DoD’s New Interim Rule


DoD to DIB – Let’s See Your NIST 800-171 Score


Published:
Oct. 2nd, 2020

Have you been working on closing out your POA&Ms? If not, pay attention.

Since its arrival in 2017, the DoD has been frustrated with its inability to verify contractor compliance with NIST 800-171. Self-attestation, perpetual POA&Ms, and no risk of audits have provided little incentive to fully implement all 110 requirements of the framework, and everyone knows it.


In an unexpected act of bluff calling, the DoD has changed the rules again. Starting November 30, 2020, contractors and their subs will need to have a score representing their NIST 800-171 progress published in a federal database before contract award. Plus, the score needs to be accompanied by a date by which all requirements will be implemented. Gulp.

This change is embedded in a DFARS update being referred to as the CMMC Interim Rule. This is the DFARS mod that gives contractual teeth to CMMC and describes its five-year rollout.

NIST 800-171 Impact

Ok, a couple of things here that you’ll need to know about.

There’s a vendor report card system maintained by the government called the Supplier Performance Risk System (SPRS). The government will check this database to “verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.”

This “Assessment” refers to a score generated by performing a specific review of your 800-171 implementation as documented in your System Security Plan. “The NIST SP 800-171 DoD Assessment Methodology provides for the assessment of a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012.”

Let’s pause here and point out something pretty important. You need to have a System Security Plan to perform this assessment. Seriously. The methodology contains this statement:

“The absence of a system security plan would result in a finding that an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204-7012.”
      – NIST SP 800-171 Assessment Methodology Version 1.2.1 Annex A Comment 3.12.4

Don’t get caught lying about this one. You’ve got the whole False Claims Act thing to deal with now that you’re representing your progress to the government. If you still need an SSP, we can help.


Right. Now you’ve got your 800-171 score, and you need to actually get that score into the SPRS. “If the Offeror does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the Offeror may conduct and submit a Basic Assessment to webptsmh@navy.mil”. Details regarding what needs to be included in addition to the score (e.g. CAGE code) are found in the Interim Rule.

Good news

If you’re looking to save yourself an 89-page read and hours of work, you can use our 800-171 Scoring Methodology Tool for free. It also provides an email template with your results to submit to the DoD.


CMMC Impact

The interim rule has also brought about the long-anticipated CMMC clause: DFARS 252.204-7021.

The DoD is implementing a phased rollout of CMMC. Specific contracts (not all of them) will require offerors to achieve a specific CMMC Level. This won’t happen overnight. But, starting on or after October 1, 2025, CMMC will apply to ALL DoD solicitations and contracts.

What does this mean?
Well, CMMC is going to take time (at least 5 years’ time) to roll out to the entire defense industry. The DoD will gradually introduce the CMMC clause into specific, selected contracts over the next 5 years. But starting in October of 2025 you can expect to see the CMMC clause in every contract from the DoD.

So, while CMMC is absolutely headed this way, we still have roughly five years of NIST 800-171. Time to get that 800-171 SSP up-to-date and those CMMC practices implemented.


Is the Coronavirus Affecting the DoD and CMMC?

Published:
Mar. 25th, 2020


As the spread of COVID-19 (an infectious disease caused by a newly discovered coronavirus) continues, many are turning to the DoD with questions about how it will affect their day to day.

Will COVID-19 affect the DoD’s Rollout of CMMC?

The simple answer is leaning more towards no.

At this time, the DoD’s official stance is that training is to begin in mid-April. Chief Information Security Officer for DoD Acquisitions, Katie Arrington, told reporters that the training is to be held remotely using a variety of different channels (webinars, livestreams, teleconferences, etc.), which doesn’t differ from the DoD’s original plan to conduct most of its C3PAO training online. Arrington was firm in saying that the DoD wants to stay on schedule with the rollout while keeping the Coronavirus, and the safe practices used to combat it, in mind.


How is COVID-19 affecting the DIB?

The Defense Industrial Base as a whole is being held to expectations to keep design, production, delivery, and maintenance in motion. Ellen Lord (Undersecretary of Defense for Acquisition and Sustainment) issued a memo on Friday, Mar. 20th stating that DIB contractors are identified as a Critical Infrastructure Sector by the Department of Homeland Security. With this in mind, contractors are expected to keep normal hours and continue to keep our nation’s security a top priority.

