page contents ISO Transitioning specialists for the newest standards Risk
Phone: 703-586-3250
HomeISO StandardsTransitioningTransition FAQInstructionRiskProfilePerformancePartners

Risk Management, NIST 800-30, NIST 800-53, NIST 800-171, DFARS 7012
There is a new requirement for protection of IT systems for Government contractors that takes effect at the end of the year (NIST 800-171) with pretty severe penalties for non-compliance. 
Let us know which standard(s) you need assistance with?

ISO 9001

ISO/IEC 20000

ISO/IEC 27001
ISO/IEC 27017
ISO/IEC 27018

ISO 13485

ISO 14001

ISO/IEC 17025

OHSAS 18001

AS9100
AS9110
AS9120
I found it interesting that when NIST created it, they used ISO/IEC 27001 as a conforming document. It’s just the “confidentially” part of the standard, but Dr. Ross was pretty clear that getting ISO/IEC 27001 processes assured near compliance with the new rules.

Q: What are the compliance requirements for the FAR and DFARS?


A: DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting is directed for use in all solicitations and contracts. It requires contractors and subcontractors to implement, as soon as practical, but not later than Dec 31, 2017, the security requirements in NIST SP 800-171 on any internal/contractor’s information systems that process, store, or transit covered defense information. No new oversight paradigm is created through this rule. If oversight related to these requirements is deemed necessary, then it can be accomplished through existing FAR and DFARS allowances, or an additional requirement can be added to the terms of the contract. The rule does not require “certification” of any kind – by signing the contract, the contractor agrees to comply with the contract’s terms. It is up to the contractor to determine if his systems meet the requirements. The security requirements in FAR Clause 52.204-21, Basic Safeguarding of Contractor Information Systems, are effective June 15, 2016.


Q: How can I tell if CUI applies to me?


A: The DFARS clause is applicable when the effort involves covered defense information. Covered defense information is unclassified information that: 1) Requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies information, as described in the CUI Registry; 2) Is provided to the contractor or is collected, developed, used, or stored by the contractor, in support of the performance of the contract; and (3) Is marked or otherwise identified in the contract, task order, or delivery order. The clause is required for use in all DoD solicitations and contracts, and must be included in subcontracts for operationally critical support or which involve covered defense information

DOD
DFAR Subpart 204.73: DPAP Website

FAR 52.204-21, Basic Safeguarding of Contractor Information Systems

CUI Registry

NIST SP 800-30
​NIST Special Publication 800-30

NIST SP 800-53
NIST Special Publication 800-53A

NIST SP 800-171
NIST Special Publication 800-171

DHS CSET
DHS Cybersecurity Evaluation Tool

Request a Quick Quote today!
Click the Contact Us button below 
or email:

 steve@specaudit.com
Time is running out! Only 4 months to go.