DFARS 252.204-7012: Are the Safeguards for Your IT Systems Enough?
Every business faces a unique set of risks across a number of key domains. If your company stores, processes, or transmits controlled unclassified information (CUI) in the capacity of a defense contractor then you will need to ensure all these risk areas are accounted for. This is essential for upholding your DFARS 252.204-7012 obligations and winning new contracts from the DoD.
Here are the main cyber risk areas that you will need to evaluate regularly to stay compliant:
#1. Information governance
You cannot protect assets that you do not know about, which is why every system that collects, processes, or transmits information requires proper governance. Governance must extend to legacy systems as well, which are a common source of dark data. A risk management regime should also include a documented set of the unique risks facing your organization, the level of risk that you are willing to accept, and a full lifecycle approach to data management.
#2. Network security
While perimeter security might not get the attention it once did now that most companies rely heavily on cloud-hosted resources, it is still vital to protect your internal network. To effectively police the network perimeter, you must take a multilayered approach consisting of intrusion detection and prevention and network firewalls. To evaluate their effectiveness, you also need to conduct network penetration tests and regularly audit your activity logs.
#3. Security configuration
Maintaining up to date security configurations is a key obligation under the DFARS 252.204-7012 framework. You will need to establish policies concerning patch-management and take every possible step to ensure that no systems are left vulnerable due to failure to install critical security updates. This requires creating an up to date inventory of all hardware and software assets, including those hosted in the cloud.
#4. User access privileges
Having an effective account management process involves creating and enforcing the policies governing user access to sensitive information. The best approach to follow is the principle of least privilege, whereby an individual only ever has access to the systems and data they need to do their jobs. Furthermore, these systems should be protected by multiple layers of security, including multifactor authentication, strong password policies, and encryption.
#5. Security awareness training
Contrary to popular belief, cybersecurity is very much a human problem rather than a technical one. Thus user education and awareness are essential for maintaining high security standards and developing a security-first company culture. New users should receive a comprehensive training program, and continuous training should be compulsory for everyone on the team to keep people informed about the latest threats.
#6. Incident management
Your DFARS 252.204-7012 obligations also include a fully documented incident management plan just in case, despite your best efforts, things do go wrong. Incident management should include a list of emergency contacts and a step-by-step guide on how to mitigate the effects of any type of incident that may befall your business, such as unexpected data loss or a data breach. This document should also adhere to breach notification rules.
#7. Malware prevention
While most data breaches now rely heavily on social engineering attacks, malware is still just as widespread as it always was. Antimalware policies and systems must be applied throughout the organization and across every area of business. This includes antivirus software, heuristic scanning, and constant monitoring of all data-bearing systems. There also need to be stringent rules governing the deployment of new software.
#8. Removable media
Removable media might not be as widespread as it once was, but many companies still retain large archives of potentially sensitive data on things like tape drives and external hard drives. These are common sources of dark data, which many businesses fail to retain oversight of. The use of removable media should be limited as much as possible, and all removable media should be scanned for malware before being brought into the organization.
#9. Remote working
Distributed working is the new norm in many modern businesses, but despite its benefits, it also presents some unique risks. This is often compounded by the fact that many companies have a bring your own device (BYOD) policy that allows employees to use their own devices for work. Home and mobile working must be governed by strict policies, and employee-owned devices should only ever be used for access to data, rather than storing it locally.
#10. Monitoring and alerting
Round-the-clock monitoring of all your data-bearing systems is essential for maintaining high levels of security, transparency, and accountability. For example, security incident and event management (SIEM) offers complete oversight and takes a proactive approach to mitigating potential security risks. Network traffic should also be continuously monitored to identify any unusual activity and keep administrators informed with real-time alerts.
Charles IT will carry out a comprehensive audit of your entire IT environment and provide the insights you need to uphold your DFARS 252.204-7012 obligations. Call us today to find out more.