Assist a major defense contractor (client) based in North America to become compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) NIST SP 800-171 reporting requirements.
Challenges & Needs
The client had no prior experience with compliance reporting to the Department of Defense (DoD), as the DFARS NIST SP 800-171 framework was new to all DoD contractors throughout North America. Additional challenges included the following:
- Missing corporate compliance culture: Other than performing an informal risk assessment five years ago, the client had no formal exposure to federal regulatory compliance. As a result, senior I.T. and operational staff had no prior experience in performing any type of compliance assessment, such as collecting audit evidence, working with third-party assessors, producing compliance reports, and more.
- Antiquated information security policies and procedures: Information security policies and procedures existed, yet they were old and had not been updated in years, essentially rendering them ineffective for any type of meaningful mapping to the NIST SP 800-171 standard. When asked what initiatives were in place for updating their InfoSec documents, the client expressed little interest in doing so, primarily due to a lack of manpower and policy-writing expertise.
- Inadequate security and operational controls: Along with weak security documentation, the client had notable deficiencies in critical security and operational controls when mapped against the NIST SP 800-171 framework.
- Missing security & compliance tools and solutions: NIST SP 800-171 compliance required implementation of various tools, such as two-factor authentication, File Integrity Monitoring (FIM), data marking/tagging solutions, and more – none of which the client had in place. Additionally, the client had little knowledge of which vendors to reach out to and how to install and configure the solutions.
- No project management experience for regulatory compliance: None of the internal I.T. and operational staff had a history of managing a federal compliance engagement. Because federal compliance is often a complex and arduous undertaking, the client was unprepared for meeting its rigorous demands. They needed help!
FLANK brought in a team of highly specialized Department of Defense (DoD) compliance professionals with years of defense experience; consultants ready to roll their sleeves up and dig deep in helping clients. In less than three weeks, FLANK’s talented group of DoD and cybersecurity professionals achieved the following:
- Successfully defined project scope, including roles and responsibilities for all internal personnel at the client.
- Identified gaps and deficiencies within the client’s control environment, offering expert recommendations on remediation and next-steps.
- Initiated contact with seven major software vendors, allowing our client to choose the best products for their operations.
- Developed over 200 pages of all-new information security policies and procedures documentation.
- Conducted in-house security awareness training.
- Established and put into operations an all-new cyber incident response and reporting program as required by the DoD.
- Established contact and strong working relationships with all in-scope third-party vendors (i.e., managed security services providers).
- Implemented a true compliance framework in accordance with DFARS NIST SP 800-171.
- Developed all required information security policy documentation.
- Successfully remediated all technical and security controls that previously had notable gaps.
- Issued System Security Plan (SSP) to client, allowing them to showcase compliance to the Department of Defense (DoD), and to other prospects as evidence of internal control compliance with NIST SP 800-171.
- Put in place a corporate culture that now understands, respects, and truly values the concept of information security.
- Developed and implemented a highly respected regulatory compliance framework with formalized and well-documented internal controls.
- Successfully met the rigorous DoD compliance requirements of DFARS NIST SP 800-171.
- A company that truly embraces a “security first” mindset in everything they do.