This isn’t without its fair share of limitations, though, and the Pentagon is aware of that. In an effort to increase cash flow to its small and large business contractors, the Pentagon has increased progress payment rates and is actively working to expedite payments and modify contracts.


How the DoD is Assisting

While the various branches of the Department are not equipped to treat Coronavirus patients themselves, they can assist overwhelmed hospitals and hot spots by treating those not infected with COVID-19, freeing up the care facilities that are equipped to do so. The Navy is doing just that. Jonathan Rath Hoffman, Assistant to the Defense Secretary for Public Affairs, went on record Wednesday, Mar. 18th saying that the USNS Mercy and USNS Comfort were beginning preparations for deployment to major cities that needed space freed up in local hospitals. New York has been determined as one of the cities that will receive this aid (via the USNS Comfort), while Los Angeles will house the USNS Mercy.

Similarly, the United States Under Secretary of the Army, Ryan McCarthy, said on Tuesday, Mar. 24th that he has ordered three field hospital units to be deployed in Washington state and New York. Typically, the units are equipped to treat sick and wounded soldiers, but they will be deployed to free up space in hospitals and care facilities for Coronavirus victims.

The Air Force has been assisting in a different way. On Monday, Mar. 23rd, five hundred thousand COVID-19 testing kits were flown from Italy to Memphis, TN. The kits included swabs to collect samples and a liquid test medium to place the used swabs in. These tests are being deployed, and the Air Force has plans to continue the distribution of test kits in the upcoming days.


Staying informed is important during this time. For COVID-19 related updates, visit https://www.cdc.gov/coronavirus/2019-ncov/

For more news and updates on CMMC, keep an eye on our blog.


How Mobile Devices Can Complicate NIST 800-171

Published:
Apr. 18th, 2019

NIST 800-171 has a variety of requirements that are meant to ensure that sensitive information that resides on a contractor’s system remains protected. One set of requirements mandates that mobile devices follow information security protocol in order to guard against a breach. This requires contractors to devise and apply a solution so their employees do not have to carry a separate device for work matters. The good news is there are solutions available that allow employees to work on their own phones.

An organization cannot simply allow users to connect to its system from their own mobile device. This would leave the information housed on the system ripe for hacking. Mobile devices can carry malware which can infect the employer’s information system. In order to prevent this, there must be multi-factor authentication and other strong security protections in place before an employee can access controlled unclassified information from their mobile device. In the past, this was extraordinarily difficult to accomplish.

Now, much of the focus of securing this information is on the data itself as opposed to the device, allowing users to bring their own device. This is done through a containerized workspace that can completely separate business data from personal data. This segregates the personal functions on the phone and keeps them entirely walled off from the business functions, allowing employees to access work information without being exposed to anything originating from the personal side.

Still, not every type of architecture can satisfy the mobile requirements of NIST 800-171. There must be an effort focused on making this data difficult to access. In other words, a user should not be able to simply pick up their mobile device and immediately access any sensitive information they wish. Companies should consider biometrics and password management solutions in addition to multi-factor authentication. These should be used in conjunction with 256-bit encryption to protect the sensitive data, allowing for a secure solution that can be integrated with a user’s own device.

When this system is successfully in use, the information will be compartmentalized on the employee’s device. Should they no longer need or have permission to access the data, it can easily be removed from the user’s device without affecting anything else housed on the device. Ensuring a physical partition on the mobile device is one of the only ways that will permit companies to allow employees to use their personal devices for work. Outside of that, the company will have to provide not only the device but will also have to pay for a monthly service for its employees.

It is imperative that users apply the same cybersecurity principles and rules to mobile devices. NIST 800-171 demands it, and if contractors do not follow these cybersecurity standards, they will eventually be out of the government contracting business. Should their networks be breached from a mobile device, the contractor will face serious business and reputational consequences. For more information about NIST 800-171 requirements, contact ComplyUp.

Symantec Contributes to NIST 800-171 Compliance

Published:
Apr. 9th, 2019

Much of the United States’ response to the cybersecurity threats facing the nation is a result of coordination between companies and other entities. The underlying assumption is that when information is shared, there is a more effective response to the threats. With that in mind, the Department of Defense initiated the Defense Industrial Base Cybersecurity Program. Recently, Symantec, an industry leader in cybersecurity, announced its plans to join the program.

