There are a lot of questions surrounding the upcoming DFARS requirements for DoD Contractors. What does it mean for your business? What happens if you're not compliant in time? To help guide you through the process, here are some questions and answers that you may need to know.
29. What regulation mandates NIST 800-171 outside the DFARS 252.204-7012?
Currently, the only document that mandates NIST SP 800-171 is DFARS 252.204-7012. NIST SP 800-171 is titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. It is a special publication derived as a subset of NIST SP 800-53 to apply specifically to nonfederal information systems; NIST SP 800-53 is the standard for securing federal information systems. Looking toward the future, it is expected that the FAR update (underway as GSA Case 2017-016) will extend NIST SP 800-171 as the standard for protecting CUI across the entire federal government.
30. So do all federal contractors using commercial Office 365 need to move to GCC? Does the same apply to Azure public as to Office 365?
Office 365 Commercial meets many of the requirements set forth in the DFARS 7012 clause. It is FedRAMP Moderate authorized, and it can be secured to the NIST SP 800-171 standard with the appropriate licensing, configuration and policies to back it up. However, there are specific subparagraphs within DFARS 7012 relating to incident management (reporting, preservation of media, and access for forensic analysis) that Microsoft does not provide support for within Office 365 Commercial.
31. Could the contract itself be considered CUI?
Yes, contract information can be considered CUI. This falls under the “Procurement and Acquisition” category of CUI. The description for that category is “Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs and direct labor rates.” You will need to determine whether any of the information provided to you as part of your contract includes content covered by 48 CFR 3.104-4 or 48 CFR 52.215-1(e). Some contracts will contain this type of content, but many others may not.
32. Is there a recommended minimum license to support NIST 800-171?
Yes, we do have a recommended minimum. Please see our DoD Licensing Guide.
33. How long does it take to convert to GCC from commercial Office 365 / Azure?
This is completely dependent on the size and complexity of your existing environments within Office 365 and Azure Commercial. It could be as short as a couple of weeks (after tenant availability) or as long as 12+ months. For GCC High, it is currently taking about 6 weeks from contract signature with Microsoft to tenant availability.
34. Is there a different timeline for ITAR compliance, and can small clients use the SSP/POA&M approach?
ITAR content is also CUI content, so the compliance timeline is the same. All DoD contractors with the DFARS 7012 clause must have an SSP and POA&M, regardless of size.