NIST SP 800-171 DFARS users

I’m a long-time Asana user. I have recently joined a DoD contractor that is subject to NIST SP 800-171.

Are there any organizations out there that are subject to NIST SP 800-171 and able to use Asana without restrictions?

My outreach to Asana directly was less than helpful:

We are not DFARS compliant at this time, but we are confident and proud of what we do to protect our customers’ data and, as such, have taken measures to make sure every customer has the information they need to determine exactly how Asana can be trusted. You can find the documents mentioned below in our page.

To that end, we are sharing our SOC 3 report, which is a summary of our SOC 2 Type II certification produced by 3rd Party auditing firm, The Cadence Group. That document details the scope of their audit and their findings as they measured Asana practices and policies against the SOC 2 Type II criteria. The most important part of that report is that we have been affirmatively certified against those requirements. Additionally, we are sharing our ISO 27001 Compliance Certification. The Cadence Group has assessed Asana’s conformity with the defined requirements of the standard in regards to its Information Security Management Systems.

Asana’s homepage claims NASA uses Asana. In theory NASA is subject to NIST 800-171, but they might have used Asana way back when, or they may use it for the marketing team, etc.

@K_Karunaratne, like you, I am a long-time Asana user and we are a DoD contractor obligated to NIST SP 800-171. I also got a less than helpful response from Asana. It seems like it’s a topic they don’t know well and can’t comprehend why it’s such an important issue for many of their customers.

From what I can tell, Asana does not offer a gov cloud environment (or more importantly an environment that meets CMMC requirements) and therefore we’re concerned that we’ll need to leave Asana because we have no way to control technical data shared on the Asana platform. Are you thinking, to be compliant with NIST, that your organization will need to consider leaving Asana?