In order to operate legally, businesses must comply with certain requirements regarding their labor practices, safety procedures, and transactions. It's a no-brainer for management to make sure the company meets its legal obligations, because noncompliance with even the minimum requirements could result in missed opportunities and, in certain industries, heavy penalties.
Additionally, understanding the reasons for rules, laws, and regulations that govern your business or sector will help you take advantage of the benefits they offer.
As cyberthreats become more complex, cybersecurity continues to expand to combat them. Because of these changes, the federal government is compelled to prioritize the security of organizations and their customers. The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that the US Department of Defense (DoD) now imposes on external contractors and suppliers. For businesses with government or defense-related contracts, compliance with DFARS is crucial.
A closer look at DFARS
In December 2015, the DoD published DFARS. These standards were constructed to protect the confidentiality of Controlled Unclassified Information (CUI) and gave DoD contractors until December 31, 2017 to meet the requirements necessary to be classified as DFARS compliant. Now that the deadline has passed, all DoD contractors must meet the minimum requirements for compliance to move forward.
Minimum requirements for DFARS
In spite of the increasingly complex field of data security, the DoD has kept the requirements for contractors reasonable and straightforward. The following are their minimum requirements:
- Provide adequate security to safeguard covered defense information that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure; and
- Rapidly report cyber incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.
DFARS details 14 groups of IT security requirements. To be compliant, non-federal and contractor information systems/organizations must pass a readiness assessment following NIST SP 800-171 guidelines:
- Access Control – limits system access to authorized users
- Awareness and Training – ensures users are aware of the security risks associated with their activities and are trained on the applicable policies, standards, and procedures so they can carry out their duties
- Audit and Accountability – creation, protection, retention, and review of system logs
- Configuration Management – creation of baseline configuration and use of robust change management processes
- Identification and Authentication – identify and authenticate the information system’s users and devices
- Incident Response – develop operations to detect, analyze, contain, recover from, and respond to incidents
- Maintenance – perform timely maintenance on organizational information systems
- Media Protection – ensure the protection, sanitation, and destruction of media containing CUI
- Personnel Security – screen individuals prior to authorizing their access to information systems and ensure such systems remain secure upon the termination or transfer of individuals
- Physical Protection – limit physical access to, protect, and monitor the physical facility and support infrastructure for the information systems
- Risk Assessment – assess the operational risk associated with processing, storage, and transmission of CUI
- Security Assessment – assess, monitor, and correct deficiencies as well as reduce or eliminate vulnerabilities in organizational information systems
- System and Communications Protection – monitor, control, and protect data at the boundaries of the system, and employ architectural designs, software development techniques, and system engineering principles that promote effective information security
- System and Information Integrity – identify, report, and correct information and information system flaws in a timely manner, protect the information system from malicious code at appropriate locations, and monitor information security alerts and advisories and take appropriate actions
Getting technical: Understanding DFARS’ key requirements
- DFARS 3.12.1 and DFARS 3.12.3: Security Assessment – You must regularly assess the environments containing CUI. It’s best to include upper management and the employees who take part in processes or environments that store, transmit, or process CUI or covered defense information (CDI). It is wise to run an assessment twice a year or every quarter.
- DFARS 3.5.3: Identification and Authentication – Under DFARS, it’s mandatory to have multifactor authentication (MFA) or two-factor authentication (2FA) for all local and network access. Research and review your budget before you start looking for viable options to implement MFA. Solutions like Google Authenticator are a good choice, or you can ask your trusted managed services provider (MSP) for other options.
- DFARS 3.6.1: Incident Response – Make sure that you can prepare for, identify, contain, eradicate, recover from, and learn from an incident like a data breach or ransomware attack. Having an incident response plan in place will help prevent data loss, damage, and the related penalties and fines. Your incident response plan must also be kept up to date so that you remain compliant and can adapt to new technologies.
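The MFA requirement above names Google Authenticator, which implements the time-based one-time password scheme of RFC 6238 (HOTP from RFC 4226 with a counter derived from the clock). The following is an added example, not code from the original post or from Charles IT, showing what a server-side TOTP check involves: HMAC-SHA1 over the time-step counter, dynamic truncation to six digits, a small tolerance window for clock drift, a constant-time comparison, and rejection of a code that has already been accepted (replay). The secret used is the published RFC test-vector seed, not a real credential, and the function and class names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # RFC 6238 default: a new code every 30 seconds
DIGITS = 6       # what Google Authenticator displays

# The RFC 4226/6238 test seed "12345678901234567890", base32-encoded the way an
# authenticator app would receive it in a provisioning QR code. Not a real credential.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (what the app shows)."""
    return hotp(base64.b32decode(secret_b32.upper()), at // step)


class TotpVerifier:
    """Server-side check for one enrolled user.

    Accepts the code for the current step and +/- `window` steps to absorb clock
    drift, compares in constant time, and never accepts a step at or below the
    last step already used, so a captured code cannot be replayed.
    """

    def __init__(self, secret_b32: str, window: int = 1, step: int = TIME_STEP):
        self.secret = base64.b32decode(secret_b32.upper())
        self.window = window
        self.step = step
        self.last_counter = -1          # highest time step accepted so far

    def verify(self, submitted: str, at: int) -> bool:
        # Reject anything that is not exactly DIGITS decimal digits before doing any crypto.
        if not (submitted.isdigit() and len(submitted) == DIGITS):
            return False
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:  # already consumed (or older): replay protection
                continue
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET_B32, now)
    verifier = TotpVerifier(RFC_TEST_SECRET_B32)
    print("current code:", code, "accepted:", verifier.verify(code, now))
    print("same code again accepted:", verifier.verify(code, now))  # False: replay rejected
```

The window of one step on each side is the usual compromise: it tolerates a phone clock that is up to 30 seconds off without materially widening the guessing space, and the `last_counter` check closes the replay gap that the window would otherwise open. Rate-limiting failed attempts per account is still needed on top of this, since six digits give an attacker a one-in-a-million chance per guess.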
When your area of expertise and the services you provide to the DoD fall outside the technical, adhering to this level of required security can be challenging, because compliance is not a one-time event but a continuous process of assessment, monitoring, and improvement.
This will require you to allocate a considerable number of man-hours to ensure your business remains compliant. Thankfully, the DoD allows subcontractors. Working with a security-centric MSP like Charles IT could give you the additional security required without a massive capital investment from you. Call us today, and we’ll help you take the right steps toward better compliance.