After lots of bidding and lots of hope, many companies finally land a Department of Defense (DoD) contract and are anxious to get started. Still, they want to be sure they are totally in compliance so they can maintain a long and profitable relationship with the government, and so they hesitate.
Or, organizations that have been doing business with the DoD for some time may know there are some major IT rule changes coming but aren’t yet up to speed. They may understand that the new rules are complex and have to do with cybersecurity. But, since they don’t know much else about cybersecurity, they kick the can down the road.
Either way, the time is nearly up to get compliant. Here is the most important information about the Defense Federal Acquisition Regulation Supplement (DFARS) implementation.
What Is DFARS and What Does It Mean for DoD Contractors?
All contractors working for DoD, even subcontractors, face a December 31, 2017, deadline to comply with DFARS 252.204.7012. This clause is in direct response to data breaches and cybersecurity threats and will be part of DoD contractor responsibility going forward. Each DoD contractor must meet technical and procedural controls spelled out by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171.
Following NIST Requirements
In short, SP 800-171 spells out the responsibilities of contractors to protect sensitive information and report cyber incidents quickly. The publication from NIST also expands the types of information that must be safeguarded and includes “Unclassified Controlled Technical Information (UCTI).”
According to NIST, UCTI is information “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance.” For this reason, all DoD contractors are subject to the DFARS clause and need to understand it and their responsibilities. The information security requirements of NIST 800-171 were created for non-federal/contractor information systems. Nonetheless, they are significant requirements in 14 different areas of IT security, ranging from access control and risk assessment to maintenance, media protection and overall system and information integrity. Here is the full list of areas addressed by SP 800-171:
- Access Control
- Media Protection
- Awareness and Training
- Personnel Security
- Audit and Accountability
- Physical Protection
- Configuration Management
- Risk Assessment
- Identification and Authentication
- Security Assessment
- Incident Response
- System and Communications Protection
- System and Information Integrity
Clearly, the NIST is taking cyber threats very seriously and expects all DoD contractors to do likewise.
Rapidly Reporting Cyber Incidents to DoD
Another major provision of DFARS is the requirement for DoD contractors, whether the prime contractors or subcontractors, to directly report to the government within 72 hours when there is a “cyber incident.” DFARS defines a cyber incident as “actions taken through use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.” This means hacking, potential hacking, attempted hacking or other disruptions. In fact, the FBI defines a cyber incident as an event that “impairs or is likely to impair the confidentiality, integrity, or availability of electronic information, information systems, services, or networks.” Obviously, contractors and their IT support personnel need to be on top of their game to ensure they catch any of these types of incidents and stay out of hot water with federal law enforcement.
DFARS also requires a System Security Plan for sensitive information, audit logging, multi-factor authentication for network access, and advance reporting of use-of-cloud computing services. No doubt, these requirements will have wide-ranging impacts on current business procedures, information security and information governance, as well as data storage and security. DoD contractors need to read the new guidelines, put their security plan in place, enlist IT consulting help as needed, and be ready to implement the changes before the New Year.
How SysArc Helps DoD Contractors Comply
Because DFARS compliance will require far-reaching combinations of technology, procedural controls and technical controls, contractors have basically two choices for ensuring they are in compliance with all of them. They can either upgrade their on-premises IT system to NIST requirements, complete with IT support and network security personnel qualified to keep it running smoothly, or they can migrate to a NIST-secure, cloud-based solution. Either way, the importance of working with an exceptional IT consulting company cannot be understated. And working with an IT company in Washington, D.C., gives DoD contractors the assurance that the agency knows the requirements and how to implement them for the best security.
SysArc offers DoD contractors expertise in government IT security issues to safeguard their business and bring it into compliance with all of the new rules. The company understands modern cybersecurity and can explain it to partners in layman’s terms so that they understand it as well. Even better, SysArc can help with strategic IT planning, which allows DoD contractors to reduce internal IT costs, training and turnover. No matter who shows up, or who doesn’t, at the office on Monday morning, there will be continuity of the company’s IT systems, with no downtime, as well as a disaster backup and recovery plan. For DoD contractors, outsourcing IT to SysArc is a smart choice. SysArc can be reached at