It’s not enough for a company to be compliant with the NIST SP 800-171 Standard; its suppliers must be, too. If they are not, you could be in violation of the FAR and DFARS clauses invoked by the Department of Defense. (NIST is the National Institute of Standards and Technology.)
DFARS Cybersecurity Requirements state that all Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) had to meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.
DFARS provides a set of “basic” security controls for the contractor information systems on which this information resides. These security controls must be implemented at both the contractor and subcontractor levels, based on the information security guidance in NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The DFARS cybersecurity rules and clauses can be found at http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm
All control implementations are documented in dataCon’s System Security Plan and can be provided on request. dataCon has internally established a Governance, Risk Management, and Compliance Program to address all security controls and requirements. Distinct requirements that DFARS 252.204-7012 elaborates further, such as the Incident Reporting requirement to report via https://dibnet.dod.mil using a Medium Level of Assurance (MLOA) certificate, have been incorporated and addressed within our implementation of the NIST SP 800-171 Standard.
Relevant System Security Plan (SSP) and Plans of Actions and Milestones (POA&M) artifacts can be provided to the Contracting Office for any RFQ, upon request.
The security of all client and project data, whether or not covered by NIST requirements, is of paramount importance to us at dataCon, and we will do our utmost to protect it.