Office 365 DFARS Frequently Asked Questions (and Answers) - Part 9

    There are a lot of questions surrounding DFARS requirements and implementing a POA&M (Plan of Action and Milestones) for DoD contractors. What does it mean for your business? What happens now that you have a POA&M and an SSP (System Security Plan)? (Still not compliant? Check out parts 1-5 of this series.) To help guide you through the process, here are some questions and answers you may need to know.

    47. Can you describe the contents of a system security plan? 


    A System Security Plan (SSP) contains and addresses a variety of things: information about the organization, the information system you manage, your data protection and classification scheme, and the roles and responsibilities within your organization. It also holds a top-to-bottom listing of all security requirements and how each identified component of the information system meets them, as well as an inventory of the hardware and security devices in your environment and the connections to external systems. There may be other components as well, but these are the ones typically covered.

    48. What guidance can you provide on how long a company has to implement the POA&M? 

    There is no hard-and-fast guidance. We have seen POA&Ms that run only a few weeks for a company that is already close to 100% technically compliant, and 18+ months for organizations that are just starting their technical compliance journey. The government has released no known direct guidance on this.


    49. If the DFARS clause was not part of the original contract, does it now apply, or does it only apply to contracts that include the 252.204-7012 clause?

    The DFARS clause only applies to contracts that actually contain the clause. However, once you have even a single contract with the clause, you must be compliant across the board: the systems that store, process, or transmit that contract's covered defense information must meet the requirements regardless of which other contracts they support.

    50. For the POA&M, are only the open security controls to be shown? 

    It is a good idea to keep closed POA&M actions in the document for reference after they are closed, but if you are just beginning the POA&M, only the controls that are currently open need to be listed.

    51. How does a small company maintain separation of duties with one IT/Admin person? 

    Typically, a small company has a company principal fill some of those roles, or an outside IT service provider can take them on.

    52. Does the DoD have a requirement to tell the contractor what CDI/CUI must be protected?


    The government should properly mark content according to the marking guidance. However, this does not always happen. Additionally, many contractors create CUI in the performance of the contract, and that content must be properly marked and protected as well.


    53. Do all 110 NIST SP 800-171 security requirements have to be in the POA&M?

    The only controls that must be listed in the POA&M are those that the SSP shows are not yet fully implemented.


    Note: This FAQ is part of a series. Check out the previous FAQs here: FAQ #1, FAQ #2, FAQ #3, FAQ #4, FAQ #5, FAQ #6, FAQ #7, and FAQ #8.

    Be sure to subscribe and get notified when there's a new post, or check back soon for the next post in the series!
