Are You Prepared to Implement the New DFARS Requirement to Protect Covered Defense Information (CDI)? - Defense IT Solutions Inc. - News - Defense IT Solutions Inc.



Defense IT Solutions Inc.
Published in News
Tags: CDI, CUI, DFARS, Compliant, 252.204.7008, NIST800.171
     
  1. Are you a Department of Defense Government Contractor?
  2. Does your company work with Covered Defense Information (CDI)?
  3. Is DFARS clause 252.204.7008 in your contract requirements?

If you answered "yes" to any of these questions, then the DFARS CDI COMPLIANCE REQUIREMENT APPLIES TO YOU. All prime contractors and subcontractors doing business with the Department of Defense must implement the new security regulations or document an exception. Even if you don't think this requirement applies to you, you may still need to comply with portions of NIST SP 800-171.

There are fewer than 4 months left for DoD contractors to become DFARS compliant. Sometimes, through no fault of the contractor, such representations may not be wholly accurate, giving rise to theoretical liability under the False Claims Act.

Universal Health v. Escobar (U.S. 2016) - Recognizes that implied certification of contract compliance can be a basis for FCA liability where the requirement is material to the agency's decision to pay for performance.
     
  • Agencies will naturally conclude that cyber compliance is MATERIAL to the decision to pay for Performance.
  • Invoice need not be explicitly certified; the act of submitting an invoice gives rise to implied certification.
  • Personal awareness of cyber non-compliance can form the basis of falsity, intent, fraud.
 
Do you have the correct processes in place to be deemed CUI compliant?
 
The DFARS mandate, under NIST SP 800-171, provides guidance and defines 14 process categories of security requirements for Controlled Unclassified Information. The first process category is Access Control. Access Control has two subcategories:
  1. Basic Security Requirements
  2. Derived Security Requirements
 
The Basic Security Requirements for Access Control include:
3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

The Derived Security Requirements include an additional 19 controls aimed at more specific and somewhat technical areas including Mobile Devices, Encryption, Cryptographic Mechanisms, etc.
 
Don't feel overwhelmed. Defense IT Solutions Inc. can help!

Our DFARS CDI Assessment service includes:
  • Conduct risk assessments to determine NIST compliance standards
  • FIPS 199 and NIST SP 800-60 data classification
  • Identify data inputs and outputs to determine where unclassified controlled defense information resides or transfers between contractor and subcontractor information systems
  • Assess compliance beyond the Pass/Fail DFARS requirement by providing a more granular Cybersecurity Maturity Assessment Model (see below)
  • Provide recommendations for updating your security policies to incorporate the new DFARS requirements
  • Develop incident response plans, processes, workflow documents and other material that should be completed in response to an incident
  • Provide and review final report and remediation strategies
 
Contact Defense IT Solutions Inc. immediately to avoid fines or worse!
 

