6 Questions CEOs Should Ask Their Staff About DFARS & NIST SP 800-171

Updated: Aug 24, 2023

If you’re the CEO of a company that does work for a Department of Defense (DoD) contractor, no matter how far down the supply chain you are, you need to be asking these questions. Your customers may already be asking you about this.

Here are six important questions CEOs should be asking their staff and IT teams about their company’s compliance with the DoD’s cybersecurity regulations found in DFARS and NIST SP 800-171. The answers to these questions will give you an excellent indication of how well your organization is protecting sensitive data and complying with DFARS requirements in effect today, and with CMMC mandates, too, for when that time comes.

Top 6 questions CEOs should ask their staff about DFARS & NIST 800-171 compliance:

  1. Are we aware of the DFARS & NIST 800-171 requirements and their applicability to our company? CEOs should ask about their IT team's understanding of NIST 800-171 and whether they are aware of its relevance to their specific company. This question helps gauge the team's knowledge and awareness of the requirements.

  2. Have we conducted a thorough assessment of our company's compliance with NIST 800-171? CEOs should ask if their IT team has performed a comprehensive gap assessment (with detailed documentation) to determine the company's compliance with NIST 800-171. This includes identifying any gaps or areas that require improvement to meet the required cybersecurity standards.

  3. What steps have we taken to address the assessment gaps and ensure compliance with NIST 800-171? CEOs should ask about the specific actions and measures taken by the IT team to address any gaps identified during the compliance assessment. This question helps assess the team's progress in implementing the necessary controls and safeguards.

  4. Are our employees and stakeholders adequately trained and aware of NIST 800-171 requirements? CEOs should ask if their IT team has provided adequate training and awareness programs to employees and stakeholders regarding NIST 800-171 requirements. This question addresses the importance of cybersecurity education throughout the company.

  5. How do we monitor and assess ongoing compliance with NIST 800-171? CEOs should ask about the mechanisms and processes in place to monitor and assess ongoing compliance with NIST 800-171. This includes regular audits, reviews, and assessments to ensure continued adherence to the requirements.

  6. What is our plan for evolving and improving our cybersecurity in line with NIST 800-171? CEOs should ask about the company's strategic plan for continuously improving its cybersecurity posture in alignment with NIST 800-171. This question emphasizes the need for a proactive approach and ongoing efforts, with adequate documentation, to enhance security measures.

These questions facilitate communication between CEOs and IT teams, ensuring a shared understanding of DFARS & NIST 800-171 requirements, compliance efforts, and the company's overall cybersecurity strategy for protecting your data and your customers’ data. If there aren’t internal discussions going on now about this, your company, and its future business, are at risk!

About the Author

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, a division of Bluestreak | Bright AM™, and a regular editorial contributor for several trade publications providing technology, tips, and news for manufacturers. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, a machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe directly at

About Bluestreak

Bluestreak™ is a powerful Manufacturing Execution System (MES) and a fully integrated Quality Management System (QMS), designed for the manufacturing environment and for service-based manufacturing companies (metal-treating/powder-coating, plating, heat-treating, forging, and metal-finishing): businesses that receive customers’ parts, perform a process (service) on them, and send those parts back to the customer. Companies need MES software tailored to specific functionality and workflow needs such as industry-specific specifications management, intuitive scheduling control for both staff and machinery maintenance, and the ability to manage work orders and track real-time data. If different work centers on the production floor aren’t “speaking” to each other via the MES, the data loses value and becomes disjointed or lost in disparate silos.

Bluestreak | Bright AM™ is an MES + QMS software solution specifically designed to manage and optimize the unique requirements of Additive Manufacturing’s production of parts and powder inventory usage.
