The hot topic for contractors in the DoD supply chain these days is DFARS compliance. DFARS regulations increase our cybersecurity maturity as a country, to better protect ourselves from threats that can disrupt the DoD supply chain.
So... what exactly is DFARS?
In the InfoSec community there seems to be an acronym for everything. The same goes for government and the defense industry, so it’s natural that there would be an acronym when the two are brought together. DFARS (pronounced “Dee-Fars”) stands for Defense Federal Acquisition Regulation Supplement. Because of the substantial increase in successful cyber-attacks in recent years, the government has placed increased scrutiny on its private-sector partners. The cybersecurity requirements live in DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): the government now requires companies to demonstrate a baseline level of cybersecurity protection to do business with DoD, and penalizes contractors that do not adequately adhere to the rules. The deadline for implementing these requirements was December 31st, 2017.

NIST 800-171

DFARS points directly to NIST SP 800-171, a set of security requirements for protecting Controlled Unclassified Information (CUI) when it is stored, processed or transmitted on a contractor’s own systems. It’s not terribly difficult to understand, but it does require a systematic, intentional approach.
There are 14 families of security requirements, with 110 individual requirements underneath them. The 14 families are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
DFARS 252.204-7012 (not NIST 800-171 itself) also mandates rapid reporting of cyber incidents that affect covered defense information or the contractor’s ability to perform on the contract: the contractor must report within 72 hours of discovery. Incidents are reported through the DIBNet portal: https://dibnet.dod.mil/portal/intranet/

What does this mean for your business?
Contractors are now accepting the new reality that revenue growth is directly tied to adhering to government cybersecurity guidelines and maintaining compliance. If you can’t demonstrate that you’re compliant with DFARS, including a plan of action with milestones for closing any remaining gaps, there’s a chance that your business will lose contracts or have existing contracts terminated.

Why do you have to do it?
Every contractor and sub-contractor in the DoD supply chain must answer to these security standards, so why does your business have to as well? Three reasons.
First and foremost, by not being compliant you’re putting your business at risk of a breach. As a compliance auditor, I often live by checklists, but we’re not doing cybersecurity audits for fun; the point is to bring protection and security to your organization. If gaps exist and you choose to leave them open, you should at least make sure your Incident Response (IR) plan is ready. Unfortunately, breaches aren’t a matter of if, but a matter of when.
Secondly, you must consider loss of contracts, proposal exclusions, adverse performance reviews and so on. Your prime contractors are going to ask about DFARS, and you should be asking your sub-contractors as well, because the clause flows down to any subcontractor that handles covered defense information.
Thirdly (and this one usually gets people’s attention), you must consider the financial penalties for non-compliance. If you represent your business as DFARS and NIST compliant when it isn’t, the government can use its favorite litigation tool against contractual fraud, the False Claims Act (aka the “Lincoln Law”), which carries treble damages plus a civil penalty for each false claim. You don’t want your business to learn about this the hard way after being dragged into court for fraud.

The good news
It’s not all doom and gloom. The good news is that your competitors must comply too, and if you take this seriously and implement a real security program with a regular cadence of identifying and closing risks, you can use it as a competitive advantage over those who pretend that DFARS isn’t real. Having a third-party firm that specializes in cybersecurity guide you will carry a lot of weight with your prime contractors.