARS Regulation?

When DFARS was announced, Lockheed Martin publishedNew Guidelines for Adhering to Department of Defense (DoD) Cyber Security Requirements.

The guidance made it clear that anyone in the Lockheed supply chain fell subject to the DFARS requirements, 'due' December 31 of 2017 (AKA the DFARS deadline has passed but there's still a way for you to secure your business - read on...)Northrop Grumman published similar guidance.

According to NIST: "DoD contractors and suppliers (including small manufacturers) must adhere to two basic cybersecurity requirements:

(1) They must provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure; and

(2) They must rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including access to affected media and submitting malicious software."

Key Takeaway: If you generate any DoD related revenue, or if you plan to sell to DoD-related companies in the future, you must address the nist 800-171 requirements.

Filling out and submitting the questionnaire you may have recieved doesn't count as compliance, and will not allow you to prove compliance either (read on to learn why)

Guidance From Prime Contractors

"I received a DFARS questionnaire from my Prime... How is filling out the cybersecurity questionnaire different than the actions required by cyber DFARS 252.204-7012?"

Lockheed says it right: "The cybersecurity questionnaire in Exostar is used as a tool to obtain a high-level understanding of a supplier’s ability to protect sensitive information and manage cyber security risk... Performing all activities outlined in the questionnaire does not satisfy the requirements associated with cyber DFARS clause 252.204-7012. Suppliers which store/process CDI are responsible for assessing their systems for compliance with the requirements outlined in cyber DFARS clause 252.204-7012."


Key Takeaway: If your Prime sent you an Exostar or other flow-down DFARS questionnaire, filling it out and sending it back doesn't meet the defense cybersecurity requirements for 2018. You must have proof that you've addressed all of the NIST 800-171 control requirements and you're working towards full compliance.

 DFARS Guide Cover_download

More on falling under defense cyber compliance:

Blog: Did You Recieve a DFARS Questionnaire? What it is, what it isn't and what you can do now.

Lexology: Small Defense Contractors, Are You Ready for NIST 800-171?

Blog: Subcontractors and Suppliers, the Risks of Non-Compliance

How to comply

Solutions for DFARS 800-171 Compliance

Echoing the words of Northrop Grumman, "to have implemented NIST 800-171, a company must have conducted a self-assessment against all 110 controls, and developed a system security plan (SSP) describing how the security requirements are met, and plans of action and milestones (POA&M) on how those controls (not implemented) will  be met.  DoD may consider how many controls are implemented in making award decisions and otherwise may require companies to implement all NIST SP 800-171 controls."


In Translation... You need to run a DFARS Assessment and put together your SSP and POAM compliance documents ASAP. The Department of Defense is requiring total compliance to all the NIST SP 800-171 Controls in the future, so be advised that that Plan of Actions and Mitigations (POAM) and System Security Plan (SSP) are both important to prove you're moving towards being DFARS compliant. 


Implementing these security controls is a first step to becoming compliant and can be quite a substantial undertaking, especially for those organizations with stretched or limited resources. You can engage a third party to run your DFARS assessment, or you can go for a lower cost alternative likeCyberStrong to quickly perform the assessment and automate your documents as you go through it. You can also manage a spreadsheet in-house, which can be doable depending on your organization and how savvy you are with NIST language and cyber technicalities.


More on your required DFARS compliance documents:

National Defense Magazine: New Cyber Rule Requires Critical Documents

Blog: Starting DFARS Compliance? How to Create Your System Security Plan (SSP) and Plan of Action and Milestones (POAM)

Press Release: CyberSaint Grows Adoption by 500% Supporting DFARS Cybersecurity Requirements For Defense and Supply Chain

DFARS explained

Key Requirements in Detail

DFARS 3.12.1 and DFARS 3.12.3: Security Assessment 

You must assess the environments containing CUI or CDI at some identified cadence. If you can, implement a continuous compliance platform or methodology. Include upper level management and employees at every level who take part in processes or environments that store, transmit, or process CUI or CDI - each should know their part. The NIST SP 800-171 controls don't say how frequently to run an assessment, but we'd recommend at a minimum twice a year or every quarter.


DFARS 3.5.3: Identification and Authentication

If you don't have multifactor authentication enabled already, it's pressing that you do so either via multifactor authentication or two-factor authentication (MFA or 2FA) for all local andnetwork access. You need to invest time to research, and usually a small amount of capital (there are many inexpensive options) to implement MFA. All systems that transmit, process, or store CUI or CDI must have MFA/2FA enabled. Simple solutions includeGoogle Authenticator among others.


DFARS 3.6.1: Incident Response

Ensure that you can prepare, identify, contain, eradicate, recover and learn from an incident. You must to use technical skills and operational know-how to get an incident response plan in place. Make sure that you're always updating and practicing your incident response plan, especially as you adopt new technologies and as the make-up of your team changes.

DFARS Compliance: Some Key Requirements in Detail




The NIST Control Families Included in NIST SP 800-171

1. Access Control— limits system access to authorized users

2. Awareness and Training—provides awareness of the security risks associated with user’s activities; training them on applicable policies, standards and procedures; and making sure they are trained appropriately to carry out their duties. This tends to be an easy and re

3. Audit and Accountability— creation, protection, retention, and review of system logs.

4. Configuration Management— creation of baseline configurations and use of robust change management processes.

5. Identification and Authentication—identifying and authenticating the information system users and devices.

6. Incident Response— developing operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.

7. Maintenance—performing timely maintenance on organizational information systems.

8. Media Protection—protection, sanitation and destruction of media containing CUI.

9. Personnel Security—screening individuals prior to authorizing their access to information systems and ensuring such systems remain secure upon the termination or transfer of individuals.

10. Physical Protection—limiting physical access to and protecting and monitoring the physical facility and support infrastructure for the information systems.

11. Risk Assessment— assessing the operational risk associated with processing, storage, and transmission of CUI

12. Security Assessment—assessing, monitor and correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.

13. System and Communications Protection—monitor, control and protect data at the boundaries of the system, and employ architectural designs, software development techniques and system engineering principles that promote effective information security.

14. System and Information Integrity—identify, report and correct information and information system flaws in a timely manner, protect the information system from malicious code at appropriate locations, and monitor information security alerts and advisories and take appropriate actions. 

The Best Option

CyberStrong Provides Rapid DFARS Compliance

Automated System Security Plan (SSP) and Plan of Action and Mitigations (POAM), Continuous Risk Assessment, Every DFARS NIST Sp 800-171 Control Requirement Listed, over 20% of the requirements covered just by using the platform. Learn how you can automate compliance by seeing CyberStrong in action.