The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that the Department of Defense (DoD) now imposes on external contractors and suppliers.
This definitive guide provides detailed information about how the regulation applies to DoD contractors, what the minimum requirements are, and the options DoD contractors have available to meet compliance standards.
An Overview of DFARS Compliance
As cyber threats become more serious, cyber security technology continues to expand and evolve. Therefore, addressing security threats has become an ever-increasing priority for the federal government. Enforcement of “Controlled Unclassified Information” (CUI) protection continues to intensify as private government contractors and other non-federal organizations are continually required to update their security systems and procedures to meet the threats of the day.
In December 2015, the U.S. Department of Defense (DoD) published a FAR (Federal Acquisition Regulations) supplement referred to as the Defense Acquisition Federal Regulation Supplement (DFARS). The DFARS is intended to maintain cybersecurity standards according to requirements laid out by the National Institute of Standards and Technology (NIST), specifically NIST SP 800-171.
These standards were constructed to protect the confidentiality of CUI and had given DoD contractors until December 31, 2017 to meet the requirements necessary to be classified as DFARS compliant. Failure to meet these requirements could have resulted in the loss of current DoD contracts. With the deadline now past, all DoD contractors must meet the minimum requirements and show proof to the Department of Defense for all contracts moving forward.
Minimum Requirements for DFARS
While data security is an increasingly complex field, the DoD has kept the requirements on contractors straightforward and reasonable. To meet the minimum requirements, DoD contractors must:
- Provide adequate security to safeguard covered defense information that resides in or transits through your internal unclassified information systems from unauthorized access and disclosure.
- Rapidly report cyber incidents and cooperate with the DoD to respond to these security incidents, including providing access to affected media and submitting malicious software.
While that sounds straightforward and easy to meet in-house, the term “adequate security” can cover a lot of ground. DFARS details fourteen groups of security requirements, which affect numerous aspects of IT information security. In order to be considered DFARS compliant, non-federal and contractor information systems/organizations must pass a readiness assessment following NIST SP 800-171 guidelines.
The summary of guidelines include:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
For complete details on each guideline, please see “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” document provided by NIST.
When a DoD contractor’s area of expertise and the services provided to the Department of Defense fall outside of the technical, meeting this level of required security can be challenging with existing resources. After all, meeting the SP 800-171 is not a one-time fix, rather it is a continuous assessment, monitoring and improvement process.
That means that a DoD contractor will have to allocate a considerable number of man-hours devoted solely to ensuring that its business remains compliant with constantly evolving security requirements. Thankfully, the DoD understands the challenge and allows for the use of subcontractors. Data breaches happen even in the most secure computing environments. Working with a security-centric third-party provider such as a Managed Security Service Provider, or MSSP, may give contractors access to the additional security required without a massive capital investment to develop internal controls and cybersecurity departments.
Termination of Contracts and Penalties for Non-Compliance
DoD Contractors that are audited by the Department of Defense and are found to not be in compliance with DFARS NIST SP 800-171 are likely to face a stop-work order. This means that their work on behalf of DoD will be suspended until they implement suitable security measures to protect CUI. In addition, the Department of Defense may impose financial penalties, including seeking damages for breach of contract and false claims.
In the worst case scenario, DoD contractors could find that their contracts with the Department of Defense are terminated. They could even face suspension or debarment from working with the Department of Defense again.
For more information on the penalties for non-compliance, see section 252.204-7014 of DFARS here.
What Options do DoD Contractors Have?
Do it Yourself: Meet Compliance Requirements In-House
If a DoD contractor or supplier has the expertise and resources available, becoming DFARS compliant can be obtained in-house. The in-house team can follow the “Self Assessment Handbook – NIST Handbook 162” provided by NIST. This handbook was specifically developed by NIST with the intention of assisting U.S. DoD contractors who supply chains for the Department of Defense.
If the contractor does not have the expertise to meet the requirements outlined in the Self Assessment Handbook, DoD contractors have the option of outsourcing the requirements to a third-party DFARS consultant. There are many qualified and experienced Managed Security Service Providers (MSSP) in the U.S. who specialize in compliance services and monitored cyber security for DoD contractors who need to meet DFARS compliance requirements. An MSSP will be able to perform this assessment and perform any remediation work necessary to become compliant.
Outsource: Work with a DFARS Consultant
For many small DoD contractors, the most effective way to meet the requirements of DFARS is to outsource the task to a Managed Security Service Provider (MSSP) that specializes in DFARS consulting, or IT Risk Management and Compliance. Remember that DoD contractors remain ultimately responsible for ensuring that their company meets the DFARS requirements, so it is essential to choose an MSSP you are sure you can trust.
