How Can A Small Business Approach Compliance?


Protecting controlled unclassified information (CUI) has been a top priority for the Department of Defense and its 200,000-strong supply chain in recent years. Facing increasing threats from state-sponsored attackers and cybercriminals, defense contractors and their subcontractors are now under increasing pressure to step up their cybersecurity.

What is the DFARS 7012 clause?

The DFARS 252.204-7012 clause requires that defense contractors and subcontractors follow the best practices outlined in the NIST Special Publication 800-171 document. This is one of the most widely recognized standards for data governance, confidentiality, and security. The framework defines 110 controls across 14 control groups, explained in a 67-page document.

Security assessments

The first thing any organization needs to do is carry out an assessment of its current computing environment against the 110 controls defined by NIST 800-171. A preliminary gap assessment will identify any potential ‘gaps’ in your security that add unnecessary risk to your environment and may be in conflict with your obligations as a defense contractor.

While related CMMC legislation gives government-approved auditors the right to assess your environment and assign a security maturity score, it is always better to take a proactive stance. A thorough vulnerability assessment will give you a chance to improve your security and patch any potential issues before they lead to far-reaching consequences.

Ideally, you should carry out a comprehensive assessment of your technology environment at least once per year or whenever you make any significant changes. Everything, including any changes, should be thoroughly documented. After all, a contractor may ask for evidence of your efforts to achieve and maintain compliance at any time.

When contracting out work, the DoD will routinely consider how your controls stack up against its requirements and industry best practices. Precisely how you implement the NIST 800-171 controls is up to you, but adhering to all of them will greatly increase your chances of winning lucrative contracts with the DoD. Similarly, achieving a higher level of cybersecurity maturity can open up even more possibilities.

Identification and authentication

By now, every business should be familiar with the importance of encrypting data in transit and at rest, no matter where it lives. But encryption is only one layer of security. It will not stop an attacker if you do not have sufficiently strong identification and authentication measures in place. This requires the right combination of technological, administrative, and physical safeguards. For example, no amount of policy-making can protect CUI or other assets if policies are not enforced through employee training and technical controls.

DFARS 252.204-7012 mandates that all CUI is protected behind two or more authentication factors that verify the user’s identity. After all, passwords alone are highly vulnerable to social engineering attackers, even when a robust password policy is in place.

To keep risk to a healthy minimum, you should also follow the principle of least privilege. This way, no single individual will ever have access to information that they do not explicitly need to do their jobs. The same applies when establishing the relationships between applications and devices, which may need to share certain data to function correctly.

Incident response and reporting

The DFARS 7012 clause also mandates that any incidents are reported to the DoD within 72 hours of their discovery. Given that it still takes weeks or even months for many organizations to report a data breach, this might sound like an impossibly small window. However, with real-time monitoring, alerting, and reporting in place, it should be possible to drastically reduce the time it takes to detect and report an incident. Armed with this information, it should also be possible to stop most attacks before they cause serious damage.

Your incident response plan must be regularly reviewed and updated. After all, it will rapidly lose its relevance as you change your systems and employees come and go. The plan should also be tested regularly to ensure it remains effective. A comprehensive response plan should provide all the instructions you need to identify, contain, mitigate, recover, and learn from an incident. Once again, everything must be fully documented so that you can provide evidence of your efforts to comply with DFARS should you be compelled to.

Charles IT will help you make sure you are DFARS-compliant so that you can take on contracts that are essential to your business. Get in touch today to schedule your first gap assessment!