No, Government Contractors Can't Falsify Claims of Compliance with Cybersecurity Standards

Seems obvious, but a recent lawsuit highlights the need for government contractors to comply with government-mandated cybersecurity controls.

It’s not everyday you read a story about an employee allegedly fired because he wouldn’t sign off on documents stating the company was compliant with DOD and NASA federal acquisition regulations (DFARS and NASA FARS, respectively). These regulations are required for contractors to be eligible for federal government contract awards.

Both federal acquisition regulations are based on the NIST Special Publication 800-171, a detailed, 125-page document outlining 14 separate sets of requirement families (shown below).

5-29-19 Blog - Image

The 14 families break down into over 100 separate requirements, which break down into separate security controls; each with specific guidance on what needs to be entailed in execution of the control. It’s a massive undertaking, making it understandable that organizations may have difficulty in meeting every control – but not so understandable that one should falsify its’ state of compliance.

The story of the fired employee demonstrates how difficult it can be for some contractors to meet compliance mandates. By leveraging the right solutions, contractor organizations can dramatically simplify the work of becoming compliant while simultaneously making their organization more secure.

The Problem

You have challenging compliance requirements, not enough time to get audits done, and keeping up with risk assessments including third-party vendors is a continuous problem.

Big, complex GRC platforms are expensive, take forever to deploy, and need 2 people with wrenches to keep them going. Meanwhile, your compliance, risk, and audit projects are piling up because of the lack of resources. Your organization does not need overly complex workflows, but somehow GRC vendors think “complex is good” and expensive.

Specific GRC Problems that IT Teams Face:

  • Challenging compliance requirements
  • Not enough time to get audits done
  • Keeping up with risk assessments
  • Vetting and managing vendors to mitigate third-party risk
  • Lack of resources
  • No easy-to-use tools
  • The Problem Related to Vendor Risk Management

Managing This Problem

The KCM GRC platform was developed to save you the maximum amount of time getting GRC done. Old-school GRC offerings require many months of implementation and high consulting hours to stand up. KCM GRC has a simple, intuitive user interface, easy to understand workflows, a short learning curve, and will be fully functional in a matter of days.

In half the time and half the cost, with KCM GRC you can efficiently manage compliance and risk initiatives, vet and manage third-party risk, and understand at a glance what items need to be addressed.

See how you can get audits done in half the time at half the cost!

Request your 30-minute live product demonstration of KnowBe4's new KCM GRC platform.

See how you can simplify the stress of managing your compliance requirements and save valuable time when risk assessments and audits cycles kick in:

  • Quick implementation with pre-built requirements templates for the most widely used regulations.
  • NEW Simplify risk management with an intuitive interface and simple workflow based on the well-recognized NIST 800-30.
  • You can assign responsibility for controls to the users who are responsible for maintaining them.
  • Secure evidence repository and DocuLinks giving you two ways of maintaining audit evidence and documentation.
  • Dashboards with automated reminders to quickly see what tasks have been completed, not met, and past due.

Request A Demo

Don't like to click on redirected links? Copy & Paste this link into your browser:

Topics: Compliance

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews