A Guide to Understanding DFARS Requirements
Being a government contractor means complying with numerous regulations, including federal requirements that help safeguard against cyber attacks. With the dramatic increase in cyber threats today, it’s no surprise that this is one area DoD contractors must examine carefully.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that aims to enhance the security of organizations and their consumers. DFARS requirements are extensive, and compliance is critical for all government contractors.
DFARS was introduced by the Department of Defense (DoD) in 2015 to ensure the confidentiality of Controlled Unclassified Information (CUI). All DoD contractors must meet the DFARS compliance requirements.
Beginning in late 2020, CMMC certification, a third-party certification system for assessing compliance with DFARS requirements, will be required. At that point, all Requests for Proposals must meet the proper CMMC certification. For now, let’s take a closer look at the specific regulations guiding the DFARS requirements currently in place.
How does NIST 800-171 Relate to DFARS?
The National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171) is a set of requirements that specifically governs CUI in non-federal information systems and organizations. NIST 800-171 sets out the standards that must be applied to safeguard and share data that is considered sensitive but not classified. It plays a crucial role in defining the DFARS compliance requirements.
What Are the Critical Areas of NIST 800-171?
All contractors that handle CUI must be DFARS compliant and introduce security protocols covering the following 14 key areas:
Audit and Accountability
This protocol deals with how system logs provide valuable records. Specifically, this includes the protection, creation, review, and retention of system logs in providing feedback for information systems. In other words, contractors need to consider whether records are kept relating to authorized and unauthorized access to sensitive information and how violators can be identified.
Awareness and Training
This aspect deals with the degree of awareness relating to security risks inherent in user activities, and training staff on standards and procedures to perform their duties. Put another way, this criterion assesses whether staff possesses the knowledge on how to handle and treat sensitive information.
Access Control
This protocol refers to the need to restrict system access to authorized users. This level of control helps prevent data from being accessed by outside users and reduces the risk of information leaks. Consider which users are authorized to view system data and ensure that your systems reflect this restriction.
Incident Response
Another requirement is to create the ability to detect, contain, analyze, and respond to incidents in online systems. Contractors must develop a system to deal with any breach or security threat, which includes the need to follow proper notification directives.
Identification and Authentication
It is important to ensure that access is granted to intended users. Another requirement of effective security is to identify and authenticate all users and devices of the information system. Therefore, it is crucial to determine who is approved to access CUI and how these users are verified before they can access any sensitive information.
Configuration Management
Another DFARS requirement is to create a baseline configuration and a robust change management process in your system. Ask yourself how your networks and safety protocols are built and documented.
Media Protection
One of the DFARS compliance requirements is to manage the protection and destruction of all media that contain CUI. So it is vital to examine how hard copy and electronic backups and records are stored as well as which users have access to these files.
Maintenance
It is essential to perform timely maintenance on all information systems. Questions to consider include: “Who is responsible for routine maintenance?” and “What timeline is in place for scheduled maintenance?”
Personnel Security
For effective DFARS compliant information technology, contractors must employ systems that protect access to CUI. These systems should include screening users before authorizing their access to key systems and ensuring that systems remain secure following the termination of staff members.
Physical Protection
This component refers to the protection of the physical system. More specifically, this criterion considers the restrictions to physical access that include protecting and monitoring the physical facility and infrastructure of the information systems. It’s imperative to review who can access the systems, equipment, and storage environments and ensure the safety of the system.
Security Assessment
You must monitor, analyze, and deal with deficiencies and vulnerabilities in all organizational information systems. This scrutiny requires that you regularly test whether procedures and processes remain effective and consider whether improvements are needed.
Risk Assessment
For DFARS compliant information technology, you need to assess the operational risk for the processing, transmission, and storage of CUI. Determine whether your security measures are tested in simulations and if individuals and operations are verified frequently.
System and Information Integrity
This component covers many aspects of meeting the DFARS requirements. It is important to identify, report, and correct any problems in the information systems in a timely fashion. You must also take steps to protect systems from the introduction of malicious code, carefully monitor information security alerts and advisories, and take effective action on them.
System and Communications Protection
You must control, monitor, and protect data at the boundaries of all systems, as well as implement software development techniques, architectural designs, and system engineering principles that encourage effective system security.
Achieving DFARS Compliance
As a DoD contractor, meeting the DFARS requirements gives your partners the assurance that their information is properly managed and protected. As you can see, the NIST 800-171 requirements guiding DFARS compliance are extensive, and this overview is just the tip of the iceberg. While becoming DFARS compliant can take months, it doesn’t have to overwhelm your staff. The team at Charles IT is ready to help you meet the demands of DFARS compliance, so you can focus on doing what you do best: growing your business.