Avoid These Top 7 DFARS & NIST 800-171 Mistakes


Over the past few years, we have seen millions of dollars invested and contracts lost because
of DFARS & NIST 800-171 compliance. DFARS has been characterized as the “Big Bad
Wolf”, here to blow down profits and destroy businesses with stiff regulations. But in fact,
DFARS is more like Arnold Schwarzenegger in the Terminator. Here to protect your
business so you can provide goods that help support the country.

As a manufacturer, it is your responsibility to create a quality product. That also includes
protecting the Controlled Unclassified Information (CUI) and Covered Defense Information
(CDI) needed to produce that product. In the past, that meant keeping a secret.
Unfortunately, keeping that secret in today’s digital world is a lot more complicated.
DFARS and NIST 800-171 gives you a framework to help you do that.

Here are 7 of the most common security requirements missed by organizations.

Issue #1: Incomplete GAP/Risk Analysis
Many organizations fail to do a complete analysis if they even do one at all. This is hands
down the most important item that gets overlooked. Look at it this way, you cannot protect
everything if you don’t know where or what everything is.

Issue #2: Failure to Manage Identified Risk
This should go without saying, but if you identify risks and create a plan to address them,
you actually have to do it. You will fail an audit if you don’t do what you outline in your
Plans of Action and Milestones (POAMs). You will also fail if you do not do it in a
reasonable amount of time.

Issue #3: No Security Awareness Training Program
On the surface, this one seems to be pretty straightforward. But this has been a stumbling
block for many organizations. Cyber and socially engineered threats are constantly
evolving. Thus, your training should be too. You should continuously test and train your
staff to recognize the latest attacks.

Issue #4: No Incident Response Plan in Place
You should know how quickly possible threats are detected, identified, and corrected. When
an incident is confirmed, you have 72 hours to report it to the DoD. You also have to
provide the affected data and all related data spanning 90 days before the incident date. You
need to have the plan and systems in place to provide that information within the allotted

Issue #5: Bad Internal Processes
You need to have a process to control who has access to CUI/CDI. An employee with
unauthorized access to these files is a violation. It is also required that you immediately
remove access for former employees.

Issue #6: Weak Physical Security
So much focus is placed on digital security that many organizations overlook physical
security. You need to know who has access to the physical hardware that your data is stored
on. You should also be able to produce an audit log for that access.

Issue #7: Lack of Appropriate Auditing
Most organizations take the step to put hardware or software in place to do the auditing. The
problem is that they don’t actually review the information for suspicious activity. The
following examples are things that should be automatically flagged and immediately
 Accessing files during non-business hours
 Accessing an unusually high volume of files
 Accessing files from an unusual remote location

Here is a BONUS one for you that goes along with number 7.

Issue #8: No Testing of Security Measures
You should review and test your security measures at least once a year. Ideally, you should
do penetration testing and vulnerability assessments on an ongoing basis. This way you
know if your processes and procedures are still effective or if improvements are needed.

This is a small sample of the common issues we have seen organizations struggle with.
Rather than trying to fight DFARS, we propose that you use it to create a strong
cybersecurity plan. A plan that is designed to adapt to the evolving threats and changes
within your business.


DFARS compliance can be an intimidating goal for a business. Figuring out where to
start, what is required, and how much it’s going to cost are just a few of the things that
businesses wrestle with.

But unfortunately, this is not something that you can take lightly. Your security systems
have to win every time, the attacker only has to win once.

Simple Plan IT takes all of the guesswork out of DFARS compliance. Our Cyber Secure
service was created by our in-house team consisting of 2 Certified Information Systems
Security Professionals (CISSP), a Certified Ethical Hacker (CEH) and is supported by
certified Project Management Professionals (PMP). Our service starts with a detailed risk
analysis. We then address everything needed to become and maintain DFARS

For those that are serious about cybersecurity, we’re able to do real-time monitoring with
near real-time remediation. Dedicated engineers in our private Security Operations
Center (SOC) will watch your network in real-time. They will be looking for events that
require more investigation, documentation, and remediation. Should and event occur, they
will immediately execute upon a predetermined plan.

If you’re missing any of these examples or question whether your current strategy is
adequate, we encourage you to give us a call. Our certified security experts can assist you
in developing a plan that is right for you.

Thank you for your time and we look forward to helping you in the future.

Follow Us on Social Media

Subscribe to our Blog

Most Recent Blog Posts

Don’t Stop Here

More Useful Security Information

Top 10 IT Security Myths — Debunked


Thanks to the recent COVID-19 pandemic, there has been a historic shift in the way people work. Remote work or work-from-home (WFH) policies were set

Cybersecurity Policies That Bridge Generations


Cybersecurity policies are necessary for any business to avoid becoming cybercrime victims. Cybercrimes continue to rise as cybercriminals get more creative- it’s imperative every business