If you’re in the Department of Defense supply chain, you’ve become familiar with DFARS and the corresponding NIST SP 800-171 r1 over the last few years. NIST SP 800-171 r1 is a list of 110 security controls that you must comply with in order to continue supplying certain contracts.
The reason we wear our seat belts is not to avoid getting a ticket from the police, but rather to avoid a potential injury in a car accident. This analogy is an easy way to describe the difference between box-checking security and real security, and it's instantly understood regardless of technical knowledge. This message resonates with executives, because they typically prefer to “get to the point” and correctly protecting their data is “the point” of cybersecurity.
The hot topic for contractors in the DoD supply chain these days is DFARS compliance. DFARS regulations increase our cybersecurity maturity as a country, to better protect ourselves from threats that can disrupt the DoD supply chain.
As of Dec. 31, 2017, contractors that store, transmit, or process certain types of government information were required to comply with DFARS (Defense Federal Acquisition Regulation Supplement) regulations.