DFARS COMPLIANCE: A COMPREHENSIVE GUIDE TO UNDERSTANDING REQUIREMENTS
As a DoD contractor, you understand that compliance with federal government regulations is no easy affair. Not only are the regulations extensive, but interpretations of them vary and are often evolving. On top of this changing landscape, there are also the risks of fines and business impacts for noncompliance, which can be dire.
It’s a lot to consider, which is why we have created this resource—it’s your comprehensive guide to understanding how to achieve compliance, one step at a time.
Contracting with the DoD, your business handles sensitive information and must attain a higher level of compliance with security regulations. Statistics reveal a concerning historical pattern:
Because of the increasing rate of cybercrimes, the Defense Federal Acquisition Regulation Supplement (DFARS) established a set of regulations that aim to prioritize the security of organizations and their customers. Becoming compliant takes time and requires a close look at the standards that are examined during an audit.
It should be noted that the DFARS assessment is in the process of shifting toward CMMC certification, which is a third-party certification system that will no longer allow contractors to self-certify. CMMC certification will be required to bid on all requests for proposals starting in late 2020.
This time of transition creates a lot of questions, but having a clear grasp of DFARS regulations is the first step in preparing for the changes. By understanding DFARS, you can best position your company to adapt to the CMMC certification system smoothly and successfully.
What Is DFARS?
To understand DFARS, it helps to take a look at its history and why it was established. DFARS was published in 2015 by the Department of Defense (DoD), and its main purpose is to protect the confidentiality of Controlled Unclassified Information (CUI). These regulations apply to all DoD contractors.
The DoD created DFARS cybersecurity to establish a framework of regulations designed to enhance the security of civil and defense organizations across the United States. Leaks of this protected data would compromise military activities as well as the safety of U.S. citizens. There is also information that is less sensitive yet still requires protection. This kind of content is usually related to financial services, web and electronic mail services, security clearances, healthcare data, cloud services, communications, and satellite and weapons systems.
In spite of best efforts, DoD contractors can unknowingly have big gaps in their data protection systems, leaving them vulnerable to a cyberattack. DFARS cybersecurity was created to fill those gaps by establishing protocols for contractors’ internal systems and procedures to follow in case of an incident.
DFARS also requires defense contractors to comply with specific cybersecurity requirements detailed in NIST 800-171. These standards specify the proper manner in which Controlled Unclassified Information (CUI) must be handled and protected.
Contractors who don’t manage CUI must get an exception and may still be held accountable for compliance with DFARS and NIST 800-171. Noncompliance with these guidelines may end in lost government business for those contractors.
What is CUI?
To fully grasp DFARS, it’s essential to note what exactly constitutes CUI. The U.S. National Archives defines CUI as
More simply put, CUI is information that is sensitive and in the interests of the United States but is not strictly regulated by the Federal government.
CUI includes any potentially sensitive, unclassified information that needs controls defining how it is safeguarded or disseminated. Each federal agency maintains a public registry of CUI categories and subcategories and determines why information is considered CUI.
What Is NIST 800-171?
NIST 800-171 is a collection of regulations that govern CUI in Non-Federal Information Systems and Organizations. NIST 800-171 establishes a set of standards that apply to safeguarding and distributing data that is considered sensitive but not classified.
A revised version of NIST 800-171 was introduced in 2017, which requires anyone working with CUI on behalf of the DoD, General Services Administration (GSA), or National Aeronautics and Space Administration (NASA) to adopt security measures in handling that data.
The purpose of the National Institute of Standards and Technology (NIST) Special Publication 800-171 (NIST 800-171) is to help any organization that works with federal agencies set up cybersecurity protocols and strategies.
DFARS follows the regulations specified in NIST SP 800-171. Instituted after several well-documented security breaches in federal agencies, NIST 800-171 seeks to enhance cybersecurity. If your company meets each requirement outlined in NIST 800-171, you are considered both DFARS and NIST 800-171 compliant.
Who Needs to Be DFARS Compliant?
It doesn’t matter whether you are a large defense contractor or a small firm: any organization that holds contracts with the DoD or other federal agencies must be compliant. Even if you do not currently engage in any work for the DoD, you can take advantage of future opportunities by becoming DFARS-compliant.
There are several basic requirements in meeting a DFARS compliance audit. These include:
To more fully understand how a DFARS audit could affect your company, let’s examine how your current IT systems may be putting you at risk.
The Scope of DFARS Cybersecurity
The reach of the DFARS cybersecurity requirements is often misunderstood. Most businesses that work with the Department of Defense (DoD) realize that there are precise controls for systems that handle classified data. But did you know that there are DFARS regulations that also apply to unclassified information?
DFARS compliance includes systems operated by or for a contractor, including processes, storage, and transmission of defense information—this is where the waters get murky. For many firms, this means expanding security controls to incorporate coverage for these additional systems.
DFARS covers the unclassified DoD information residing on a contractor’s internal information system so that it is protected from cyber incidents. In addition, any consequences associated with the loss of contractor information can be assessed and minimized through the cyber incident reporting and damage assessment processes. This single DoD-wide approach to safeguarding contractor information systems prevents the proliferation of cybersecurity clauses and contract language by the various entities across the DoD.
