Blog   |   Compliance   |   June 13, 2017

The Journey to DFARS Compliance in the Cloud

As we mentioned in our previous post about DFARS compliance in the cloud, the time is now for organizations to begin taking steps to meet the requirements of NIST SP 800-171. On average, it will take an organization around six to eight months to become compliant,  depending on the organization’s current security model and the resources available to deliver the changes that are required.
This means that if you haven’t already, your organization must takes steps now to ensure DFARS compliance by December 31, 2017.
In this post, we’ll share an action plan for ensuring your cloud environment is safe and compliant according to the DFARS mandate.

Assessment and Planning for DFARS

It is important to remember to put controls in place for current systems and data, while taking into consideration the need to cover new systems and data as they are created—otherwise you may quickly find yourself falling just short of compliance.
As with most cloud initiatives, the key to success in your DFARS compliance journey is planning. Treat this as a project, and ensure you have the adequate resources and funding allocated. If treated as a side project, especially when added onto a regular workload, your compliance and security initiative will surely suffer. Side projects often don’t get the focus they need, or are neglected altogether, until crisis point is reached. In the rapidly evolving cloud landscape, this is a risk your organization simply cannot afford.

Successful projects follow four key stages:

  1. Gap Analysis
  2. Remediation Plan Creation
  3. Project Team Formation
  4. Control Implementation


1. Analyze Gaps

A few things to keep in mind for analyzing your organization’s starting point:

  • Who is the project executive sponsor?
  • What are the systems and data in the scope of DFARS?
  • Is there an existing data classification process in place?
  • What controls are currently utilized?
  • Do you have any third-party subcontractors that need to be in scope?

Armed with this information, you now need to compare it to the controls listed in NIST SP 800-171, and document the gaps between your current position and the expected end state.   

2. Create Remediation Plan

The remediation plan should cover the following areas:

  • Prioritized list of actions
  • Resources required
  • Estimated budget requirements
  • Review and tracking process for third-party contractors, if applicable
  • Timelines
  • RAID log

Having a structured delivery process will make the journey to compliance a lot easier, as it will ensure that resources are used effectively and provide a method for tracking information.  

3. Form Project Team

Once the remediation plan has been created, resources can be allocated to deliver the project. As part of this step, there should also be agreement on a reporting and communication process. This way, your team has guidelines for keeping key security stakeholders informed of progress and any issues that may impede successful execution.  
Resource Management is a crucial element of ensuring proper execution of DFARS requirements. Mismanagement of resources can lead to project failure, overtime, budget overages, which will lead to failure to meet the DFARS deadline.

4. Implement Controls

There are over 100 controls that must be in place to ensure compliance with NIST SP 800-171. These are broken out into the following main sections:

  • Access Control
  • Awareness and Training
  • Audit and Accountability
  • Configuration Management
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Personal Security
  • Physical Security
  • Risk Assessment
  • Security Assessment
  • Systems and Communications Protection
  • Systems and Information Integrity  

As the new controls are put in place, it is critical that they be validated to ensure that they work as expected and all teams understand their implications for day-to-day activities.
In some cases, you might not be able to implement some of the controls. If so, you need to identify:

  • Which controls
  • What compensating controls you can apply to mitigate the risk

You then need to obtain the agreement of your Contracting Officer.

Maintaining DFARS Compliance in the Cloud

Understanding the need for achieving and maintaining compliance can be overwhelming for organizations—that’s why CloudCheckr provides an automated approach to compliance assessment, alerting, and remediation. In fact, CloudCheckr supports compliance for over 40 of the 109 DFARS requirements. Additionally, best practice checks and self-healing automation help to enforce standards.
Security automation is a force multiplier; it allows your security and compliance teams to manage large volumes of systems in a consistent and compliant manner. It also reduces the chance of human error as it identifies common configuration mistakes that could impact the security of your organization.
In addition, AWS has several services that can be utilized to help you achieve compliance, including:


Security is an Ongoing Task

There is a tendency within organizations to focus heavily on the controls during the deployment phase. However, maintaining compliance is a constant undertaking. You must constantly ensure that new data and systems are adequately classified and that the correct controls are applied. Once DFARS has been implemented and business returns to usual, this level of diligence must be upheld to ensure the safety and compliance of your organization.
Utilizing the built-in capabilities of AWS and products such as CloudCheckr CMx Federal can be a powerful solution to to help ensure efficient deployment and maintenance of compliance requirements.
Get a CloudCheckr demo today to see how we can help your organization maintain security and compliance, while saving money on your cloud investment.