By outsourcing the DFARS Compliance work to a qualified provider, DoD contractors should save a lot of time and money getting and staying compliant. An outsourced provider will have all of the required document templates for the Gap Analysis and the System Security Plan as well as the advanced tools required to monitor and respond to security incidents. They will also have the resources required to perform the remediation steps required to become compliant and the legal documentation to prove compliance has been reached and is being maintained should the Department of Defense ask.
The Gap Analysis
The first step towards compliance will require the MSSP is see how close, or how far away, the DoD contractor is from meeting the minimum requirements outlined in DFARS. This process is called the Gap Analysis. Gap Analyses are designed to discover inadequate systems setups and processes that may not meet the DFARS regulations. Taking a close look at a company’s network and procedures is the first step to ensuring compliance.
The results of the gap analyses may reveal issues not limited to:
- How access to information systems is controlled
- How managers and information system administrators are trained
- How data records are stored
- How security controls and measures are implemented
- How incident response plans developed and implemented
Without a gap analysis, it’s impossible to know what changes an organization needs to make before it meets the DFARS regulation. The professionals at an MSSP use their findings to create remediation plans that will correct any problems and keep our clients in line with DFARS compliance standards.
The gap analysis will either aid a DoD contractor in performing their own remediation plan, or they may opt to have a third-party, such as an MSSP, perform the remediation for them.
The Remediation Plan
An MSSP will develop a remediation plan based on the findings outlined in the gap analysis. A remediation plan may involve small relatively inexpensive fixes to a network and/or its processes, or it may involve more extensive, from the ground up, development of compliant networks and processes that meet today’s NIST cyber security standards.
Remediation plans provide careful documentation of processes that don’t meet today’s standards. Having a well-researched plan also makes it easier for DoD Contractors to make necessary changes to their systems.
Ongoing Cyber Security Monitoring and Reporting
Once the remediation plan is complete and a DoD Contractor’s systems and procedures are DFARS compliant, an MSSP will have the tools and processes in place to monitor, detect, and report on cyber security breaches within the DoD Contractor’s systems in accordance with DFARS policy section 204.7302. If the DoD Contractor is not outsourcing compliance to an MSSP, they have the option to report cyber incidences themselves, given they have tools to monitor and detect such incidents. For those DoD Contractors, please see “What to do if a security breach occurs below.”
Legal Documentation: How to Prove Your Compliant with the DoD in Case of Audit
Once the MSSP helps clients meet DFARS/NIST SP 800-171 standards, they will provide legal documentation that proves compliance. This documentation provides legal protection from potential fines. Instead of taking risks, companies should make sure they have as much protection as possible. Otherwise, they could find themselves spending millions in court costs and fines.
What to do if a Security Breach Occurs
Even when systems meet or exceed the minimum DFARS requirements for DoD contractors, breaches do happen. To help with those controls, the DoD now requires rapid reporting on all intrusions and potential security threats. According the policy, rapid reporting means within 72-hours of the discovery of the breach. While the DoD makes reporting easy using this link, getting together all of the needed information could be a challenge without a cybersecurity expert on hand to help.
SysArc’s DFARS Compliance Offering:
At SysArc, we aim to help DoD Contractors understand the requirements laid out by NIST and take the proper steps necessary towards properly protecting the confidentiality of CUI, in order to be eligible for DFARS compliance and remain in good standing with the Department of Defense. Our approach follows our Robust Managed Security Services Plan (MSSP) in the utilization of our professional team, detailed processes and successful tools to meet compliance needs.
Our Security Operations Center (SOC) team of specialists set up alerts to monitor potential threats and promptly remediate any that may be found. We pay careful attention to detail in targeting weaknesses and implementing best practices to maintain security measures in the prevention of future potential threats.
A Security Services Plan will be set in place to collect and analyze data, focusing on events that could be the most impactful to your organization. We use threat intelligence tools designed to organize tasks and execute operations in the most productive way.
The tools we use include, but are not limited to:
- Vulnerability Assessments
- Determines points of weakness where attackers may infiltrate critical systems and secured data.
- Behavioral Monitoring
- Effectively monitors cybersecurity and spots anomalies.
- Intrusion Detection
- Identifies known threats and activities at the point of entry.
- Security Information and Event Management
- Finds patterns of activity in order to detect cyberattacks and place blocks in accordance with compliance guidelines.
If you are a DoD contractor needing help complying with DFARS, learn more about our NIST 800-171 Compliance Solution and get a free compliance consultation.