LeveL5Cyber

Define the Risks
Defend the Assets


DFARS

The LeveL5Cyber process

Building upon the DoD Assessment methodology, the LeveL5Cyber team offers more than a century of combined field experience working with assessments and regulatory compliance requirements. Our mature processes can help you define the scope of the assessment, identify the appropriate stakeholders and proper documentation for review and conduct in-depth workshops with interviews to baseline the current cyber posture. The LeveL5Cyber team can draft the SSP while identifying compliance gaps and the artifacts needed for evidence and work collaboratively with your key resources to finalize the deliverables and the out-brief presentation.

  • Easily schedule assessment interviews
  • Review and document areas within your existing documentation
  • Conduct in-depth workshops to baseline your environment and interview the appropriate subject matter experts
  • Draft SSPs and POAMs (gap analysis)
  • Review the draft SSP and POAM with your organization to incorporate your feedback
  • Deliver a final version of the SSP and other additional artifacts
  • Perform an Executive out-brief session to educate other members, as noted by you, of the activities and actions
  • Identify key areas of success and key areas in need of growth

Your Risks

Organizations that work directly with the DoD, including through a Prime, and have non-federal systems that store, process, or transmit CUI are required to adopt and comply with the mandated Defense Federal Acquisition Regulation Supplement (DFARS) NIST SP 800-171 security controls, or they risk losing the opportunity their business depends on: supporting the DoD’s critical supply chain. The LeveL5Cyber DFARS Assessment provides organizations with an understanding of their current posture in terms of adhering to the DFARS requirements. Our assessment clearly identifies gaps in compliance, provides actionable recommendations for closing those gaps, and moves the organization significantly forward in its preparation for the soon-to-be required Cybersecurity Maturity Model Certification (CMMC).

Cybersecurity threats are constantly evolving and target all industries. Use of third-party software, cloud computing, and most recently, a remote workforce, has left many businesses vulnerable. Companies have fallen victim to phishing and ransomware. These attacks can have catastrophic business implications, which is why it is critical to maintain an effective cybersecurity plan that matures as your company grows and as threats evolve.

Our Roles

Risk reduction and avoidance are the foundation of an effective cybersecurity program, and achieving DFARS compliance is an important step. Leverage our deep expertise to help your company not only reduce the risk of a cyber threat but also achieve and maintain DFARS compliance, so you avoid losing the opportunity your business depends on: supporting the DoD’s critical supply chain.

Where do you want to be?

Organizations that work directly with the DoD, including through a Prime, and have non-federal systems that store, process, or transmit CUI are required to adopt and comply with the mandated DFARS NIST SP 800-171 security controls. This is the minimum required level of cybersecurity, though many organizations strive to strengthen their cybersecurity posture beyond these mandates. Performing regular DFARS assessments helps provide assurance that the organization has not fallen out of compliance. In addition, regular assessments produce an ongoing method for measuring improvements and identify where efforts should be focused for each upcoming year. Furthermore, with the upcoming mandate of the Cybersecurity Maturity Model Certification (CMMC), which requires an authorized third-party auditor to validate the implementation of the NIST SP 800-171 controls, a Level 3 maturity rating must be achieved if the organization has a need to protect CUI data. CMMC Level 3 is made up of the same 110 security controls as DFARS compliance plus an additional 30 controls. Continuous elevation of your cybersecurity maturity will not only allow you to continue bidding on DoD contracts and RFPs, but also significantly reduce the organization’s risk and exposure.

What's the value of DFARS?

The benefits of complying with the DFARS NIST SP 800-171 security controls are abundant. Conversely, DFARS non-compliance may result in the organization’s inability to bid on DoD contracts, potentially losing a significant amount of business. LeveL5Cyber’s DFARS-experienced team can assist your business leaders by identifying potential compliance gaps and supplying an actionable plan that is the foundation of the POAM. Our mature methodology can produce a repeatable process to measure ongoing improvements, along with the required SSP, and simultaneously provide a foundation and confidence for achieving CMMC certification. Once CMMC certification is mandated, this will reduce the time and effort required of your team.

What is DFARS?

The LeveL5Cyber team partners with your organization to review the scope of the assessment, analyze the applicable internal documentation, assist with identifying key stakeholders and work with those stakeholders throughout the interviews and other activities. The results are a completed System Security Plan (SSP) and gap analysis for areas of non-compliance in the SSP, which serves as the foundation for the Plan of Actions and Milestones (POAM). Artifacts for evidence are identified for each of the applicable security controls, providing the basis for what is needed for potential future audits. As the CMMC mandates approach, the deliverables from the DFARS Assessment may provide approximately 85% of what is required for the CMMC Level 3 certification, minimizing the efforts necessary for the audit.

  • The DFARS (Defense Federal Acquisition Regulation Supplement) requires Defense contractors to comply with specific cybersecurity requirements detailed in NIST SP 800-171.
  • If a contractor is non-compliant with the NIST cybersecurity controls outlined in the cyber DFARS clause 252.204-7012, then the contractor must notify the DoD within 30 days of contract award of the areas of non-compliance.
  • Contractors required to implement NIST SP 800-171, in accordance with the clause at 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, are required at the time of contract award to have at least a Basic DFARS Assessment that is current.

Who developed DFARS?

DFARS stems from the Federal Acquisition Regulation (FAR), which is the set of regulations that govern all acquisitions and contracting procedures in the federal government. DFARS is the supplemental set of requirements specific to the DoD’s acquisition and contracting activities. These supplemental regulations were mandated for all organizations that process, store, or transmit Controlled Unclassified Information (CUI), covering nearly all organizations that do business with the DoD, and require the adoption of the NIST SP 800-171 security controls. The organization’s self-attestation of DFARS compliance, along with a completed System Security Plan (SSP), is required to continue doing work for the DoD when contracts include DFARS clause 252.204-7012.

Defense Federal Acquisition Regulation Supplement FAQ

DFARS provides a set of security controls to safeguard information systems where DoD data resides. Based on NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations”, manufacturers must implement these security controls through all levels of their supply chain.

Each organization’s cybersecurity resources, capabilities, and needs are different. The time to evaluate and implement DFARS compliance will vary among organizations, ranging from as short as a few weeks to several years.

All DoD contractors that process, store, or transmit CUI must meet and maintain DFARS minimum security standards or risk losing their DoD contracts. Although no regulation specifies how often a review of cybersecurity posture is required, the baseline state should be evaluated at least annually.

Compliance with DFARS requirements protects DoD information from vulnerabilities when it is removed from secured storage. Any company with a DoD contract that includes a DFARS clause is at risk of losing that contract if it is not compliant.

The purpose of DFARS compliance is to protect CUI on non-federal systems. By maintaining DFARS compliance, your company is proving its capability to protect federal information in the supply chain. DFARS standards list 110 security controls that provide an indication of an organization’s cybersecurity maturity.

An organization must complete a self-attestation of DFARS compliance, along with a completed System Security Plan (SSP) to continue doing work for the DoD when contracts include DFARS clause 252.204-7012. LeveL5Cyber’s DFARS-experienced team can assist your business leaders by identifying potential compliance gaps and supplying an actionable plan that is the foundation of the POAM. Our mature methodology can produce a repeatable process to measure ongoing improvements, along with the required SSP, and simultaneously provide a foundation and confidence for achieving CMMC certification.

Contact LeveL5Cyber

Executive Vice President for Strategy

Anthony Morrone

Executive Vice President for Delivery

Michael Piccalo


Mike Moten

Senior Director

Marianne Swarter

North American Director, Strategy Development

Dan Callahan


Our team is listening.