What is DFARS/NIST 800-171 Compliance?
Department of Defense contracts are a big revenue stream for many local businesses.  These business sometimes handle sensitive defense information known Controlled Unclassified Information (CUI).  The National Institute for Standards and Technology (NIST) has established the DFARS requirements to ensure small DoD contractors provide adequate security to safeguard CUI that resides in or transmits through their IT networks from unauthorized access and disclosure.  In addition, contractors must rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including access to affected media and submitting malicious software.  If your business does not become and remain DFARS compliant, you will not be eligible to compete for DoD contracts.


Controlled Unclassified Information encompasses many different types of sensitive, but not classified, information. Personally identifiable information such as health documents, proprietary material and information related to legal proceedings would all count as CUI.


DFARS is the Defense Federal Acquisition Regulation Supplement that lists a minimum set of technology security standards for the basic safeguarding of contractor information systems that process store or transmit Federal contract information.


You own a HVAC business and you’re working on a series of buildings at Fort Meade.  The plans and schematics of that system is considered CUI and could be valuable to hackers abroad.  Those hackers know the government’s information systems are well protected.  They also know that your network is not held to the same standard.  They can and will attack your network to obtain that information.  DFARS compliance closes the loophole in the eyes of the Feds.


The set of minimum cybersecurity standards are described in NIST Special Publication 800-171 and broken down into fourteen areas:

  • Access Control Media
  • Awareness & Training
  • Audit & Accountability
  • Configuration Management
  • Identification & Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personnel Security
  • Physical Protection
  • Risk Assessment
  • Security Assessment
  • System & Communications Protection
  • System & Information Integrity

The details on each area are laid out in a 68 page document found here: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

We suggest working with a quality Managed-IT Service Provider on an ongoing basis which will:

  • Ensure you are DFARS compliant
    • Properly functioning firewall
    • Anti-virus and other security tools
    • Automatic software updates to your network
  • Provide 24/7 monitoring and maintenance of your systems
  • Establish a business continuity plan in times of disaster
  • Eliminate downtime
  • Maintain effective communications across your workforce
  • Create a technology map and plan for growth aligning technology with your business

Eliminate IT Frustration!  KNOW that you are DFARS Compliant!  Contact Certified CIO today!