First things first: if you are a contractor or subcontractor working for the US Department of Defense, you are required to comply with something called DFARS.
DFARS is the Defense Federal Acquisition Regulation Supplement. Its clause 252.204-7012 (added in 2015 and revised in 2016, with a final implementation deadline at the end of 2017) stipulates that every organization handling, storing, processing, or transmitting certain Department of Defense (DoD) information must meet specific conditions for safeguarding that information and for reporting cyber incidents.
Most importantly, as year's end comes into view, you need to be aware of the fast-approaching deadline for compliance, and of the key concepts named in the clause's title: Safeguarding Covered Defense Information and Cyber Incident Reporting.
What is Covered Defense Information?
DFARS defines Covered Defense Information (CDI) as unclassified controlled technical information, or other information described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls and that is either provided to you by the DoD in connection with the contract or collected, developed, or stored by you in performing it. The clause requires "adequate security" for CDI, and it defines adequate security by reference to the security requirements in NIST Special Publication 800-171.
So, for example, if you are an engineering firm, network provider, software developer, heavy equipment manufacturer, or any other kind of company operating on a DoD contract, there is a high likelihood that you will handle CDI.
This means that you must not only implement NIST 800-171's security requirements on every internal system that processes, stores, or transmits CDI (not just the connections between your systems and the government's), but also maintain a reliable process for Cyber Incident Reporting, and flow both obligations down to any subcontractor that handles CDI on your behalf.
What is Cyber Incident Reporting?
Given the frequency and sophistication with which attackers target organizations these days, including the US Government itself, DoD contractors and subcontractors are squarely in the crosshairs. Inevitably, some of them will be breached.
When a cyber incident affects CDI, or a contractor system that processes, stores, or transmits CDI, it is the contractor's or subcontractor's responsibility to report it to the DoD within 72 hours of discovery, through the DIBNet portal (https://dibnet.dod.mil). Access to that portal requires a DoD-approved medium assurance certificate, so obtain one before you need it. The 72-hour clock runs from discovery, not from the end of your analysis, so an initial report may be incomplete and updated later. Alongside the report, the clause requires you to review your systems for evidence of compromise and identify the compromised computers, servers, specific data, and user accounts; preserve images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days after submitting the report; submit any malicious software you isolate to the DoD Cyber Crime Center (DC3) as instructed; and give the DoD access to the affected equipment and information if it needs them for a damage assessment. Note that the report identifies the affected data and systems; it does not include the affected data itself.
What is the Deadline?
Don't be alarmed, and our apologies for the short notice, but the DoD's Acquisition, Technology, and Logistics website quotes the clause directly: to be compliant with DFARS clause 252.204-7012, "The Contractor shall implement NIST 800-171 as soon as practical, but not later than December 31, 2017." If a particular requirement cannot be implemented in your environment, the clause does allow you to ask the DoD Chief Information Officer in writing to approve an alternative, but equally effective, security measure; it does not allow you to simply skip the requirement.
Failing to ensure that your firm meets NIST 800-171's requirements for CDI, and that your procedures for analyzing and reporting cyber incidents are sound, may result in liability under the False Claims Act, a spate of negative past-performance ratings, significant reductions to your fees, or termination of your contract.
How can CharlesIT help?
The data-protection requirements stipulated by DFARS are nothing new for our certified cybersecurity specialists. We've been designing, deploying, and managing network defenses, data storage, industry compliance programs, and business continuity plans for years, for both private- and public-sector organizations.
It always starts with a thorough assessment of your existing security infrastructure, followed by a comprehensive report on any vulnerabilities or weaknesses, and finally detailed recommendations for improvement. We do the same for DFARS, so that CDI in your possession is adequately secured and any qualifying cyber incidents you uncover are reported within the allotted time frame.
So if you don't have the resources or the expertise to cover every detail in the 76-page NIST special publication yourself, call CharlesIT today. Next year is right around the corner, this is the year for Defense Federal Acquisition Regulation Supplement compliance, and working for the DoD requires a bit of TLC.