The US Department of Defense (DoD) handles a lot of controlled unclassified information (CUI), which requires “safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.” In December 2017, the DoD published a rule to the Defense Federal Acquisition Regulation Supplement (DFARS) that requires DoD contractors to meet certain cybersecurity requirements.
If you’re planning to bid on a DoD contract, then you have to make sure that you achieve DFARS compliance.
What Does DFARS Compliance Entail?
DFARS compliance standards require DoD contractors to have security controls that comply with the National Institute of Standards and Technology (NIST) Special Publication 800-171 to prevent a data breach, as well as procedures to report a breach should it occur. Under DFARS, DoD contractors must also periodically assess themselves to keep CUI protected.
What Can You Do to Meet DFARS Compliance?
To be DFARS-compliant, you must adequately address all 14 security requirement families outlined in NIST SP 800-171. Following these five tips will help you get started:
#1 Undergo Security and Risk Assessments
There are operational risks involved in processing, storing, and transmitting CUI. That’s why it’s important for you to periodically scan your internal procedures and IT systems for vulnerabilities that may endanger CUI. Doing so will help you identify and correct deficiencies so you can reduce or eliminate risks.
Given the growing complexity of security and regulatory obligations, it’s best to ask a DFARS compliance expert like Charles IT to conduct these assessments for you.
#2 Roll Out IT System and Physical Safeguards
To ensure effective information security, you need to monitor, control, and protect your IT systems and the physical facilities housing them. This involves limiting physical access to your office, encrypting communications, separating internal networks from publicly accessible systems, preventing unauthorized data transfer to shared system resources, and more.
#3 Implement Identification, Authentication, and Access Controls
Register and manage every user and device that accesses your data and IT systems, and make sure each user only has access to what they need to do their job. For example, rank-and-file HR staff shouldn’t be able to easily obtain the finance department’s high-level information.
You must also be able to identify, track, and authenticate users and devices with proper security protocols each time they access your data or systems. This means implementing multifactor authentication, prohibiting password reuse, enforcing password complexity requirements, and logging a user out automatically after a defined period of inactivity, among other measures.
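To make the identification and authentication requirements above concrete, here is an added example (not code from Charles IT, from NIST, or from the original article) of a small account-policy module that enforces three of them: password complexity, a ban on reusing recent passwords, and automatic session expiry after a period of inactivity. The policy values (five generations of history, a 12-character minimum, three of four character classes, a 15-minute idle limit, and the PBKDF2 iteration count) are assumptions chosen for the example and should be set from your own system security plan; the sample user is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy parameters: assumed values for this example, not figures from the
# article or from NIST SP 800-171. Set them from your own system security plan.
PASSWORD_HISTORY_DEPTH = 5          # generations within which a password may not be reused
MIN_PASSWORD_LENGTH = 12
MIN_CHARACTER_CLASSES = 3           # out of: upper, lower, digit, symbol
INACTIVITY_LIMIT_SECONDS = 15 * 60  # automatic logout after 15 idle minutes
PBKDF2_ITERATIONS = 200_000         # raise for production; kept modest so checks stay quick


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Only these digests are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def complexity_problems(password: str) -> list[str]:
    """Return the complexity rules a candidate password violates (empty list = OK)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    classes_present = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes_present < MIN_CHARACTER_CLASSES:
        problems.append(f"uses {classes_present} character classes, need {MIN_CHARACTER_CLASSES}")
    return problems


@dataclass
class UserAccount:
    """A registered user: the current credential, the recent hashes needed to
    enforce the no-reuse rule, and the timestamp used for inactivity logout."""
    username: str
    # (salt, digest) pairs, oldest first; the last entry is the current password.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    last_activity: float = 0.0

    def set_password(self, new_password: str) -> list[str]:
        """Apply the complexity and reuse rules; store the new hash only if both pass.
        Returns the list of violations (empty list on success)."""
        problems = complexity_problems(new_password)
        # Reuse check: each stored entry has its own salt, so rehash against each one.
        reused = any(
            hmac.compare_digest(_hash_password(new_password, salt), digest)
            for salt, digest in self.history
        )
        if reused:
            problems.append(f"matches one of the last {PASSWORD_HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash_password(new_password, salt)))
        del self.history[:-PASSWORD_HISTORY_DEPTH]  # keep only the newest N generations
        return []

    def verify_password(self, password: str) -> bool:
        """Check a login attempt against the current (most recent) credential."""
        if not self.history:
            return False
        salt, digest = self.history[-1]
        return hmac.compare_digest(_hash_password(password, salt), digest)

    def record_activity(self, now: float) -> None:
        """Call on every authenticated request to reset the inactivity clock."""
        self.last_activity = now

    def session_expired(self, now: float) -> bool:
        """True once the user has been idle longer than the configured limit."""
        return now - self.last_activity > INACTIVITY_LIMIT_SECONDS


if __name__ == "__main__":
    acct = UserAccount("jdoe")                        # constructed sample user
    print(acct.set_password("Correct-Horse-42"))      # [] -> accepted
    print(acct.set_password("Correct-Horse-42"))      # reuse rejected
    print(acct.set_password("short"))                 # complexity rejected
    acct.record_activity(now=1_000.0)
    print(acct.session_expired(now=1_000.0 + INACTIVITY_LIMIT_SECONDS + 1))  # True
```

Two design points worth noting: the reuse check keeps only salted hashes of prior passwords, so the history itself never becomes a list of reusable secrets, and comparisons use `hmac.compare_digest` so that timing differences do not leak how close a guess came. In a real deployment the same policy would be enforced by your identity provider or directory service rather than hand-rolled code, but the checks it has to perform are the ones shown here.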
#4 Conduct Cybersecurity Awareness Training
All employees must be made aware of the security risks associated with their use of company data and systems. It’s imperative that they learn about the different policies, standards, and procedures they must adopt to safely carry out their responsibilities.
#5 Develop and Employ an Incident Response Plan
You should have a team and a set of procedures that allow you to detect, analyze, contain, respond to, and recover from a data breach or any other kind of cybersecurity incident; this set of procedures is called an Incident Response Plan. You should regularly test your company’s plan and make changes accordingly.
CMMC: Is This an Update to DFARS Compliance?
Over the years, the DoD grappled with a low rate of FAR and DFARS compliance among its contractors. To address this issue while still trying to increase the security of defense data and networks, the department introduced the Cybersecurity Maturity Model Certification (CMMC).
CMMC builds upon existing cybersecurity frameworks and requirements, such as the NIST SP 800-171.
That said, you can be DFARS-compliant without earning your CMMC. That’s because, unlike DFARS’s self-assessment, CMMC requires third-party accreditation (depending on the level). But if you’re already DFARS-compliant, achieving CMMC with a third-party auditor will come more easily, since much of the remaining work is implementing good cyber hygiene practices.
What Should You Do Next?
Passing CMMC has been mandatory for all organizations doing business with the DoD since September 2020. That’s why you should work toward DFARS compliance and earn your CMMC if you want to be a DoD contractor.
It’s easy to get lost in all the legal and technical jargon of DFARS and CMMC. Good thing you can leverage the expertise of Charles IT. With our help, you’ll quickly and easily comply with DFARS and CMMC standards. Drop us a line today!
Editor’s Note: This blog was originally published on July 9, 2020 and was updated June 27, 2023 for accuracy.