Service providers to the U.S. Federal Government, both Civilian Agencies and the Department of Defense, need their information systems to meet the requirements specified in the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS). Systems hosted internally or outsourced to third-party providers must be designed to meet the various federal regulations as they relate to FAR and DFARS, plus the additional requirements of the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). You are subject to some or all of these requirements if your organization:
- Handles Controlled Unclassified Information (CUI)
- Produces, maintains and/or exports items on the United States Munitions List (USML)
- Provides defense articles and services
- Produces items or “know how” on the Commerce Control List (CCL)
Furthermore, with the final stages of the implementation of Executive Order 13556 "Controlled Unclassified Information", contractors to the U.S. Department of Defense that handle controlled unclassified information (CUI) are required under contract to safeguard CUI under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 and the newly established National Archives and Records Administration CUI processes (32 CFR part 2002) flowing throughout the Executive branch of the U.S. Federal Government. The CUI requirements recommended for use in this publication are derived from FIPS Publication 200 and specify NIST SP 800-171 “Security and Privacy Controls for Federal Information Systems and Organizations” as the security guideline. An assessment against NIST SP 800-171 is needed before services that transmit or store this data in non-federal information systems can be provided. This also applies to the cloud service providers those contractors use, and to cloud service providers that want to offer services to Federal Civilian and DoD contractors storing, processing and transmitting CUI.
Coalfire’s team of advisors works with organizations to help them understand ITAR, EAR, and DFARS requirements and how these requirements affect their information systems. Our services range from advisory engagements that assist organizations in applying specific security controls, to detailed assessments of the existing system controls needed to secure CUI. For both DoD contractors and service providers that store, process or transmit ITAR/EAR/CUI data, this assessment identifies gaps in meeting these regulatory requirements and provides a plan to remediate them.
How Coalfire Helps
Coalfire has helped organizations evaluate their ability to control technical data in accordance with ITAR, EAR, and DFARS, including exporters, U.S. Federal Government contractors, and cloud service providers.
Coalfire provides advisory and assessment services to ensure controls are in place to safeguard export-controlled data and CUI. From mapping controls across various environments, to developing documentation, to the assessment itself and technical security testing, Coalfire can do it all.