DFARS 252.204-7012: Tips for making sure your IT maintenance is up to standard
Unscheduled downtime costs businesses millions of dollars every year, but lost productivity is not the only threat. Maintaining the integrity of any information-bearing system is also essential for meeting regulatory demands, such as those imposed by the DFARS 252.204-7012 clause. Maintaining baseline configurations to preserve the integrity of information and security controls is also a core component of the NIST SP 800-171 framework. Furthermore, DFARS 7012 mandates media preservation and protection, among other things. Keeping your systems proactively maintained is the most effective way to ensure smooth operation and ongoing compliance with most industry regulations.
With that in mind, here are our top recommendations for ensuring your IT maintenance is up to the job:
#1. Automated patch management
Patch management is essential for protecting information systems and networks against new and emerging threats, including vulnerabilities that were only discovered after a software application was released. Any enterprise software that is still supported by its original developers should receive a regular stream of security updates. If, however, the software is beyond its extended support lifecycle, it should be retired immediately.
Given the complexity and diversity of today’s business computing systems, it is impractical to apply patches manually at scale. Instead, an automated solution that works off an up-to-date inventory of all your production systems and automatically installs critical security fixes helps keep your systems safe while minimizing disruption.
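The two rules above (retire software that is out of support, and apply critical fixes automatically from an up-to-date inventory) can be expressed as a small triage routine. The following is an added example written for this page, not a tool from Charles IT or any vendor; the hosts, versions, support dates and the advisory identifiers (`ADV-EXAMPLE-1`, `ADV-EXAMPLE-2`) are all constructed, and the severity threshold for automatic deployment is an assumed policy.

```python
from datetime import date

# Constructed sample inventory: hypothetical hosts, products, versions and
# vendor support end dates. None of these are real systems.
INVENTORY = [
    {"host": "web-01", "software": "nginx", "version": "1.18.0", "support_ends": date(2026, 4, 30)},
    {"host": "web-02", "software": "nginx", "version": "1.24.0", "support_ends": date(2026, 4, 30)},
    {"host": "db-01", "software": "postgres", "version": "9.6.24", "support_ends": date(2021, 11, 11)},
    {"host": "app-01", "software": "openssl", "version": "3.0.9", "support_ends": date(2026, 9, 7)},
]

# Constructed advisory feed: placeholder identifier, affected product,
# first version containing the fix, and severity. Not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "software": "nginx", "fixed_in": "1.20.1", "severity": "critical"},
    {"id": "ADV-EXAMPLE-2", "software": "openssl", "fixed_in": "3.0.10", "severity": "high"},
]


def parse_version(text):
    """Turn '1.20.1' into (1, 20, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def triage(inventory, advisories, today, auto_apply=("critical",)):
    """Decide, per inventory item, whether to retire, auto-patch, schedule, or do nothing.

    Returns a list of (host, software, action, detail) tuples in inventory order.
    The `auto_apply` severities are an assumed policy: those fixes go out without
    waiting for a maintenance window, everything else is scheduled.
    """
    actions = []
    for item in inventory:
        # Software past its support lifecycle receives no fixes: retire it rather than patch it.
        if item["support_ends"] < today:
            actions.append((item["host"], item["software"], "retire",
                            f"support ended {item['support_ends'].isoformat()}"))
            continue
        installed = parse_version(item["version"])
        for adv in advisories:
            if adv["software"] != item["software"]:
                continue
            if installed < parse_version(adv["fixed_in"]):
                action = "auto-patch" if adv["severity"] in auto_apply else "schedule"
                actions.append((item["host"], item["software"], action,
                                f"{adv['id']}: upgrade to {adv['fixed_in']}"))
    return actions


def example_actions():
    """Run the triage over the constructed data as of a fixed date."""
    return triage(INVENTORY, ADVISORIES, date(2024, 6, 1))


if __name__ == "__main__":
    for host, software, action, detail in example_actions():
        print(f"{host:8} {software:9} {action:10} {detail}")
```

Comparing versions as integer tuples rather than strings matters: as strings, `"1.9.9"` sorts after `"1.20.1"`, which would silently mark a vulnerable host as patched. The retire check runs before the advisory check on purpose, so an out-of-support system is never reported as merely "needs a patch".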
#2. Backup and disaster recovery
Information integrity is one of the pillars of DFARS 7012 compliance, which is why it is crucial to have a documented backup and disaster-recovery plan. This will help ensure that mission-critical data is kept safe from common threats like ransomware or unexpected system failures.
Many businesses, however, focus almost entirely on the backup element of disaster recovery. It is just as important to ensure that the restorative processes your organization uses in the event of an incident are in line with your requirements and those of clients and stakeholders. Your recovery time objective (RTO) and recovery point objective (RPO) define, respectively, the maximum amount of time it should take to recover a system and the maximum amount of data you can afford to lose.
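To make RTO and RPO measurable rather than aspirational, each real or rehearsed incident can be scored against them. The following is an added example for this page (not Charles IT code); the systems, backup timestamps, objectives and incident times are constructed, and the `erp-db` 03:00 backup is deliberately absent to show how one failed job breaches an RPO that the schedule itself could meet.

```python
from datetime import datetime, timedelta

# Constructed backup log: completed backup timestamps per hypothetical system.
# erp-db is backed up hourly, but the 03:00 job is missing (simulated failure).
BACKUPS = {
    "fileserver": [datetime(2024, 5, 1, 2, 0), datetime(2024, 5, 2, 2, 0), datetime(2024, 5, 3, 2, 0)],
    "erp-db": [datetime(2024, 5, 3, 0, 0), datetime(2024, 5, 3, 1, 0), datetime(2024, 5, 3, 2, 0)],
}
# Constructed objectives agreed with stakeholders for each system.
OBJECTIVES = {
    "fileserver": {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
    "erp-db": {"rpo": timedelta(hours=1), "rto": timedelta(hours=2)},
}
# Constructed incident records: when the system failed and when service was restored.
INCIDENTS = [
    {"system": "fileserver", "failed_at": datetime(2024, 5, 3, 14, 30), "restored_at": datetime(2024, 5, 3, 20, 0)},
    {"system": "erp-db", "failed_at": datetime(2024, 5, 3, 3, 45), "restored_at": datetime(2024, 5, 3, 6, 15)},
]


def evaluate_incident(incident, backups, objectives):
    """Score one incident against its system's RPO and RTO.

    data_loss = failure time minus the last good backup before it (compared to RPO)
    downtime  = restoration time minus failure time (compared to RTO)
    """
    system = incident["system"]
    prior = [b for b in backups.get(system, []) if b <= incident["failed_at"]]
    # With no backup before the failure the loss is unbounded, which never meets an RPO.
    data_loss = incident["failed_at"] - max(prior) if prior else None
    downtime = incident["restored_at"] - incident["failed_at"]
    obj = objectives[system]
    return {
        "system": system,
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= obj["rpo"],
        "downtime": downtime,
        "rto_met": downtime <= obj["rto"],
    }


def schedule_meets_rpo(system, backups, objectives):
    """A backup schedule can only honour the RPO if no gap between successive backups exceeds it."""
    times = sorted(backups.get(system, []))
    if len(times) < 2:
        return False
    widest_gap = max(later - earlier for earlier, later in zip(times, times[1:]))
    return widest_gap <= objectives[system]["rpo"]


def evaluate_all():
    """Score every constructed incident."""
    return [evaluate_incident(i, BACKUPS, OBJECTIVES) for i in INCIDENTS]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r['system']}: data loss {r['data_loss']} (RPO met: {r['rpo_met']}), "
              f"downtime {r['downtime']} (RTO met: {r['rto_met']})")
    for system in BACKUPS:
        print(f"{system}: schedule can meet RPO: {schedule_meets_rpo(system, BACKUPS, OBJECTIVES)}")
```

In the constructed data the file server meets both objectives, while `erp-db` misses both: the schedule is tight enough for a one-hour RPO, but the missed 03:00 job leaves 1h45m of loss, and a 2h30m restore overruns a two-hour RTO. Tracking both numbers per incident, and checking the schedule gap separately, is what turns "we have backups" into evidence that the recovery plan works.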
#3. Information security baselines
Every organization needs to meet a certain predefined standard of security in order to comply with regulations, as well as internal needs. While it is impossible to create a completely risk-free environment, establishing a security baseline will help ensure you pass your compliance audits and live up to the demands of clients and stakeholders.
The NIST 800-171 special publication serves as a strong foundation upon which to define the minimum standards of security and compliance. Many compliance regimes, including DFARS 252.204-7012, are based on this internationally recognized framework.
#4. Monitoring and alerting solutions
You cannot protect what you do not know about, which is why round-the-clock monitoring and automated alerting are essential to any IT maintenance program. After all, it is much better if you are proactively informed about any anomalous system activity, so you have a chance to act before it becomes a problem. For example, if a storage system is recording errors in disk integrity, an early warning should give you time to replace it before you start losing data.
Ongoing monitoring and alerting solutions, such as security information and event management (SIEM) platforms and outsourced security operations centers (SOCs), will cast a watchful eye over the integrity and security of your systems to minimize downtime and uphold the demands of compliance.
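The disk-integrity scenario above is a good illustration of what an alerting rule actually does: it reads the signals a system already emits and decides when they add up to something a person must act on. The following is an added example for this page, not code from Charles IT or from any SIEM product. The log excerpt is constructed (the line formats mirror what the Linux block layer and smartd emit, but the host, devices and values are made up), and the alert threshold of two I/O errors is an assumed tuning choice.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt from a hypothetical file server "fs-01".
SAMPLE_LOG = """\
May  3 01:12:07 fs-01 kernel: [12345.678] blk_update_request: I/O error, dev sdb, sector 104857600
May  3 01:12:09 fs-01 kernel: [12347.001] blk_update_request: I/O error, dev sdb, sector 104857608
May  3 01:15:00 fs-01 smartd[812]: Device: /dev/sdb [SAT], 4 Currently unreadable (pending) sectors
May  3 01:20:00 fs-01 smartd[812]: Device: /dev/sda [SAT], SMART Usage Attribute: 194 Temperature_Celsius changed from 35 to 36
May  3 02:00:00 fs-01 kernel: [15000.000] blk_update_request: I/O error, dev sda, sector 2048
"""

# Kernel block-layer I/O error: capture the device name.
IO_ERROR = re.compile(r"I/O error, dev (?P<dev>\w+)")
# smartd pending-sector warning: capture device and current count.
PENDING = re.compile(
    r"smartd\[\d+\]: Device: /dev/(?P<dev>\w+) .*?(?P<count>\d+) Currently unreadable \(pending\) sectors"
)


def analyze(log_text, io_error_threshold=2):
    """Count disk-integrity signals per device and flag those that warrant an alert.

    A device is flagged when it logs at least `io_error_threshold` I/O errors or
    reports any pending (unreadable) sectors. A single error on an otherwise healthy
    disk is recorded but not alerted on, so the alert channel does not become noise.
    """
    stats = defaultdict(lambda: {"io_errors": 0, "pending_sectors": 0})
    for line in log_text.splitlines():
        m = IO_ERROR.search(line)
        if m:
            stats[m.group("dev")]["io_errors"] += 1
            continue
        m = PENDING.search(line)
        if m:
            dev = m.group("dev")
            # Keep the highest count seen: smartd repeats the current total, not a delta.
            stats[dev]["pending_sectors"] = max(stats[dev]["pending_sectors"], int(m.group("count")))
    for s in stats.values():
        s["alert"] = s["io_errors"] >= io_error_threshold or s["pending_sectors"] > 0
    return dict(stats)


def alerts(log_text, io_error_threshold=2):
    """Return the devices that should raise an alert, sorted for stable output."""
    return sorted(dev for dev, s in analyze(log_text, io_error_threshold).items() if s["alert"])


if __name__ == "__main__":
    for dev, s in sorted(analyze(SAMPLE_LOG).items()):
        status = "ALERT" if s["alert"] else "ok"
        print(f"{dev}: {s['io_errors']} I/O errors, {s['pending_sectors']} pending sectors -> {status}")
```

On the constructed log, `sdb` is flagged (two I/O errors and four pending sectors) while `sda` is not (one error, and its only smartd line is a temperature change). The same shape, a parser per signal plus a rule that combines counts into a decision, is what a SIEM correlation rule does at scale, and the threshold is where you trade early warning against false alarms.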
#5. Regular compliance auditing
The DFARS 7012 clause requires all contractors that make up the Defense Industrial Base to comply with the standards laid out by the NIST SP 800-171 framework. Regulatory bodies are now scrutinizing companies across the DoD supply chain to ensure they are adhering to these standards. However, rather than waiting for a surprise audit, it is far better to take a proactive approach with regular security and compliance auditing to ensure you are ready to pass an official audit when the time comes.
These audits should ideally be carried out by a third party, which provides a fresh perspective and may reveal issues you might not have thought about. This will help you demonstrate and validate accountability and, in doing so, win more profitable requests for proposals (RFP) from potential clients.
Charles IT provides unlimited IT support to proactively protect you from unscheduled downtime and compliance and security risks. Schedule an assessment today to learn more.