Are You Compliant with The New DFARS/NIST Requirements?

Don’t Worry – Neuron IT Services Provides DFARS/NIST Compliance and Simplified IT Support For You

Today, more than ever, the Department of Defense (DOD) relies on external contractors and suppliers to carry out a wide range of missions. Sensitive data is shared with these companies and must be protected. Inadequate safeguards for sensitive data may threaten America’s National Security and put our military members at risk.

Our CEO, Jason Vivier, a veteran who supported our nation’s security, shares his expertise and what you need to know in a published article in MSP Insights. Highlights are presented below.

The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 mandates that U.S. Department of Defense (DOD) contractors and subcontractors implement the security requirements of NIST SP 800-171. The clause is intended to protect the government’s controlled unclassified information (CUI) that is stored, processed, or transmitted on contractor systems.

NIST 800-171 consists of 110 security requirements organized into 14 families. They are not purely technical: they reach across an entire organization, covering its security policies and procedures as well as its systems. The largest DOD contractors, the likes of Lockheed, Raytheon, BAE, and others, have taken this regulatory requirement extremely seriously and are preparing appropriately. However, many (and likely most) DOD subcontractors only began acknowledging their duties under the law when they received letters from their contractors asking if they would be compliant by the end of 2017.

The contractors are using those letters for two purposes: first, to get formal statements from subcontractors confirming their compliance (in order to shift the risk off themselves), and second, to determine which suppliers they’ll continue to rely on now that the requirements are in effect. Contractors are in the process of sorting their current subcontractors into two categories, those that will be compliant and those that won’t, and then figuring out which compliant companies to grant the business that used to go to the non-compliant ones.

All of this makes NIST 800-171 compliance an unmistakably huge opportunity for these subcontractors, who stand to increase their business by making the necessary investments for meeting the regulations. It’s also a clear opportunity for MSPs (Managed Service Providers like Neuron IT Services) who are capable of assisting with this compliance, or willing to acquire the specific wherewithal to do so.

The stakes for subcontractors are sky high, especially those that aren’t truly compliant. If a breach of government information occurs at an organization, audits, fines, and even criminal penalties are likely to follow – and that company is unlikely to last. As unprepared organizations bow out, this regulatory enforcement is bound to create a shortfall in compliant suppliers able to fulfill government contracts. Over time, the totality of these contracts and government dollars involved will go to companies that are compliant – and, in turn, to the MSPs (like Neuron IT Services) that help them get there.

However, it’s important to understand that providing NIST 800-171 compliance isn’t like other traditional services MSPs provide. It requires specialized technology, but most of all it takes specific involvement and understanding of each individual client. Applying a cookie cutter approach in a hands-off manner simply won’t get the job done.

A typical MSP might provide network security monitoring, anti-virus protection, cloud backup of essential files, and phone-based technical support. In comparison, NIST 800-171 compliance goes much further and requires device-level encryption, multi-factor authentication, employee training, 24/7/365 network security monitoring, compliant cloud and local backup, policy generation, onsite support, secure systems engineering, patch management and testing, and complex network-level configurations.

Neuron IT Services provides all of this and more.

Because NIST 800-171’s configuration management requirements place such strict controls on any change to a network, the MSP more or less needs to take over IT management for the client and act as an internal resource. When any environmental change or upgrade occurs, it’s necessary to test all updates, patches, or new equipment, perform a risk assessment, and ensure that the network remains secure going forward. To achieve all of this, an MSP needs security managers, engineers, and analysts able to provide these services. At the same time, the client benefits from this investment because they possess the rare and sought-after compliance that enables their business to thrive.

Solutions can be implemented to provide multi-factor authentication and similar needs. For example, we use a specific solution that provides encryption and device-level security because it also offers the ability to remotely quarantine or wipe data from lost or compromised devices. Being able to contain a lost device this way narrows the scope of an incident and lets us skip whole sections of the incident response plan, reducing costs to the client in the process. One caveat: containment does not remove the reporting duty under DFARS 252.204-7012, which requires cyber incidents affecting covered defense information to be reported to DOD within 72 hours of discovery, so the incident response plan still needs to cover that step.

Arguably the bigger challenge is in managing the policies and procedures, and the ongoing training required to maintain compliance. NIST 800-171 requires that employees, and those tasked with securing the network, receive ongoing security awareness training appropriate to their job roles. We provide this training and require confirmation that staff members have indeed read the policies written for them.

As an MSP providing NIST 800-171 compliance, it’s a necessity to understand where insider threats may come from: individuals or departments that don’t do well in their training, for instance, may be good candidates for more limited access. Robust training in security policy has an added bonus, as employees with a strong understanding of risk reduce the likelihood that the MSP will need to intervene (helping reduce expenses).

If the Department of Defense determines that other measures are required to provide adequate protection and security, you and your subcontractors may also be required to implement additional precautions. It’s essential that you stay up to date on these requirements if you want to keep your standing with the DOD or to bid on future contracts. Neuron IT Services is your best friend where this is concerned.

For more information, contact us at (603) 413-3992 or [email protected]