The DIB Cybersecurity Program is a public-private partnership that provides participants in the program with classified and unclassified information regarding potential threats. In addition, participants also receive best practices regarding information assurance to assist them in their own cybersecurity efforts. By participating in this program, contractors can receive the information necessary to help them exercise better situational awareness with regard to any threats that could potentially compromise the information that is on their systems. At the same time, the participants in the program can share information that they have learned through their own cybersecurity efforts. While companies have their own proprietary processes, the information that they feed into the program can help improve the overall national cybersecurity defense effort.

The DIB Cybersecurity Program is not open to every contractor. In order to join, a contractor will need to have security clearance, the permission to view classified information, and the clearance level to view the particular type of information that they are seeing. While compliance with cybersecurity standards is mandatory, participation in the information-sharing program is voluntary. For this particular program, contractors put their profit motives aside in order to cooperate for the greater good. The program operates under the theory that cooperation works best to protect vulnerable information systems.

Symantec is one of the larger information security companies in the United States. The company has 123 million attack sensors and 175 million protected endpoints at its disposal. Its participation in the program is seen as bolstering cybersecurity defense since there is a national interest in strengthening a large cybersecurity contractor. At the same time, the information that Symantec can share will aid national security since it is one of the companies that is best positioned to learn of new cybersecurity threats as they emerge.

Symantec has been active in providing solutions that assist with NIST 800-171 compliance, which are cybersecurity standards with which companies must certify their compliance in order to do business with the federal government. They are aimed at protecting sensitive information that is housed on contractors’ business systems. Compliance companies such as ComplyUp have been helping government contractors implement the requirements of these standards and can help these contractors stay on top of necessary developments.

The NIST standards have been one of the latest moves in a growing federal government effort to combat the myriad of cybersecurity threats facing the country. Recent examples of hacks have exposed the vulnerability of many information security systems. As a result, cybersecurity defense has been a major priority of the Trump Administration.

Data Breaches Can Be Far More Costly Than Compliance

Published:
Mar. 20th, 2019

A data breach can be a business’ worst nightmare. The costs of a breach are substantial and can have a negative effect on both the reputation of the company and economically as a whole. Not only are data breaches embarrassing and angering to those who had their information compromised, but there may also be some regulatory liability for a business that is hacked, especially if the measures taken to protect the information were not stringent enough.

A recent study has demonstrated the costs that are associated with data breaches. This study pegged the cost of the average data breach at $3.8 million, and this does not even factor in the costs for the large data breaches in which millions of records have been stolen. The costs associated with these hacks result from a variety of different measures that businesses must take when they learn that their systems have been penetrated.

The first thing that a business must do once it learns of a data breach is to contain it. This requires intensive activity, and containing the hack, unfortunately, does not happen overnight. Instead, it can take businesses months to secure their information systems again. Until a business can get control of a situation, countless hours of overtime may be necessary, and the costs for this can add up fast. In addition, there are steep legal costs too, as there are a variety of threats in that area in the wake of a data breach as well. The regulators will come fast, and legal help is necessary to deal with most of these inquiries.

Data breaches will almost assuredly cost companies some business. If the client is the federal government, the fact that there was a data theft in a previous contract could affect the company’s ability to get new contracts in the future. In the event that private clients have their information stolen, they will also be extremely hesitant to trust that company in the future. Unfortunately, much of a business’ value comes from its brand and a data breach will surely tarnish that brand.

It behooves companies to make sure that they follow the applicable cybersecurity standards. By protecting their information systems, companies stand a better chance of avoiding a large-scale hack that can place their future business at risk. The NIST standards that have been made mandatory by the DFARS provide a starting point for companies that want to secure their networks. By complying with NIST 800-171, businesses can point to tangible efforts they have made. Hackers are determined and may still have the ability to penetrate a network, but a business that is compliant with the rules can point to the efforts it has made to protect its networks, which can help placate regulators and the federal government customer(s) if a data breach does happen.

Compliance solutions for NIST 800-171 can help contractors in their efforts to make sure that their systems are protected. An investment made today on the front end will not only help a contractor keep its contracts, but can also save it from costly issues that may arise in the future.

