Compliance Is Not Just a Box to Check—It's a Strategic Necessity in Today's Cybersecurity Landscape
In today's ever-evolving cybersecurity landscape, compliance is more than just a regulatory requirement—it's a strategic imperative.
Welcome to Part Two of our blog series, "A Practical Compliance Guide: NIST SP 800-171 Rev. 2 & CMMC 2.0." In the first installment, we laid the groundwork by discussing the importance of compliance, identifying who needs to comply with DFARS, NIST SP 800-171 Rev. 2, and CMMC 2.0, and exploring key requirements and implementation strategies. In Part Two, we will explore the intricacies of DFARS compliance and its critical role in protecting Covered Defense Information (CDI) and Controlled Unclassified Information (CUI). We will review the DFARS interim rule clauses, discuss the key security measures contractors must implement, and provide a roadmap for conducting gap analyses and developing action plans.
By the end of this blog, you’ll have a clearer understanding of how DFARS ties into your overall compliance journey and the essential steps you need to take to ensure your organization is prepared to meet the DoD’s cybersecurity requirements. Whether you're a contractor, a subcontractor, or a service provider handling sensitive defense information, this guide will help you navigate the complexities of DFARS and align your efforts with NIST SP 800-171 compliance. Stay with us as we break down these requirements and offer practical solutions to common challenges.
DFARS (Defense Federal Acquisition Regulation Supplement)
Definition and Purpose
DFARS is a set of regulations supplementing the Federal Acquisition Regulation (FAR) specifically tailored for the Department of Defense. It includes provisions aimed at protecting defense-related information and ensuring the cybersecurity of defense contractors.
Key Requirements
• Safeguarding CDI: Implement security measures to protect Covered Defense Information (CDI).
• Cyber Incident Reporting: Report cyber incidents affecting CDI within 72 hours.
• Flow Down Clauses: Ensure subcontractors comply with DFARS requirements.
Applicability
DFARS applies to all contractors and subcontractors handling CDI/CUI as part of their DoD contracts (including downstream service providers), regardless of the organization's size or industry. A company with 10 employees has the same requirements as a company with 10,000 employees.
Implementation Steps
• Understand DFARS Requirements: Familiarize yourself with the relevant DFARS clauses.
• Conduct a Gap Analysis: Assess your current cybersecurity posture against DFARS requirements.
• Develop an Action Plan: Create a plan to address identified gaps.
• Implement Security Controls: Deploy necessary security measures.
• Monitor Compliance: Continuously monitor and update your security practices.
Common Pitfalls and Solutions
• Inadequate Understanding: Ensure comprehensive training on DFARS requirements.
• Insufficient Resources: Allocate appropriate budget and personnel for compliance.
• Lack of Documentation: Maintain thorough records of all compliance activities.
DFARS Interim Rule
Introduction and Purpose
The DoD released the DFARS Interim Rule in September 2020, which went into effect on November 30, 2020. Its primary objectives are to clarify that CMMC will be the new framework for DoD contracts and inform contractors they are responsible for reporting their compliance with NIST SP 800-171.
Interim DFARS Clauses
• 252.204-7019: DFARS clause 252.204-7019 notifies the contractor that they must maintain a record of their NIST SP 800-171 compliance within the Supplier Performance Risk System (SPRS). Each contractor must complete a Basic, Medium, or High assessment every three years and ensure it is properly reported to the SPRS.
• 252.204-7020: DFARS clause 252.204-7020 requires contractors to provide the Government access to their facilities, systems, and personnel whenever the DoD renews or conducts a Medium or High assessment.
• 252.204-7021: DFARS clause 252.204-7021 requires DoD contractors to maintain the appropriate CMMC level concerning each contract while also ensuring any subcontractors are compliant with the same CMMC level for the duration of the contract. (7021 is expected to be fully released by the end of 2024.)
NIST SP 800-171 Rev. 2 (National Institute of Standards and Technology Special Publication 800-171)
Background and Objective
NIST SP 800-171 Rev. 2 provides guidelines for protecting CUI in non-federal systems and organizations, helping to ensure that sensitive information shared with contractors remains secure. This table shows the 14 Control Families, the 110 Controls within those Families, and the 320 Control/Assessment Objectives associated with those Controls. All of these elements must be assessed and met to achieve compliance.
Key Security Requirements
The publication outlines 14 control families of security requirements, including:
• Access Control:
o Establish system access requirements.
o Control internal and remote system access.
o Limit data access to authorized users and processes.
