The DFARS 252.204-7012 clause requires defense contractors and subcontractors to implement adequate security measures to protect controlled unclassified information (CUI). This is, of course, an extremely vague term that, by itself, is rather unhelpful.
The term ‘adequate security’ is, however, vague for good reason. The cyberthreat landscape changes all the time, as do the best practices that need to be implemented to protect against the latest threats. For example, control systems designed to counter common threats several years ago might no longer provide a satisfactory level of protection.
DFARS defines adequate security as the protective measures taken to mitigate the risk of an attack. The documentation obligates defense contractors to follow the industry-standard NIST Special Publication 800-171 framework, which also provides some flexibility over precisely which measures to take. After all, every computing environment is different, so there is no such thing as a completely standardized set of controls and systems.
Following the NIST SP 800-171 framework
The DFARS cybersecurity requirements are based upon the framework set out by the National Institute of Standards and Technology (NIST). The documentation lists all the measures you need to take to ensure that ‘adequate security’ standards have been met. In other words, it is a baseline that organizations should follow to achieve a satisfactory level of protection against cyberthreats.
To secure your data systems, you need to protect all the physical and virtual components that make up your infrastructure. Physical components include things like workstations, networking hardware, and mobile devices. Virtual components include things like virtual machines hosted in the cloud, web-based apps and their storage systems, and virtual networking infrastructure. You also need a set of clearly defined policies and processes in place to govern how these various components function within security parameters.
The NIST SP 800-171 framework is shorter and simpler than the 800-53 one, but the publication is still 76 pages long. It contains 110 controls across 14 security domains, such as Access Control (AC), Audit and Accountability (AA), and Awareness and Training (AT). You can think of these controls as the various high-level requirements you need to implement to achieve adequate security. However, precisely how you implement these controls is up to you. In other words, much like paying taxes, you have to do it, but there are different ways to do it.
Building your security strategy
There is more to achieving adequate security than complying with regulations or implementing the most commonly accepted best practices. Every organization also needs to determine its own definition of adequate, and the range of actions taken can vary considerably. The best approach is to start by asking yourself the right questions, such as what you need to protect, which of your assets handle CUI, and how you can effectively manage residual risk. After all, no organization can fully protect everything and prevent every possible attack, which is why it is important to prioritize.
When building your security strategy, you need to think about the unique characteristics that make up your business and its market. For example, businesses managing multiple physical locations may need to take a broader range of protective measures than an organization that only operates a single location. Also, protecting a highly distributed computing environment in which employees often work from home using their own devices is very different from protecting a traditional in-house network.
In the end, adequate security is largely a matter of determining and managing risk and, in the case of DFARS compliance, ensuring all 110 controls of NIST SP 800-171 are being met. A level of risk will always remain, but by following the industry best practices exhaustively, it should be possible to bring that risk down to a negligible level. Achieving perfection is not the goal, simply because that is impossible. Instead, the goal should be continuous improvement through the establishment of a routine auditing process that regularly evaluates your existing security controls and how they match up against the latest best practices.
Charles IT helps both large defense contractors and small businesses looking to win lucrative contracts with the DoD achieve the highest possible levels of security. Get in touch today to schedule a comprehensive assessment of your current DFARS security posture!