The Defense Federal Acquisition Regulation Supplement (DFARS) applies to all Department of Defense (DoD) contractors with access to Controlled Unclassified Information (CUI). This supplement details the general requirements and identifies the types of information that need additional controls. NIST SP 800-171 is the document that details the security requirements to keep that information safe.
If you want to stay active as a DoD contractor, you must be up to date on the required security methodologies. That can be a tough challenge when operating with little to no in-house IT support. However, the DoD specifically says that “Small manufacturers may use subcontractors and/or outsource information technology requirements, but they are responsible for ensuring that these entities they use to meet the cybersecurity standards.” This means that you don’t have to take direct ownership of all security updates. The right partner can enable you to focus on your business, while the IT company worries about securing your networks.
Minimum Requirements for DFARS
While data security is an increasingly important field, the DoD has kept the requirements on contractors straightforward and reasonable. To meet the minimum requirements, you must:
1. Provide adequate security to safeguard covered defense information that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure.
2. Rapidly report cyber incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.
While that sounds straightforward and easy to meet in-house, the term adequate security can cover a lot of ground. The DoD references 14 different areas with individual minimum security requirements. These include:
- Access Control Media
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
When your area of expertise and the services provided to the DoD fall outside of the technical, meeting this level of required security can be challenging with existing resources. After all, “Meeting the SP 800-171 is not a one-time fix, rather it is a continuous assessment, monitoring and improvement process.”
That means a considerable number of man-hours devoted solely to ensuring that your business remains compliant with constantly evolving security requirements. Thankfully, the DoD understands the challenge and allows for the use of subcontractors. Data breaches happen even in the most secure computing environments. Working with a security-centric third-party provider like SysArc can give you access to the additional security required without a massive capital investment to develop internal controls and cybersecurity departments.
Cyber Security Breaches Happen… What’s Next?
Even when your systems meet or exceed the minimum requirements for DoD contractors, breaches happen. In 2017, sensitive information was found on an unsecured Amazon server. Not only was the data unencrypted, you didn’t even need a password to gain access. While this isn’t an actual intrusion into a protected system, it easily demonstrates the need for tighter controls over sensitive information. To help with those controls, the DoD now requires rapid reporting on all intrusions and potential security threats. Rapid reporting means within 72-hours of the discovery. While the DoD makes reporting easy using this link, getting together all of the needed information could be a challenge without a cybersecurity expert on hand to help.
Benefits of Subcontracting Cyber Security
Creating internal security systems that meet all 14 areas of required security minimums for the DoD would not only be cost prohibitive, it would take a lot of time. Since all contractors are required to meet these standards before starting work, and thus collecting invoices, that’s a substantial upfront investment with little guarantee of eventual profit. Third-party providers like SysArc already have the security in place to meet the minimum requirements.
If you need cloud-based services, their systems are compliant. If your on-the-ground systems need updating, instead of devoting every in-house IT resource you have, you can rely on their security options.
A large portion of DFARS/NIST 800-171 requirements falls under the heading of reporting and auditing.
- SysArc’s virtual CISO services give you access to the documentation you need to handle an audit, create a strategic plan to handle security moving forward and generate reports on existing systems and potential breaches.
- With Security Incident Response support, you have a team of security experts responding to every breach.
- Advanced Cyber Security Monitoring tracks intrusions in real time and watches for odd network behaviors that could indicate a breach.
- You not only get security during an incident but also have regular scans to identify potential areas of weakness along with remediation reports to help you close those security gaps.
Security Awareness Training is another essential part of keeping your network closed to intruders.
- SysArc offers all of these options under the heading of their ProtectIT Managed Security Service.
Essentially, you go from underprepared to ready for DoD contract requirements quickly and seamlessly. Best of all, as a subcontractor solely on board for IT services, you can scale up or down depending on your needs. If you choose not to continue with DoD contracting and no longer need that level of security, downgrading is simple. If you scale up your contracts and expand business operations, your security scales with you.