The changes that are required may have significant impacts on the way you do business. Gaining DFARS compliance is critical because companies can’t do business with the DoD without it. Furthermore, achieving compliance can determine if your company can be competitive and thriving, so it’s imperative to take steps to ensure your company meets the requirements.
What Does it Mean to Be DFARS Compliant?
To understand how to achieve DFARS compliance, you must examine how DFARS and NIST 800-171 are related. As stated, DFARS is a set of requirements that obliges contractors to implement cybersecurity practices ensuring the careful handling of information and the resolution of cybersecurity incidents.
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), on the other hand, is a set of guidelines that contractors must adhere to in order to be DFARS compliant. Essentially, NIST SP 800-171 defines how firms should handle CUI.
In general, DFARS requires firms to have adequate cybersecurity practices in three key areas: regularly assessing the environments that contain or process CUI, implementing multi-factor or two-factor authentication for all local and network access, and having coherent and rapid incident response capabilities. Let’s break it down further.
What Are the Critical Areas of NIST 800-171?
All contractors that handle CUI must introduce security protocols covering the following 14 key areas:
1. Audit and Accountability
You should examine how system logs provide valuable records. Specifically, this covers the creation, protection, review, and retention of system logs as a source of evidence about what happened on your information systems. To put it simply, contractors need to consider whether records are kept of authorized and unauthorized access to sensitive information and determine how violators can be identified.
2. Awareness and Training
This protocol addresses the degree of awareness of the security risks inherent in user activities, and how staff are trained on standards and on performing their duties. This standard seeks to ensure your staff has the proficiency to handle and treat sensitive information.
3. Access Controls
You should address the need to restrict system access to authorized users. By establishing controls like this, you help prevent data from being accessed by outside users and reduce the risk of leaks.
4. Incident Response
Another requirement is to create a procedure to detect, contain, analyze, and respond to incidents in online systems—this includes the need to follow proper notification directives.
5. Identification and Authentication
Another key component of effective security is to identify and authenticate all users and devices of the information system. Determine who is approved to access CUI and how they will be verified before they can access any sensitive information.
6. Configuration Management
Establish a baseline configuration and a robust change management process in your system. Identify how your networks and safety protocols are built and documented.
7. Media Protection
DFARS requires that you manage the protection and destruction of all media that contain CUI. Review how hard copy and electronic backups and records are stored as well as which users have access to these files.
8. Maintenance
Timely maintenance of all information systems is not optional. Questions to consider include: “Who is responsible for routine maintenance?” and “What timeline is in place for scheduled maintenance?”
9. Personnel Security
For this protocol, contractors must implement systems that protect access to CUI. These systems should include screening users before authorizing their access to key systems and, importantly, ensuring that systems remain secure following the termination of staff members.
10. Physical Protection
This criterion considers the restrictions to physical access that include protection and monitoring of the physical facility and infrastructure of the information systems. Again, it’s important to determine who can access the systems, equipment, and storage environments to ensure the safety of the system.
11. Security Assessment
You must prove that you monitor, analyze, and deal with deficiencies and vulnerabilities in all organizational information systems. This means regularly testing whether procedures and processes remain effective and employing improvements when needed.
12. Risk Assessment
Frequent incident simulations are necessary to gauge risks—these simulations should assess the operational risk for the processing, transmission, and storage of CUI.
13. System and Information Integrity
Simply put, you must take steps to protect systems from the introduction of malicious code, carefully monitor information security alerts and advisories, and act on them effectively. This component also stresses the need to identify, report, and correct any problems in the information systems in a timely fashion.
14. System and Communications Protection
This requirement focuses on the data sharing boundaries of all systems, which must be controlled, monitored, and protected. It’s advisable to only implement software development techniques, architectural designs, and system engineering principles that encourage effective system security.
The failure to achieve NIST 800-171 compliance could have lasting impacts—from failed audits to severance of contracts. It could even lead to contract suspension or an outright ban on contracting with the DoD (or even bidding to do so). If you are unsure whether you need to be DFARS compliant, you can check out NIST’s official self-assessment handbook.
Changes On the Horizon
Over the years, the DoD struggled with a low rate of DFARS compliance among its contractors. To combat this problem while still trying to increase the security of defense data and networks, the department introduced the Cybersecurity Maturity Model Certification (CMMC).
CMMC builds upon existing cybersecurity frameworks and requirements, such as the NIST SP 800-171. Since CMMC has five levels of cybersecurity maturity, contractors who achieved CMMC Levels 1 and 2 are not necessarily compliant with all aspects of DFARS.
On the other hand, you can be DFARS-compliant but not earn your CMMC. That’s because, unlike DFARS’s self-assessment, CMMC requires third-party accreditation. However, if you’re already DFARS-compliant, you can easily achieve CMMC Level 3 maturity with a third-party auditor by just implementing a few more cyber hygiene practices.
Beginning in late 2020, CMMC certification, a third-party certification system for assessing compliance with DFARS requirements, will begin to take effect. At that point, all Requests for Proposals must meet the proper CMMC certification.
