DFARS Compliance 1-year Later: Still Struggling?

Compliance should never be “easy” when it comes to protecting the data that is used to protect our nation, in turn providing us our freedom.
This article is written based on CMMC version 1.0, and may not reflect the updated requirements of CMMC 2.0.

For the latest information on CMMC 2.0, please click here.

As the end of 2018 approaches, so does the 1-year anniversary of the DFARS compliance mandate. What have we learned?

A lot.

DFARS Compliance is “Hard”

Compliance should never be “easy” when it comes to protecting the data that is used to protect our nation, in turn providing us our freedom.

But why is DFARS compliance so hard? Because prior to the mandate, there was basically nothing!

For most sub-contractors, small and large, information security and cyber security was not a priority. Nor were they going to magically become cyber experts and implement all 110 NIST SP 800-171 controls overnight.

That said, protecting Controlled Unclassified Information (CUI) is no laughing matter. It’s a serious issue. And it needs to be done, correctly, because malicious actors are working with a massive head start.

As referenced in this article by Military Embedded Systems,

Today, hackers need only breach one vulnerable third party to gain access to hundreds or thousands of connected organizations.

When this happens (spoiler alert, it already has!), nobody wins.

The Narrative is Changing

Perhaps CUI needs to be viewed differently. Think of it this way: The CUI your organization processes, stores or transmits…is not YOURS.

It’s the Federal Government’s. Basically, it’s ALL OF OURS.

If the President of the United States shows up to your front door with a box that reads “CUI – Please Keep Safe“, are you going to leave it unattended in your garage all year? Hopefully not.

When the DFARS mandate was rolled out, everyone involved had to adjust. From education, to research, to understanding and so on.

Unfortunately, this lead to a lot of misguidance, though not maliciously.

Information and cyber security companies had to get up to speed on the mandate just as much as the sub and primary contractors did.

Early on, there was a lot of noise about “what contractors need to do first”.

  • NIST 800 -171 gap analysis
  • System Security Plan (SSP)
  • Plan of Actions and Measurement (POAM)

What’s alarming, is some organizations thought that’s all they needed, because that’s what they were told!

Seems easy enough, right?

Not if you aren’t prepared for the time and costs for what comes next…REMEDIATION!

Let’s recap quick. You’ve just paid a 3rd party organization (or two) to conduct an assessment and provide a bunch of reports on what you need to do in order to become DFARS compliant. Now what?

What happens if you don’t have the resources and funds to implement the POAM?

Is there a solution that is focused more on getting the organization compliant quickly, easily and for a much smaller cost?

Yes, there is.

New Solutions: Better and Cost-Effective

Imagine if an information and cyber security company collaborated with other security organizations/solutions, as well as information technology solutions, to create a turn-key DFARS compliance solution with the contractor’s best interests in mind.

Beryllium InfoSec Collaborative has done just that with CUICK TRAC™. “Compliance as a Utility.”

Why spend money and time on things you don’t need? What if you could hit the pause button and find a quicker (or CUICKER…get it?!) solution?

What good is a SSP or POAM if you aren’t able to achieve compliance in a timely manner?

CUICK TRAC™ gets you compliant in as little as 14 days, keeps you compliant and allows you to prove it any time you’re asked.

DFARS compliance isn’t a “race to the finish line.” It isn’t something an organization can ignore once they meet the requirements. In order to maintain current contracts or be awarded future contracts, organizations need stay and prove compliance.

Is your organization still struggling to achieve DFARS compliance? If so, contact Beryllium to see if CUICK TRAC™ is the right solution for you.

To learn more about CUICK TRAC™ and Beryllium InfoSec Collaborative, click here.

Derek White
Chief Product Officer
Derek’s success comes from his customer first mentality, utilizing collaboration between security and technology, to create positive outcomes & compliant solutions.

Speak With a NIST Security Expert at Beryllium InfoSec Today

To reach us please fill out the form below.