It’s been five months since the DoD issued their interim DFARS rule and provided updated guidance for how contractors must safeguard Covered Defense Information primarily through the implementation of NIST SP 800-171 controls. For those affected by these rules, and if not already completed, it would be prudent to review 800-171 immediately to gain an understanding of the controls, and begin defining an implementation plan. Contractors will need to determine what controls they will be able to fully implement themselves, what controls will need to be outsourced, and finally identify those controls where an alternative control method can be put into place.
To get an idea of where members are at, and to facilitate discussion, we would be interested to know where companies are at with their attempts to comply these new requirements. There’s no need to divulge sensitive internal information, just a general idea of where do you stand? Reviews complete? Implementation plan defined? Implementation plan budgeted for? Funded? A partial or full implementation? Let us know please.
