Common questions about tools and methods of DFARS compliance


There are many factors to consider as you address how to achieve DFARS compliance with new standards for information control. Here are a few questions and concerns that clients have shared regarding the controls, methods and tools associated with DFARS compliance:

Will I need specific monitoring tools for compliance?

In our experience, and based on client conversations, achieving compliance will require some form of monitoring through a Security Operations Center (SOC) and a Security Event and Incident Management (SIEM) tool to streamline event and alert handling. The scope, scale and investment will depend on factors such as the number of in-scope information systems, where they are logically located, and the types of detective and protective technologies in place to meet the controls.

Will we have the option to implement alternative controls?

In some cases, contractors may have implemented security measures that provide protection equivalent to the controls defined in NIST 800-171. In those cases, the DoD CIO will assess alternate measures. Assessment responses will be provided within 5 days.

Will a plan of action and milestones (POA&M) be sufficient for compliance if controls will not be in place by the deadline?

No and yes. It is clear that no one can draft POA&Ms for every control, push completion out as far as they want, and still expect to be deemed compliant. Strictly speaking, compliance can only be demonstrated by showing either a fully implemented control or a sufficient compensating control.

However, for controls that require significant and complex change to the business (e.g., extending multi-factor authentication across the enterprise), there is a growing consensus that an in-flight project, accompanied by a POA&M and notification to the DoD Chief Information Officer, will be sufficient. We understand these will be evaluated on a case-by-case basis and may be accepted or rejected by a Contracting Officer.

RELATED LINKS

DFARS compliance software questions that you need to answer

Frequently asked questions (FAQ) about DFARS compliance
