NIST 800-171 Self Assessment

DFARS stands for Defense Federal Acquisition Regulation Supplement.

Yes, if any of the following apply to you:
a) You are a Department of Defense government contractor.
b) Your company works with Covered Defense Information (CDI).
c) You have DFARS clause 252.204.7008 in your contract requirements.

CDI stands for Covered Defense Information.

This special publication of the National Institute of Standards and Technology provides 109 controls, derived from NIST SP 800-53, to address several deficiencies regarding the management and protection of unclassified information, such as inconsistent markings, inadequate safeguarding, and needless restrictions.

Unclassified Controlled Technical Information is information that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance”.

Incident reporting is required within 72 hours of discovery of a cyber incident that affects DoD UCTI.

Contractors and subcontractors can report a cyber incident by accessing the DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.

ITAR stands for International Traffic in Arms Regulations.

A cyber incident is “actions taken through use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.”

The deadline was December 31, 2017.

Failure to comply with DFARS may subject contractors to penalties either by the United States Government (e.g., criminal, civil, administrative, and contractual actions in law), or by people or private organizations impacted by related failures (e.g., actions for damages).