Maryland Now Offers Defense Cybersecurity Assistance Program

Published:
Mar. 9th, 2019

Maryland-based DoD Contractors who use ComplyUp’s DFARS/NIST 800-171 Compliance Solutions may qualify for financial assistance through The Maryland Defense Cybersecurity Assistance Program (DCAP).

Defense contractors are prevalent in the areas surrounding Washington DC, particularly Maryland and Virginia, and have a large impact on the economy, as they amount to a sizable proportion of the tax base in these areas. In fact, defense contractors in Maryland have $57 billion of economic impact annually.

To ensure businesses continue to grow and become profitable, the State of Maryland is now providing contractors with assistance in complying with the new DFARS cybersecurity standards, administering a program to distribute federal grant dollars to local contractors to help them become compliant with these rules.

Compliance with these standards is an existential issue for those that do business with the federal government. If these businesses fail to account for and follow these new rules, they will lose the ability to get new contracts and even keep their existing ones. As a result, it is in Maryland’s best interests to help its contractors remain in business. If Maryland contractors can no longer do business with the federal government, the work will simply migrate to other states and Maryland will become less competitive.

The new program is administered by a public-private partnership that is aimed at supporting the defense contracting industry in Maryland, and is run by the Maryland Defense Cybersecurity Assistance Program. Specifically, this program is funded by the Maryland Department of Commerce and is run by the Maryland Manufacturing Extension Partnership. This partnership counts both state government agencies and industries as its members.

There are three different types of grants available. Contractors can receive assistance for NIST 800-171 gap analysis, remediation, or tools, hardware and software services.

The program itself imposes requirements on who is eligible to participate. First, contractors must have a physical location in the State of Maryland. They must also derive at least ten percent of their revenue from work related to the Department of Defense. Alternatively, they should have a procurement request for compliance with the DFARS rule. The program is funded by the Department of Defense’s Office of Economic Adjustment and is administered by the Maryland state government.

Compliance with these rules is a pressing issue for contractors who not only have to follow the standards themselves, but also make sure their subcontractors are in compliance. Since the money that funds this program comes from the Department of Defense, there are similar programs in other states, such as Indiana and New York. Each program has its own specific rules for participation unique to that particular program.

For contractors, these new rules present a challenge that can be costly and time-consuming. Government suppliers are better off if they can take advantage of every resource available to cut their own costs of compliance with the NIST standards. By fully complying with these requirements, contractors can maintain their business with the federal government.

NIST 800-171 Isn’t Just a Regulation, It’s Smart Business

Published:
Feb. 20th, 2019

Getting NIST 800-171 Compliant isn’t just about satisfying a regulation, it’s smart business. Hacks can come from anywhere and target anyone. Not only can your business get in hot water with the government for failing to be compliant, you could be in an even bigger mess if a hack is the result of negligence on your part.

Recent hacks of systems belonging to United States companies have validated the reasons behind the new cybersecurity rules that contractors must follow in order to do business with the United States Government. Foreign nation-states have been behind several large-scale hacks and have managed to penetrate the systems of several contractors. While the NIST standards and DFARS rules have been in effect for some time, contractor information systems are still at risk of foreign penetration efforts.

Several high-profile intrusions and information thefts caused a change in the way that the government views its information and the contractors whose information systems house it. While the government must take pains to protect sensitive information, contractors were not subject to standards for their own systems, even though they could function in the same role as the government. This changed with NIST 800-171 which contained cybersecurity standards that contractors must follow. These are requirements for anyone hoping to obtain or keep a contract with the federal government.

Even with the new rules, problems still abound. Hackers from China have been active in trying to access contractor systems. In some instances, they have been effective. It has been reported that Chinese hackers have accessed the systems of numerous contractors who do business with the United States Navy. In addition, when the computers belonging to Marriott Starwood were breached, the hackers gained access to information about movements of United States Government personnel.

