DFARS: What Happens After the POA&M
Organizations are finding out that DFARS compliance takes more than a POA&M and SSP. In a 2016 amendment to the Defense Federal Acquisition Regulation Supplement (DFARS), the Department of Defense laid down the law for government contractors who process Controlled Unclassified Information (CUI) from the DoD. According to DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, all contractors who process DoD CUI must implement NIST SP 800-171, a NIST Special Publication that features an extensive list of required security controls that are further specified in another Special Publication, NIST SP 800-53. All contractors who attested to being compliant were required to show evidence of the implementation of NIST SP 800-171 by December 31, 2017. And many of them did, but are now left wondering: What happens next?
For most, the combination of a System Security Plan (SSP) and an associated Plan of Action and Milestones (POA&M) was the mechanism used to demonstrate implementation of NIST SP 800-171 (and therefore demonstrate compliance with DFARS 7012). The SSP and POA&M make up the “how” and “when” of an organization’s strategy to implement security solutions to safeguard Controlled Unclassified Information (CUI). Now that the December 31st deadline has passed, many of the organizations that successfully completed their POA&Ms and SSPs are breathing a sigh of relief, but that was just the beginning. DFARS compliance is a continuous process.
So, what happens next? Merely having a POA&M is not enough. If you are a contractor striving for DFARS compliance, you now have to take steps to accomplish the planned actions and remediate any remaining deficiencies. It’s time to execute the POA&M. There are three main elements to POA&M execution: implementation, technical installation/modification, and continuous updating.
The creation and implementation of policies and procedures is paramount to the success of any security program. Policies and procedures that correlate to the planned actions in your POA&M will give you and your team members a solid foundation upon which to build a DFARS-compliant system.
Without the technical mechanisms to maintain security, even the best-laid plan is nothing but that, a plan. If those technical mechanisms are currently nonexistent, you must install and configure them appropriately. If you already have technical mechanisms in place, they may need modification to be brought up to par with the standards expressed in your SSP and POA&M.
Continuous Monitoring and Updating
A static security program is a failing security program. The mechanisms and policies you have in place will need to be monitored so that, over time, they can be properly maintained, reconfigured, and updated to best suit your evolving needs. Special attention must be paid to controls that specifically mentioned that items need to be reviewed on a periodic basis. For example, Control 3.11.2 explicitly requires periodic vulnerability scanning.
“Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified”
NIST SP 800-171 Control 3.11.2
Maintaining compliance is of immeasurable importance if you plan on doing business with the DoD. Many organizations that have similar policies don’t meet the same standards of security desired by the DoD when handling CUI. Achieving DFARS compliance is hard enough. Maintaining it can be a chore all on its own. Fortunately, contractors are allowed to enlist the assistance of outside companies. Mission Multiplier stands ready to help you navigate the DFARS requirements moving forward and offer you consistent cybersecurity at the best possible value.
And if you missed the December 31st, 2017 deadline, don’t worry. Mission Multiplier can still assist you in creating an SSP and POA&M built around your company’s needs. We employ a methodology for rendering and presenting our findings and thoughts effectively based on extensive industry experience, helping you make sense of DFARS 252.204-7012 and the associated NIST Special Publications.
If you, your organization or company, or someone you know would like more information on our company or how we can help you achieve DFARS compliance, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.