Since the publication of the regulations, some defense contractors have struggled to define how to comply. Is there an assessing or auditing entity in the government? Is there a “passing” score? Can I be certified as compliant? All of these questions remained somewhat unanswered, and it was up to each organization to do its best to show some kind of evidence to its prime contractors and customers that it was satisfying the DFARS regulations.
CyberSheath was one of the first independent security consultants to offer an assessment that measures and documents a company’s DFARS compliance, providing pragmatic recommendations and a clear roadmap to achieve compliance. And we know that basing an organization’s compliance program on only the 51 DFARS controls is not enough. We have always considered the full list of NIST 800-53 Low and Moderate controls to be the standard by which organizations should measure their maturity, and we specifically call out the 51 DFARS controls during a larger NIST assessment effort, demonstrating adherence to the regulation while also gaining a true picture of the security posture of the company.