DFARS (NIST 800-171) compliance
DFARS is a Department of Defense information regulation concerning Controlled Unclassified Information, or CUI. Anyone holding a contract from the Defense Department is obligated to take steps to protect this information.
what is DFARS? who does it affect?
Defense Federal Acquisition Regulation Supplement (DFARS) provides Department of Defense (DoD) specific acquisition regulations that contractors doing business with DoD must follow in the procurement process for goods and services.
DFARS protects a specific type of non-classified information, Controlled Unclassified Information (CUI), that is held by DoD contractors. Manufacturers who want a contract with the DoD, who already hold a defense contract, or who are a downstream supplier to a defense contractor must all take steps to become compliant with DFARS (NIST 800-171).
The specific security requirements are published by NIST, the National Institute of Standards and Technology, in NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
how to be compliant with DFARS
DFARS is a risk-management-based confidentiality program at the organizational level. The data and the corresponding systems are owned by business line leaders, and the responsibilities lie with them.
DFARS-compliant businesses must produce:
- System Security Plan (SSP)
- Plan of Action and Milestones (POAM)
- CUI Environmental Management Team (CEMT)
Peters & Associates can guide you through the compliance process to fulfill your obligations under DFARS (NIST 800-171). This includes generating or gathering security documents, making proactive plans to protect CUI, and assigning roles on a team tasked with overseeing DFARS compliance.
what is controlled unclassified information (CUI)?
CUI can be loosely defined as information held by those with Defense Contracts, which is not classified but is sensitive enough to require some protections by the DoD.
This data used to carry designations such as:
- Sensitive But Unclassified
- For Official Use Only
- Law Enforcement Sensitive
The National Archives and Records Administration (NARA) decides what qualifies as Controlled Unclassified Information (CUI). The Department of Defense must spell out clearly within the defense contract what information qualifies for this protection. The contract holder is then responsible for communicating with its downstream suppliers to ensure their compliance.
Today’s 800-171 standard also provides a means to self-assess using templates and guidance. We are familiar with the assessment and overall compliance regimen. Contact us to have a conversation with one of our DFARS Compliance experts.
Offload your IT management to industry experts to keep your business technology secure and optimized so your teams can get back to business initiatives. Contact one of our IT consultants in Chicago to find out which secure, scalable, and optimized solutions are right for you.