Even though there are new standards in place, the risk of cyber attacks has not gone away. If anything, hackers associated with nation-states are doubling their efforts to gain entry to sensitive information stored on contractor business systems. While the effective date of these standards has passed, there are still many issues because not every contractor is in full compliance yet. Further, every subcontractor must also comply with these rules. Oftentimes, these subcontractors are smaller entities that have trouble mustering resources to fully comply with these rules. Eventually, the contractors will be held responsible for the errors of their subcontractors because the onus is on them to make sure that they enter into subcontracts with those in compliance. In essence, hackers are doing what they can to test the systems of contractors, knowing that they may still not be fully compliant with new cybersecurity rules.

The threat and the intrusions are not limited just to Navy’s contractors. The Department of Defense has its own vulnerabilities that China and other nations are trying to exploit. Even information pertaining to ballistic missiles is at risk of being misappropriated by foreign entities.

To the extent that contractors can take steps to protect their information systems, they must do so. Not only do contractors have an obligation to the government with whom they transact, but taking vigorous steps to enhance cybersecurity is also a good business practice. Cyber breaches are both costly and embarrassing and many businesses have trouble surviving the hit to their reputation if their laxness leads to a large-scale theft of information from their systems. Compliance solutions can help companies take steps to shore up their systems.

The Importance of Having a NIST 800-171 Compliance Checklist

Published:
Jan. 20th, 2019

Why a Checklist Helps Solve NIST 800-171

The requirements that are imposed by NIST 800-171 are extensive and leave little room for error on the part of the government contractor. One mistake is all that it takes to leave controlled unclassified information vulnerable when it resides on a contractor’s system. Possible consequences for non-compliance include the potential loss of all government contracts and debarment as a government contractor. Given the possible repercussions, compliance with these requirements becomes an existential issue for businesses.


Knowing how high the stakes are, contractors must consider the best way to comply with these rules. Without the proper planning and foresight, critical aspects of compliance may be missed. Since compliance is a process that proceeds in multiple steps, it may make sense to plan out the steps before they occur and monitor them as they are being executed.

Don’t Miss a Step

When going through a large systemic change such as NIST 800-171 compliance, it is easy to miss a step or even a small detail. Since everything flows together, even the smallest of details can trip up the unsuspecting contractor. The rule requires 110 different areas of compliance across 14 different categories, so there is plenty to track.

With that in mind, contractors should consider drawing up a NIST 800-171 compliance checklist. This will keep the business organized and ensure that they do not lose sight of any critical steps when it comes to meeting the obligations of these rules. This checklist should break compliance steps into every piece of action that must be taken and should be composed ahead of time and updated as things change.

Prepare Beforehand

Before a contractor even draws up a compliance checklist, they should scrutinize each of their contracts to understand what the cybersecurity requirements are. There could be additional requirements beyond those which are required by NIST 800-171. These would be contained in various contract clauses that are included in each contract. Contracts with the Department of Defense will include the DFARS clause that makes NIST compliance mandatory. Contracts with non-DOD agencies may have other requirements.

A sound NIST 800-171 compliance checklist will involve the identification of all relevant areas. Each specific area will be categorized and assigned a baseline control. Each baseline control should be tested. In addition, the checklist should state how each area will be continuously tested. Further, the compliance checklist will set forth the meaning of each requirement next to the requirement so everyone is clear on what the requirement actually means.

Be Organized

Organization and preparation are the keys when compiling a NIST 800-171 compliance checklist. If everything is coherently enumerated ahead of time, compliance with the cybersecurity rules will be a matter of executing a previously planned set of events. It is the foresight and the planning that will make this a smoother process. Contractors are already intimidated enough by these extensive new mandates, and any hint of disorganization will only make a difficult process worse. Compliance solutions from a NIST 800-171 expert can help your business better devise a checklist that will make following these new rules easier.

Updates on Securing Controlled Unclassified Information

Published:
Jan. 9th, 2019

Big changes are on the way when it comes to controlled unclassified information. There is an amendment to the Federal Acquisition Regulation that will apply certain requirements for security to contractors outside the Department of Defense. Additionally, some of the underlying requirements may be changing because more stringent cybersecurity measures may be required by government agencies.

NIST CUI Updates

The new government contracting rule addresses how contractors deal with CUI. This involves information that is sensitive, but not considered to be classified. Federal government contracts will need to include a provision that dictates how contractors will dispose of CUI that they gain in the course of performing their government contracts. The new rule will also include provisions for safeguarding and marking of CUI. The FAR case is based on a rule that was issued in 2016 and applies to the executive branch. Now, it will be required to apply to contractors as well.

