Category: DFARS 7012

Posted on by

Business Operating Policies Enable Compliance

business operating policies for cyber security

Compliance with the security controls described in NIST SP 800-171 Revision 1 and DFARS Clause 252.204-7012 is required for organizations doing business with the U.S. Federal Government that involves the transfer, storage and processing of controlled unclassified information (CUI) and/or covered defense information (CDI).

Compliance is a Process

In our modern information technology world, it is easy to buy an application or service that purports to solve our problems. In some cases, these solutions may get the job done, or come very close. Others may be outright misleading. As with anything, the truth is often somewhere between and buried in the details. It is important, therefore, to expend due diligence and resolve the truth. Often, this requires resources that not all small businesses have on staff or easily accessible. In these circumstances, a partnership with someone with the right expertise goes a long way.

Policies Help Meet Compliance Objectives

The measures and controls outlined in the relevant NIST and DFARS references are not all related to technical measures, applications or devices. Some are more the providence of business operating policies and procedures that must also be defined, enacted, and enforced. Two of the NIST control families can be used as examples in this discussion: 3.3 – Awareness and Training; 3.10 Personnel security.

The awareness and training family discusses the need to ensure personnel using information technology (IT) systems receive appropriate instruction regarding the cyber threat environment, their roles in protecting CUI and CDI, and the actions they should take to help protect the organization and information. Certainly, there are services that provide this type of instruction. Assured Bridge offers this service as well. But, in addition to just having the services, reporting and auditing must be accomplished to validate both the program and participation by the team. This requires organizational leaders to both ensure the team is aware of and completing their training, and that the training is fully appropriate to the risk and threats that may be faced. Ensuring these responsibilities are met must be outlined in an appropriate policy to which the team is bound.

The personnel security family, too, evidences the need for appropriate hiring and staffing policies to ensure employees meet the security requirements for handling of CUI and CDI. There are services that can assist in finding and vetting qualified personnel, but the standards, training and qualifications must be set by the organizational leadership. A personnel and staffing policy is a great way to ensure the team is aware of these needs, and can be used as a ready-reference for decision makers in the selection and hiring processes.

Assured Bridge

At Assured Bridge, we’re gathering, developing and refining appropriate policy templates to assist our customers in meeting the compliance objectives of NIST SP 800-171 and DFARS 252.204-7012. These policy templates are intended to supplement and support the technical controls necessary to meet the security and protection requirements inherent in government contracts.

Image credit: http://alphastockimages.com/

Posted on by

NIST SP 800-171 and DFARS Clause 7012

NIST SP 800-171 & DFARS Clause 7012 .

New Cyber Security Regulations

For small businesses planning to business with the U.S. Government and Department of Defense, new cyber security and incident reporting rules will apply. The rules can impact your contract work and the data sent, received or created as part of those efforts. These rules are primarily codified in the National Institute for Science and Technology Special Publication 800-171 Privacy Controls for Federal Information Systems and Organizations and Clause 252.204-7012 to the Defense Federal Acquisition Regulation Supplement.

Continue reading NIST SP 800-171 and DFARS Clause 7012