If you’re a service provider to the U.S. federal government – whether to civilian agencies or the Department of Defense (DoD) – your information systems must meet requirements as specified in the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS). You may also need to comply with the requirements of the International Traffic in Arms Regulations (ITAR) or the Export Administration Regulations (EAR).
These regulations impact your organization if it meets any of the following criteria:
Furthermore, with the final stages of the implementation of Executive Order 13556 -- "Controlled Unclassified Information" -- contractors to the DoD that handle controlled unclassified information (CUI) are required to safeguard CUI under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012 and the newly established National Archives and Records Administration CUI processes (32 CFR part 2002).
The CUI requirements recommended for use in Executive Order 13556 are derived from FIPS Publication 200 and specify NIST SP 800-171 -- “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” -- as the security guideline. An assessment against NIST SP 800-171 is needed for federal contractors to provide services for transmitting or storing these datatypes in non-federal information systems in a way that complies with applicable regulations. Note these requirements also apply to all cloud service providers (CSPs) that are storing, processing and transmitting these datatypes on behalf of federal agencies, civilian contractors, or DoD contractors.
How Coalfire Can Help
Coalfire’s team of advisors and assessors can work with your organization to help you understand ITAR, EAR, DFARS, and NIST SP 800-171 requirements and how they impact your information systems. Our services include strategic advisory for organizations with questions of regulatory applicability or questions of program implementation, assisting organizations in the application of specific security controls or security documentation, and detailed assessment and validation of implemented security controls to ensure appropriate protections are in place.
Why Choose Coalfire for ITAR, EAR, DFARS, and NIST SP 800-171 Advisory and Assessment Services
Coalfire has helped organizations, ranging from exporters and government contractors to cloud service providers, evaluate their ability to control technical data in accordance with ITAR, EAR, and DFARS. In addition, Coalfire has experience with NIST SP 800-171 implementations in many different environments – from CSPs to major defense contractors.
Coalfire provides advisory and assessment services -- from strategic advisory to security documentation development and high-level security assessments to in-depth technical security testing -- to help organizations appropriately protect exported data and CUI.