• Awareness and Training:
o Conduct regular security awareness and training activities for employees.
o Educate users on how to identify and report emerging threats.
• Audit and Accountability:
o Define audit requirements.
o Perform audits.
o Identify and protect audit information.
o Review and manage audit logs.
• Configuration Management:
o Establish configuration baselines.
o Perform configuration and change management.
• Identification and Authentication:
o Grant access to authenticated entities only.
o Implement multi-factor authentication (MFA) to verify user identity.
• Incident Response:
o Monitor devices and systems to detect and remediate incidents.
o Develop and implement a response plan.
o Practice using the response plan.
o Perform post-incident reviews.
o Test incident response procedures.
• Maintenance:
o Manage physical and infrastructure maintenance.
o Coordinate with external partners for maintenance activities.
• Media Protection:
o Identify, protect, and control media.
o Sanitize media.
o Protect media during transport.
o Regularly back up data and store it remotely.
o Practice retrieving backups.
• Personnel Security:
o Perform appropriate background checks during hiring.
o Revoke credentials when employees leave.
o Protect CUI during personnel actions.
• Physical Protection:
o Limit physical access to servers and devices.
o Ensure employees lock devices when not in use.
o Implement mobile device management (MDM) for remote access, monitoring, and secure management of devices.
• Risk Assessment:
o Identify, evaluate, and manage risk using tools like penetration tests and vulnerability scans.
o Manage supply chain risk.
• Security Assessment:
o Develop and manage a system security plan.
o Define and manage controls.
o Perform code reviews.
o Regularly evaluate and update processes.
• System and Communications Protection:
o Define security requirements for systems and communications.
o Protect sensitive information behind multiple layers of firewalls.
o Implement spam filtering and email protections.
• System and Information Integrity:
o Install software updates and patches quickly.
o Identify and manage information system flaws.
o Identify malicious content.
o Perform network and system monitoring.
o Implement advanced email protections.
o Use anti-malware tools to defend against and remediate attacks.
These requirements are essential to maintaining a robust cybersecurity posture and ensuring NIST SP 800-171 compliance.
Implementation Steps
• Map Existing Controls:
o Identify and map your security controls to NIST SP 800-171 requirements.
• Develop Action Plans:
o Create detailed action plans to address any gaps.
• Implement Controls:
o Deploy the necessary controls to meet the requirements.
• Document Compliance:
o Keep detailed documentation of your compliance efforts.
Assessing and Maintaining Compliance
• Regular Assessments: Conduct regular assessments, whether internal or by a third party, to ensure ongoing compliance.
• Routine Reviews: Establish a routine for periodic reviews and updates to your security measures.
Conclusion
As we conclude this segment of our series, it's clear that achieving compliance with DFARS, NIST SP 800-171 Rev. 2, and CMMC 2.0 is not just about meeting regulatory requirements—it's about safeguarding critical defense information and ensuring the cybersecurity of the entire supply chain. The steps outlined here are designed to help your organization navigate these complexities, assess its current standing, and implement the necessary controls to stay secure and compliant.
In the upcoming parts of this series, we'll continue to explore these topics in more depth, providing you with the tools and insights needed to integrate these requirements into a cohesive and effective compliance strategy. Whether you’re just beginning your compliance journey or refining your processes, staying informed and proactive is key to long-term success. Stay tuned for more actionable advice in the next installment.
About the Author
Joe Coleman is the Cyber Security Officer for Bluestreak Compliance™, a division of Throughput | Bluestreak | Bright AM™. Joe is a Certified CMMC-RPA (Registered Practitioner Advanced).
About Bluestreak™:
Bluestreak™ is a fully integrated Quality Management System (QMS) and a powerful Manufacturing Execution System (MES) designed for the manufacturing environment and for service-based manufacturing companies (metal-treating/powder-coating, plating, heat-treating, forging, and metal-finishing): businesses that receive customers' parts, perform a process (service) on them, and send those parts back to the customer. Companies need MES software tailored to specific functionality and workflow needs, such as industry-specific specifications management, intuitive scheduling control for staff and machinery maintenance, and the ability to manage work orders and track real-time data. If different work centers on the production floor aren't "speaking" to each other via the MES, the data loses value and becomes disjointed or lost in disparate silos.
Bluestreak | Bright AM™ is an MES + QMS software solution specifically designed to manage and optimize the unique requirements of Additive Manufacturing’s production of parts and powder inventory usage.