Since this new rule will be in the FAR, it will be a factor in whether contractors are eligible for award and whether they have complied with their contracts. Government agencies will likely have to make this clause mandatory in all of their contracts that are signed. Cybersecurity may also well become an evaluation factor in many contracts that involve the use of information systems.

Optional Cybersecurity Measures

NIST 800-171 serves as the basis for this rule. It requires “adequate security” for the information. However, NIST 800-171 will soon be changing. Agencies will be able to prescribe that contractors follow even more stringent measures to protect CUI. “Adequate security” will simply be the baseline, but agencies may be able to ask for more, and contractors will need to comply. Contractors could choose to implement this level of security on their own, even if they are not required to do so by the agency.

NIST 800-171 provides the bedrock principles and protection measures when dealing with CUI. However, this area is rapidly changing as the regulatory agenda moves towards greater cybersecurity protection. Those who do business with the federal government can expect further continued evolution in this area.

Government Assistance

As the new rules take hold and more entities within government assert their right to audit contractors for compliance, there are many issues with figuring out who the proper entity is to conduct the audit. Without a single unified regulator, contractors could be aiming for compliance with different targets. Multiple regulator authority often creates unnecessary confusion. There will likely be a single entity in the future to assess compliance with these rules. Currently, contractors certify their own compliance and then are subject to audits. In the future, there will be more clarity about the process, especially when audits are conducted by a single federal entity.

Given the rapid changes in cybersecurity requirements when dealing with the federal government, your business is best off getting as much help as possible. There are NIST 800-171 compliance solutions available that can help your business keep track of and meet these ever-changing requirements.

NIST 800-171 Consultant Alternatives

Published:
Dec. 20th, 2018

In the wake of the effectiveness of NIST 800-171 and its incorporation into the DFARS, you may be wondering how your business can best comply with the new requirements. Whatever compliance method you choose, the stakes are very high for your business, as failure to comply with these requirements can have dire consequences, such as the loss of contracts with the Department of Defense. Still, you do not want a solution that will cost too much and render your business unprofitable. The process that goes into choosing a compliance solution can be difficult. For some, it may make sense to hire a consultant but for many, this is too pricey of an option.


There are generally three routes contractors choose from: hiring a consultant, doing it themselves, or using compliance software.

Hiring a NIST 800-171 Consultant

While a consultant may have some helpful benefits for your business, they are not always the best. Essentially, you will have to weigh the benefits that a NIST 800-171 consultant can provide versus the costs that are involved in hiring that consultant. These consultants can be pricey and the costs do add up quickly. Many of the businesses that are figuring out how best to comply with the new requirements are small businesses and may not be in the best position to pay the consultant’s hourly rate. In the end, costs can be in the tens of thousands.

Do-it-Yourself DFARS Compliance

At the other end of the spectrum, you can try to do it on your own and avoid as many costs as possible. While employing a do-it-yourself solution is always going to be the cheapest option, it may not always be the most cost-effective. These new requirements are very involved and require multiple precautions to be built into your information systems. This, of course, will require the investment of your time, and as you know, time is money. Given the importance of this area, this is not a place where you can afford to fail. There are many risks that go along with attempting to do this on your own. Not to mention, it can be easy to make mistakes and have the process take even longer.

DFARS Compliance Management Software

The middle road between do-it-yourself and hiring a consultant is using a guided process. This was why we created ComplyUp, a Compliance Management Platform to guide you through the process of getting compliant. When you use our system, you get the benefits of a consultant with the cost savings of doing it yourself. We ensure you are not left to your own devices in regards to DFARS compliance, and you pay a fraction of the cost of hiring a NIST 800-171 consultant. Our software is programmed with the knowledge to walk you through the compliance process step-by-step. When you use the software to achieve compliance with NIST 800-171, you save both time and money. In other words, you get the best of both worlds.

Our solution can help take the worry out of what is a very stressful area for many contractors. Because the product is a software platform, you are never left alone in securing the CUI that may be on your servers. Our system will be able to help you assess the environment, figure out the steps to take, and document the results in a System Security Plan. This is everything that a consultant would do for you but at a fraction of the cost. At the same time, you will also not be spending valuable time trying to figure out everything on your own.