DoD VoIP experience?


#1

We have been granted the phone service business from a machine shop that does a significant amount of work for the DoD (Department of Defense). They are now asking us whether the system complies with NIST 800-171 and DFARS 252.204-7012. Rather than wasting a huge amount of time reading through these requirements, I was hoping maybe someone was using FreePBX for an account with ties to DoD.

Appreciate any insights.

Dave


(TheJames) #2

In a former life, the company I worked for sold, through a reseller, equipment which included FreePBX-based servers used in military FOBs.

Unfortunately everything is as secure or insecure as you make it. As open source software you can lock it down or open it wide up.


(Tom Ray) #3

My advice is to read what is required. It actually isn’t a waste of time because it is rather vital you know and do what is required. If you had glanced at either of those that you cited, you would see that in certain places, based on the type of vendor and services, you may have to comply with other regulations.

Have you also looked at the other laws and regulations you need to comply with regardless of this being a DoD contract? E911, STIR/SHAKEN, the new rules about 7 digits that are coming?

I mean, if something goes down and you are asked “Why weren’t we in compliance?”, the answer of “I thought it was a waste of time so I just asked on the Internet” isn’t going to work out well.


(Dave Burgess) #4

In my current “day job” I work for the DoD.

Your NIST 800-171 requirements are all about protecting unclassified information that shouldn’t be shared. If your contract is with a civilian company, then you need to make sure that your phone system can’t leak information of possible use to adversaries. This means reading through the checklist for double protection of data (two-factor authentication, for example) and other specific items. There should be a good checklist in https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/archive/2016-12-20 that gives you the run-down you need. The good news is that, in general, it’s pretty easy to do if you are working with a company that’s working with the government.

DFARS 252.204-7012 is mostly about incident reporting, which means if you have a CUI disclosure, you are obligated to report it and have a process in place to do that.

Neither of these is hard to get through, and there are checklists galore (including from the government) that can walk you through the processes of getting squared away on this stuff. If it was me, I’d just follow the docs.

