
Are Your IT And Accounting Departments Talking? (They Should Be!)

January 24, 2020

We’d like to call your attention to an issue with which you are likely already familiar. In the world of DCAA Compliance, cyber security, especially in this era of cloud computing, may not be getting the attention it requires.

Please keep in mind that we are experts in accounting & DCAA Compliance, and not in IT cyber regulations or strategies, so please consider this article an advisory. We're shining a light on a topic that requires vigilance and oversight; a topic that is important to your data integrity as well as to the integrity of the government’s entire Defense Logistics Agency.

Both the integrity and protection of your data are crucial should a disaster occur or if nefarious actors want access to your secrets. We suggest you take steps to avoid a possible nightmare. Your accounting team needs to cooperate with IT staff and IT needs to meet the computing requirements of the Accounting staff. Backup and restore policies and technology need to be in place if you want to avoid the costly process of trying to rebuild a general ledger or other DCAA Compliance-related financial information that was inadvertently destroyed or altered.

If that’s not enough motivation, consider the Department of Defense’s cyber security requirements. DoD contractors (including small businesses) must adhere to two basic cybersecurity requirements: (1) they must provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure; and (2) they must rapidly report cyber incidents and cooperate with DoD to respond to these security incidents, including providing access to affected media and submitting malicious software. DARPA has issued certain requirements. In fact, for all contract awards, the DoD CIO wants your cybersecurity plan in place.

Uncle Sam would love for your accounting and IT departments to really work closely together so that you meet your adequate security goals. In fact, you may discover that he actually insists, especially when it comes to addressing cybersecurity and protecting information. We prefer to look at it as a cooperative effort to protect the data that drives the companies that serve the warfighter, including your financial data. However you see it, there are several requirements the government has defined, which you must follow.

As a federal contractor you have an obligation to the DoD to create and maintain an adequate cybersecurity system, and to properly (and rapidly) report any breaches, according to DFARS Section 252.204-7012. While cybersecurity itself is beyond the scope of our work, accounting information must be properly stored and protected, hence the business case for the Accounting and IT Departments working closely together.

The set of minimum cybersecurity standards is described in NIST Special Publication 800-171 and breaks down into fourteen areas:

Access Control
Awareness & Training
Audit & Accountability
Configuration Management
Identification & Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System & Communication Protection
System & Info Integrity

Do your own research, but be aware that having even one contract with DFARS clause 252.204-7012 requires the company to be NIST 800-171 compliant, meaning it meets the IT requirements in each of the key areas above.

You will likely want to assign a team or individual to oversee your compliance, or seek outside expertise. Locate the NIST SP 800-171, Guide for Applying the Risk Management Framework to Federal Information Systems, which you can find on-line at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf. It provides small businesses with a systematic, step-by-step approach to implementing, assessing and monitoring the controls. “800-171”, as it’s called in federal contractor IT circles, details the requirements for any non-federal computer system where controlled unclassified information is used, stored, or transmitted.

Here’s the really good news: according to https://business.defense.gov/Small-Business/Cybersecurity/, small businesses can use this framework to divide the project into small, manageable chunks and work toward attaining compliance. As the website says, “Incurred costs may also be recoverable under a cost reimbursement contract pursuant to FAR 31.201-2.” We can help you make that assessment, and FAR 31.205-33(a) may apply as well. Need to report a cyber incident to the DoD? See https://dibnet.dod.mil

Additionally, check out the Defense Cybersecurity Requirements for Small Business: http://www.darpa.mil/work-with-us/for-small-businesses/cybersecurity

If you found this article helpful, and would like assistance in helping your accounting department meet or exceed DCAA Compliance requirements, please call us at 603.881.8185 or email cpa@klineco.com
