As of Dec. 31 2017, contractors that store, transmit, or process certain types of government information were required to comply with DFARS (Defense Federal Acquisition Regulation Supplement) regulations.
If you handle either of the following two types of information, then DFARS compliance impacts you:
- Controlled technical information (CTI), such as research, engineering data/drawings, specifications, manuals, etc.
- Controlled unclassified information (CUI), such as privacy, patent, or tax information
Lack of compliance could lead to the loss of current and future government contract work. But there’s no need to panic – we’ve pulled together information to help you understand what’s required.
While DFARS regulations are specifically geared toward organizations that provide solutions and services to the U.S. government, the guidelines serve as a good roadmap for any organization interested in establishing a solid cybersecurity program.
What is DFARS?
DFARS compliance is a multi-step process involving the creation and documentation of cybersecurity systems, processes, and technology. Essentially, it ensures that you have appropriate cybersecurity measures in place to work with sensitive government information.
DFARS NIST 800-171a regulations include 110 security controls, which were established from a mix of FIPS 200 security requirements and NIST 800-53 security requirements. They are grouped into 14 different “families.” Here are some examples of high level controls required for each of the families:
1. Access Control
Limiting access to only those who are authorized (through measures like restricting unsuccessful login attempts and encrypting CUI on devices).
- Create/maintain a list of users who have information access
- Limit and monitor remote, wireless, and mobile access
2. Awareness and Training
Ensuring that employees know how to responsibly complete tasks according to appropriate policies and procedures.
- Provide annual general security training to staff
- Provide additional job-specific training to those who need it
3. Auditing and Accountability
Creating, storing, and reviewing activity trails and logs.
- Actively review audit logs
- Sync time stamps across all data systems
4. Configuration Management
Developing and maintaining baseline configurations for hardware, software, firmware, etc.
- Implement/enforce hardening guidelines
- Ensure that configuration changes are reviewed and approved before implementation
5. Identification and Authentication
Correctly identifying and authenticating approved users/devices.
- Implement password-complexity rules, requiring minimum characters and numbers/symbols
- Only use encryption to store/transmit passwords
6. Incident Response
Establishing processes to dictate how your organization will respond before, during, and after a breach.
- Create an incident response plan
- Track internal and external incidents as they occur
Performing all necessary hardware and software maintenance and updates.
- Sanitize decommissioned media
- Utilize the most up-to-date versions of antivirus and anti-malware solutions
8. Media Protection
Protecting and managing any media that contains CUI.
- Control/prohibit use of removable media
- Protect backups at offsite storage locations
9. Personnel Security
Appropriate screening of people who have access to information, as well as appropriately removing access when necessary.
- Perform background checks on individuals who are authorized to access data
- Enforce termination/transfer processes and verify that access is revoked
10. Physical Protection
Preventing access through physical security.
- Monitor/escort in-person visitors
- Maintain logs of who has access (and when they’re accessing information)
11. Risk Assessment
Assessing risks associated with handling controlled unclassified information.
- Identify and document potential risks
- Prioritize and remediate potential vulnerabilities
12. Security Assessment
Monitoring for, identifying, and correcting security vulnerabilities.
- Create a security plan of action
- Complete vulnerability scanning and penetrating testing
13. System and Communications Protection
Creating information security policies and procedures to monitor, control, and protect communications.
- Create network/architecture diagrams
- Limit/prohibit collaborative computing devices (cameras/microphones)
14. System and Information Integrity
Taking necessary actions to monitor for, identify, and correct potential information system flaws.
- Install patches and software updates
- Implement automated vulnerability identification and remediation
To be compliant, DFARS regulations require that you complete all 110 security controls. That may seem like a daunting task, but there’s good news: Upon reviewing them, we believe that there are about 60 controls you can likely complete on your own without help from a third party. Depending on the size and talents of your team, there may be even more controls you can implement on your own.
There are others, however – at least 18 of the 110 controls, in our opinion – that we think will likely require involvement from a third-party professional to ensure compliance with DFARS regulations. In these cases, your team may be able to take them on, but outsourcing can help share risk and ensure that processes are being completed thoroughly and correctly.
If your organization processes, stores, or transmits DoD-controlled information as mentioned above, we recommend taking the following steps:
- Become familiar with the 110 cybersecurity controls
- Assess current cybersecurity strategies and tactics
- Determine gaps and identify areas of non-compliance
- Pinpoint potential solutions to comply with all 110 cybersecurity controls
- Decide how gaps will be addressed and resolved
- Implement a plan and solutions to comply with all regulations
If DFARS regulations seem overwhelming, think of them this way: they’re simply another layer of compliance requirements. If you’ve had to follow PCI, ISO, or HIPAA requirements, for example, DFARS compliance is just a more detailed, defined approach to meet cybersecurity regulations.
Although it’s likely that you can implement several of these required practices on your own, ProCircular can help when you need an independent, third-party perspective or verification. We can also provide suggestions for ways to meet some of the more challenging controls requirements.
Knowing that cybersecurity plans and programs are never “done,” and are constantly changing to guard against the most recent threats, we anticipate that DFARS regulations become even stricter in the future – and potentially expand to include not only federal government agencies, but also schools, municipalities, and local government agencies.
Want to learn more about DFARS regulations and compliance? (Or ready to get started with a simple cybersecurity program?) Contact us – we’ll be happy to answer your questions!
P.S. To get a copy of our DFARS checklist, which outlines all 110 controls, difficulty levels associated with implementing them, and different options for compliance for each control, just send us a note!