DFARS Cybersecurity Audits: What to Expect
It’s getting real – the government is moving from self-reported compliance to external audits of a company’s cybersecurity posture, drilling deep to verify that company leadership fully understands the DFARS compliance measures that protect critical information.
As cybersecurity compliance becomes more top-of-mind and breaches become a common pit-in-the-stomach reality, the industry is learning an important lesson: An audit is not just a vague and unlikely possibility. It is happening to companies at almost every tier in the defense supply chain.
Could your company withstand an audit? How about your own supply chain?
We got insider information from a few companies that navigated the audit process – they shared their insights and words of wisdom to help you be prepared in the event of an audit:
Both business and technical leaders need to be deeply familiar with the 14 families of NIST 800-171.
Be prepared to go through your SSP and POAM, line-by-line and with enough detailed insight to provide articulate, persuasive justification of what your company does for each policy, requirement, and response procedure.
Demonstrate that cybersecurity vigilance is ingrained in your company culture.
Like a fire drill, every employee needs to know what to do in the event of a breach or compromise. More importantly, the tone for cybersecurity prevention, monitoring, response and remediation comes from the top – and auditors will be expecting it.
Training all levels of staff on cyber threats with an attitude of urgency and vigilance, and implementing an incident response procedure, create an internal culture that’s poised for optimal response. In one best-case scenario, a company hit with a ransomware attack was saved by a trained employee who quickly shut down the system, containing the threat, and contacted IT immediately.
Auditors will stick closely to your SSP and POAM as the structure for the audit.
You and your leadership team should know these documents inside and out and be prepared to show your company’s proof of progress and supporting technical tools for each of the recommended actions of the SSP and POAM.
Expect the bulk of the audit to be a one-on-one interview format.
The auditors will not inspect your network tools and configurations; rather, they will look at how your technical tools feed into your SSP and POAM. Demonstrating your company’s action and progress on your SSP and POAM is the true crux of the audit.
Be prepared to prove and demonstrate:
- What’s your incident response plan? Be prepared to provide granular detail on the technical components, policy, training and enforcement. If you can’t prove it, you’re at risk of failure.
- Demonstrate how your SIEM (security information and event management tool) is working. Are you keeping your logs for 90 days?
- How long do you store your backups? Business continuity and data-loss prevention will all be covered.
Not as far along in your POAM as you’d hoped to be?
Take advantage of this fair warning to shore up your plan and your cybersecurity posture. If you’re not yet compliant, you must be able to prove the actions you’ve been taking to show credible progress in the event of an audit.
How do you prepare your company for the possibility of an audit – even if you feel really far behind?
We love seeing this combination in action: CyberSaint’s CyberStrong platform coupled with the NeQter Compliance Engine. CyberStrong leads you through your risk assessment, building your SSP, POAM and policies as you go, while NeQter’s integrated set of required software tools (vulnerability scanning, SIEM tool, continuous monitoring and inventory management) satisfies the technical requirements of the NIST 800-171 guidance. We can say without reservation that this is the fastest and easiest path to compliance – with embedded expert guidance, recommendations, tools and monitoring to support you through the audit process.
Everyone could use help in putting DFARS Compliance into natural language.
The complex DFARS language can create an unnecessary burden on security teams of any size — first translating the requirements into actionable questions, and then being able to act and reach compliance. The CyberStrong platform makes the DFARS framework available in natural language as well as in the original NIST language. So, whether the compliance team has never conducted an assessment or is made up of seasoned cyber veterans, they can reach compliance as fast as possible with the greatest amount of understanding.
Your cybersecurity posture is going to be a key procurement requirement for winning the bid.
Your cybersecurity posture needs to be rock-solid not just to withstand an audit, but as a key procurement requirement for winning new government business. Expect your cybersecurity position to be just as important as cost and past performance in future contract bids.
Post-script: Once you are compliant, you need to take a proactive role to help your supply chain achieve and prove their own cybersecurity compliance.
According to Chris Lanen, Government Relations & Strategy Manager for Raytheon Integrated Defense Systems:
“The security protocol is only as strong as its weakest link. It’s critical that every company supporting our critical defense programs understand and embrace our roles in the collective mission. None of us want to be the weak link in the chain.”
Whether you want to see our solutions in action, or just to talk to an expert about how to interpret the newest version of the NIST 800-171 guidelines and the forthcoming DFARS audits, we’re always happy to help. Talk to us.