DFARS Cybersecurity: Requirements and Compliance

Businesses that work with the Department of Defense (DoD) understand that there are precise controls for systems that handle classified data. What is less well known is that the DFARS (Defense Federal Acquisition Regulation Supplement) safeguarding clause, DFARS 252.204-7012, imposes compliance requirements on unclassified information as well.

DFARS compliance covers information systems operated by or for a contractor that process, store, or transmit covered defense information. Security controls must be extended to these additional systems, and that expansion can have a significant impact on how your business operates.

What is DFARS Cybersecurity?

Many federal contractors process, store, and transmit sensitive federal information to support various federal agencies. Content is usually related to financial services, web, electronic mail services, security clearances, healthcare data, cloud services, communications, and satellite or weapons systems.

The DoD created the DFARS cybersecurity requirements to protect military information from adversaries who are determined to steal it. Leaks of this data would compromise military operations as well as the safety of U.S. citizens. Much of this information is classified as Secret or Top Secret, but there is also information that is less sensitive yet still requires protection.

The DoD requires both prime contractors and subcontractors to handle this important but unclassified information on their own IT networks, a fact that does not escape the notice of hostile organizations. Consequently, these contractors have to be on alert at all times to safeguard the information with which they have been entrusted. In spite of their best efforts, contractors can unknowingly leave large gaps in their data protection, and outside actors exploit those gaps to steal information.

DFARS cyber compliance was created to close those gaps. DFARS protects the unclassified DoD information residing on a contractor's internal information systems against cyber incidents. In addition, the consequences of any loss of contractor-held information can be assessed and minimized through the clause's cyber incident reporting and damage assessment processes.

This single DoD-wide approach to safeguard contractor information systems prevents the proliferation of cybersecurity clauses and contract language by the various entities across the DoD.

DFARS also requires defense contractors to comply with the specific cybersecurity requirements detailed in NIST SP 800-171. These requirements specify how Covered Defense Information (CDI), a subset of Controlled Unclassified Information (CUI), must be handled and protected.

Contractors who believe they do not handle CDI or CUI must document and justify that exception with the contracting officer, and may still be held accountable for compliance with DFARS and NIST 800-171 if the information turns out to be in scope. Non-compliance with these requirements can cost a contractor its government business.

NIST 800-171 Compliance Requirements 

The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, develops guides and standards related to information security. NIST has published a special publication, NIST SP 800-171, which serves as the guideline for protecting the confidentiality of CUI in organizations outside of the federal government. Contractor adherence to these guidelines helps the federal government carry out military missions as well as business operations.

DFARS requires the following conditions to be met in order to achieve adequate compliance:

  • Implementation of cyber incident analysis and reporting, including rapid reporting of cyber incidents to the DoD within 72 hours of discovery
  • Implementation of the 110 security requirements defined in NIST SP 800-171
  • Coverage of all covered defense information, regardless of where it resides, including Controlled Technical Information, operations security (OPSEC) critical information, Export-Controlled Information, and any other information marked or identified in the contract that does not fall into one of these categories
  • Adequate monitoring for intrusions, preservation of evidence after an incident, and disclosure of the incident to the DoD

Before the development of NIST 800-171, outside contractors and agencies created their own methods for safeguarding sensitive material. NIST 800-171 standardized the handling, transmission, and disposal of this type of data, creating uniform methods to be implemented by companies working with the government.

The 14 Points of NIST 800-171

Contractor businesses that access CUI must verify compliance and implement security requirements in 14 areas (the 800-171 requirement families):

  1. Access Control – limit system access to authorized users, processes, and devices, and to the transactions and functions each is permitted to perform
  2. Awareness and Training – make users aware of the security risks associated with their activities and train them on the applicable policies, standards, and procedures so they can carry out their duties
  3. Audit and Accountability – create, protect, retain, and review system logs so that individual users can be held accountable for their actions
  4. Configuration Management – establish baseline configurations and apply robust change management processes
  5. Identification and Authentication – identify and authenticate the information system's users, processes, and devices before allowing access
  6. Incident Response – establish operational capabilities to detect, analyze, contain, recover from, and respond to incidents
  7. Maintenance – perform timely maintenance on organizational information systems and control the tools, personnel, and techniques used for it
  8. Media Protection – protect, sanitize, and destroy media containing CUI
  9. Personnel Security – screen individuals prior to authorizing their access to information systems, and ensure such systems remain secure upon the termination or transfer of individuals
  10. Physical Protection – limit physical access to, protect, and monitor the physical facility and support infrastructure for the information systems
  11. Risk Assessment – assess the operational risk associated with processing, storage, and transmission of CUI, including regular vulnerability scanning
  12. Security Assessment – periodically assess the controls, monitor them on an ongoing basis, correct deficiencies, and maintain a system security plan and plans of action for outstanding gaps
  13. System and Communications Protection – monitor, control, and protect data at the boundaries of the system, and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security
  14. System and Information Integrity – identify, report, and correct information and information system flaws in a timely manner, protect the system from malicious code at appropriate locations, and monitor security alerts and advisories so that appropriate action can be taken

Does Your Business Meet DFARS Cybersecurity Compliance?

Gaining DFARS compliance is critical because companies cannot do business with the DoD without it. Achieving compliance can be the difference between winning contracts and not making the cut, so it is important to take the appropriate steps to ensure your company meets the requirements.

Maybe you’re a small business with inexperienced staff and no CFO or Controller. Perhaps you’d rather focus on what you’re best at and not concern yourself with regulations. Or maybe you are unsure of the regulations and don’t have confidence that your business is properly equipped.

What's Next? DFARS and CMMC

The DoD requires all of its contractors and subcontractors to abide by the DFARS regulations. Beginning in late 2020, the DoD plans to phase in the Cybersecurity Maturity Model Certification (CMMC). CMMC organizes security practices into a hierarchy of maturity levels and requires third-party certification, so that the DoD can match contracts to contractors holding the maturity level appropriate to the information involved.

This change does not mean that DFARS is going away: CMMC builds on the existing DFARS and NIST 800-171 requirements rather than replacing them. Working within the DFARS regulations and earning a CMMC maturity level will position a business favorably with the DoD.

Compliance, Security, and Trust

The protection of sensitive federal information while residing in nonfederal systems and organizations is paramount to federal agencies and can directly impact the ability of the federal government to carry out its designated missions and business operations.

Cybersecurity threats will only increase in the future, so the DoD will require positive proof that your business is set up for compliance, security, and trust. Charles IT can help you achieve DFARS compliance and be positioned to earn lucrative DoD business. To learn more and to get a quote for CMMC services, contact us today!