Common questions about tools and methods of DFARS compliance


There are many factors to consider as you address how to achieve DFARS compliance with new standards for information control. Here are a few questions and concerns that clients have shared regarding the controls, methods and tools associated with DFARS compliance:

Will I need specific monitoring tools for compliance?

In our experience, and based on client conversations, achieving compliance will require some form of monitoring Security Operations Center (SOC) and a Security Information and Event Management (SIEM) tool to streamline event and alert handling. The scope, scale and investment will depend on factors such as the number of in-scope information systems, where they are logically located, and the types of detective and protective technologies in place to meet the controls.

Will we have the option to implement alternative controls?

In some cases, contractors may have implemented security measures that provide protection equivalent to the controls defined in NIST 800-171. In those cases, the DoD CIO will assess alternate measures. Assessment responses will be provided within 5 days.

Will a plan of action and milestones (POA&M) be sufficient for compliance if controls will not be in place by the deadline?

No and yes. It is clear that no one can draft POA&Ms for every control, push completion out as far as they want, and still expect to be deemed compliant. Strictly speaking, compliance can only be demonstrated by showing either a fully implemented control or a sufficient compensating control.

However, for controls that require significant and complex change to the business (e.g., extending multi-factor authentication across the enterprise), there is a growing consensus that an in-flight project, accompanied by a POA&M and notification to the DoD Chief Information Officer, will be sufficient. We understand these will be evaluated on a case-by-case basis and may be accepted or rejected by a Contracting Officer.

For additional thoughts from DXC, read our Defending Your Approach to DFARS white paper or watch the replay of our recent webinar.
