DFARS 252.204-7012: Are the physical safeguards protecting your IT systems enough?
In the days of widespread virtualization and cloud computing, it might seem physical security is no longer as relevant as it once was. That is simply not the case. All data has to live somewhere on a physical device, be that in a major data center shared with hundreds of other companies or in an in-house server room exclusive to one business. While a company typically has no direct control over the physical security of its cloud provider's data centers, it must still deploy physical safeguards for the devices its staff use to access those services, because a stolen laptop with a live session is a way into the cloud-hosted data too.
What is physical security?
Information security broadly spans three areas – administrative, technical, and physical safeguards – and each matters as much as the others. Under DFARS 252.204-7012, the data at issue is covered defense information (CDI), a form of controlled unclassified information (CUI); it must be physically stored within the United States unless the contractor has received written notification from the DoD that it may be stored or transmitted elsewhere.
However, physical safeguards do not only concern where the data physically lives. They also govern how the systems that store or transmit the data are physically protected. For example, server rooms must be securely locked and monitored, while mobile devices require additional safeguards because they are far more exposed to loss or theft.
Compliance with the DFARS 7012 clause, like many other regulatory regimes, requires close attention to physical safeguards both inside and outside the workplace. Together, these safeguards protect data and systems from physical theft and other forms of compromise, and they work hand in hand with administrative policies and technical controls: a disk encryption policy is only as good as the key management behind it, and a badge reader is only as good as the process that revokes badges.
Physical safeguards fall into the following three primary categories:
Facility access controls are the policies, procedures, and measures that prevent unauthorized physical access to facilities such as server rooms. A facility security plan documents the strategy for securing those facilities: locked doors, access codes or badge readers, and a means of monitoring, such as CCTV. There must also be clear controls that limit and track each individual's access, including a defined protocol for visitors (sign-in, escort, temporary badges). Businesses should also plan for contingency operations, so that emergency services can reach the facility during an event such as a natural disaster, and so that authorized technicians can replace, maintain, or upgrade hardware without bypassing the controls. Organizations should therefore keep a complete and up-to-date record of maintenance activities, including any that touch security hardware such as locks, badge readers, or cameras.
Non-portable computing systems, such as servers and workstations, require security too, even though they are less susceptible to loss than portable devices like laptops or cellphones. Policies must clearly define any limitations on their use as well, such as prohibiting the use of workplace computers for non-work-related activities. While facility access controls also govern access to the premises where these computers sit, an open-plan office will rarely be as tightly controlled as a server room, if only for practical reasons. The devices must therefore still be physically secured. Laptops that stay in the office but are used to store or access CUI, for example, should be secured with a Kensington-style cable lock, which almost all modern business laptops support through a slot built into the chassis. The cable anchors the device to a desk or fixture, making it much harder to walk off with; bear in mind that it deters opportunistic theft rather than stopping a determined thief with cutting tools, so it complements, rather than replaces, disk encryption and access controls.
Remote work, while essential these days, poses additional security challenges. Employees routinely use laptops, smartphones, and removable storage media for work, and banning them outright is simply not practical. These devices must therefore be protected by technical and administrative measures that prevent unauthorized access. Mobile device management (MDM) software can track device location, enforce configuration, and automatically revoke access rights and remotely wipe devices that have been reported lost or stolen. Given the elevated risk of loss or theft, it is advisable to avoid storing sensitive information on them in the first place, using them only to access cloud-hosted services, and to enable full-disk encryption on any laptop or phone that might nonetheless cache CUI. Likewise, portable storage devices such as removable flash drives and external hard drives should be fully encrypted, so that the data on them is inaccessible without the key even if the device is misappropriated. The difference matters: a lost encrypted drive is a lost asset, while a lost unencrypted drive holding CUI is a potentially reportable incident.
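As an added example (not code from the original article or from Charles IT), the following PowerShell shows what "fully encrypted" looks like in practice on a Windows endpoint: it audits every fixed or removable volume for BitLocker protection, turns on BitLocker To Go for a removable drive with both a password and a recovery-password protector, and sets the policy that blocks writing to removable drives that are not BitLocker-protected. It assumes an elevated session on Windows 10/11 Pro or Enterprise with the BitLocker module available; the drive letter E: is a placeholder, and the registry value name for the deny-write policy is given as an assumption to confirm against your own Group Policy or Intune tooling.

```powershell
# Added example: audit and enforce BitLocker on data volumes.
# Assumes an elevated PowerShell session on Windows 10/11 Pro/Enterprise
# with the BitLocker module (Get-BitLockerVolume, Enable-BitLocker) present.
#Requires -RunAsAdministrator

function Get-UnprotectedVolume {
    <#
      Returns every fixed or removable volume with a drive letter whose
      BitLocker protection is not 'On'. Volumes with no BitLocker record at
      all (never encrypted) are reported as 'NotConfigured'.
    #>
    [CmdletBinding()]
    param()

    # Index BitLocker state by mount point so it can be joined to Get-Volume.
    $bitlocker = @{}
    Get-BitLockerVolume | ForEach-Object { $bitlocker[$_.MountPoint] = $_ }

    Get-Volume |
        Where-Object { $_.DriveLetter -and $_.DriveType -in @('Fixed', 'Removable') } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl    = $bitlocker[$mount]
            [pscustomobject]@{
                MountPoint       = $mount
                DriveType        = [string]$_.DriveType
                FileSystemLabel  = $_.FileSystemLabel
                VolumeType       = if ($bl) { [string]$bl.VolumeType } else { 'n/a' }
                ProtectionStatus = if ($bl) { [string]$bl.ProtectionStatus } else { 'NotConfigured' }
            }
        } |
        Where-Object { $_.ProtectionStatus -ne 'On' }
}

function Protect-RemovableDrive {
    <#
      Turns on BitLocker To Go for a removable drive with a password
      protector, then adds a recovery-password protector so the help desk
      can unlock the drive from the escrowed key if the password is lost.
      Escrow the returned recovery password somewhere other than the drive
      (AD DS, Intune, a vault) according to your key-management policy.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,   # placeholder, e.g. 'E:'
        [Parameter(Mandatory)] [securestring] $Password
    )
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker To Go')) {
        # Full-volume encryption is deliberately used instead of -UsedSpaceOnly:
        # on a drive that already held data, used-space-only leaves previously
        # deleted files recoverable from the unencrypted free space.
        Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password | Out-Null
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            Select-Object KeyProtectorId, RecoveryPassword
    }
}

function Set-DenyWriteToUnencryptedRemovable {
    <#
      Mirrors the Group Policy "Deny write access to removable drives not
      protected by BitLocker" (Computer Configuration > Administrative
      Templates > Windows Components > BitLocker Drive Encryption >
      Removable Data Drives). The value name is assumed here; confirm it
      against your GPO/Intune tooling and prefer managing it there rather
      than editing the registry directly in production.
    #>
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'RDVDenyWriteAccess' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Usage (constructed walkthrough):
Get-UnprotectedVolume | Format-Table -AutoSize
$pw = Read-Host -AsSecureString -Prompt 'BitLocker password for E:'
Protect-RemovableDrive -MountPoint 'E:' -Password $pw
Set-DenyWriteToUnencryptedRemovable
```

Run the audit on a schedule and feed the output into your asset inventory; a removable drive that shows up as NotConfigured on a machine that handles CUI is exactly the gap the clause's physical safeguards are meant to close. The recovery password printed by Protect-RemovableDrive is the key to the whole drive, so treat its escrow with the same care as the data it protects.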
Charles IT can evaluate your current security and compliance posture and deliver the expertise and technical solutions necessary for taking on high-value contracts that are essential to your business. Call us today to schedule your first security assessment.