For now, let’s take a closer look at the specific regulations guiding the DFARS requirements currently in place so you can proactively prepare for changes.
Tips for Achieving DFARS Compliance
As you can see from Chapter 3, the NIST 800-171 requirements guiding DFARS compliance are extensive with a lot of room for interpretation—in fact, the overview provided is just the tip of the iceberg. That’s why we came up with five tips to help companies address all 14 security requirements. Implementing these best practices will get you started on the road to compliance:
Undergo Security and Risk Assessments
Inherently, there are operational risks involved in processing, storing, and transmitting CUI, so you should routinely scan your internal procedures and IT systems for vulnerabilities that may endanger CUI. Doing so will help you identify and correct deficiencies so you can reduce or eliminate risks. Given the growing complexity of security and regulatory obligations, it’s best to ask a DFARS compliance expert like Charles IT to conduct these assessments for you.
Roll Out IT System and Physical Safeguards
Physical facilities that house IT systems must be protected too. This involves actions like restricting physical access to your office, encrypting communications, separating internal networks from publicly accessible systems, and prohibiting unauthorized data transfer to shared system resources.
Implement Identification, Authentication, and Access Controls
The importance of user access cannot be overstated. It’s a best practice to register and manage every user and device that accesses your data and IT systems, taking care that each user only has access to what they need to do their job. Also, set methods to identify, track, and authenticate users and devices with proper security protocols each time they access your data or system. This means implementing multifactor authentication, prohibiting password reuse, enforcing password complexity requirements, and logging out a user automatically after a defined period of inactivity, among others.
Conduct Cybersecurity Awareness Training
Without proper training, employees cannot be made aware of the security risks associated with their use of company data and systems. Educate them about the different policies, standards, and procedures they can adopt to ensure safety.
Develop and Employ an Incident Response Plan
Designate a team and a set of procedures that allow you to detect, analyze, contain, recover from, and respond to a data breach or any other kind of cybersecurity incident. Then regularly test your company’s Incident Response Plan and adapt it as necessary.
DFARS Compliance: A Checklist
It’s clear that undertaking DFARS compliance may be an intimidating task for a small firm without a robust IT department. We’ve developed a useful tool that such firms can use to assess the integrity and security of their information systems and avoid the consequences of noncompliance. Use this list as a review of what we’ve outlined earlier to begin examining your processes:
Checklist 1: DFARS Compliance
Contractors can use the DFARS compliance self-assessment checklist as a resource to examine whether their information systems’ existing security mechanisms adhere to DFARS standards. It contains guidelines that must be followed, based on the NIST MEP Cybersecurity Self-Assessment Handbook.
Using this self-assessment checklist, contractors can scrutinize relevant compliance matters, including, but not limited to:
Access Permission to System Resources
Identify users that can be given access and the type of system resource they’re authorized to use.
Information Security Awareness and Training
Increase users’ and managers’ awareness of the need to protect systems, make sure employees know how their actions impact system security, and provide them with appropriate training.
Independent Audit and Review of Records and Activities
Perform this to ensure that operational procedures comply with policies, keeping a close watch on system records for unlawful or suspicious activity.
Other Pertinent Matters
Consider all possible issues, including IT systems maintenance, standard operating procedures implementation in case of security incidents (e.g., malware, natural disasters, corrupted files, etc.), and risk assessment about the transmission of CUI.
Checklist 2: Risk Assessment
Evaluating workplace safety is also key to DFARS compliance. Use this checklist to manage workplace risks, determine the likelihood of hazards occurring, and implement measures to reduce or eliminate them.
DoD contractors must take the following details into account:
Demographic(s) At Risk
Specify which specific groups within the workplace are vulnerable. For example, is it workers at the assembly line or engineers and technicians? Each company’s list will vary.
Existing Control Measures
After defining the vulnerable demographic(s), you’ll know better how to reduce possible injuries from any workplace risk.
Control Measures Improvements
Strong internal controls are a must. Learn how to find which current measures must be improved or replaced with more effective ones.
Person-In-Charge and Deadlines
Establish accountability in the organization by putting a person in charge of implementing the new risk prevention measures. Next, set deadlines for when these will be enforced.
Checklist 3: Gap Analysis
A gap analysis is a tool that we deploy to measure if system setups meet DFARS rules.
Use this list to help reveal gaps in security that need to be addressed and improved.
Analyze the Present State
Ascertain whether employees’ performance is at an optimal level.
Illustrate the Ideal State
In clear terms, express what processes must look like in the future, given the present state.
Highlight the problems that must be overcome in order for your organization to achieve the ideal state.
Create a Comprehensive Plan
Outline, in step-by-step fashion, what actions must occur to address gaps and set a deadline for closing them.
To work through these checklists, you may either use in-house resources and expertise or consider outsourcing the task to a qualified DFARS consultant that specializes in helping DoD contractors meet compliance rules.
DFARS and The Impact on Your Business
Consider the practical effects that lack of compliance may have on your business. Cyberattacks against the U.S. military aren’t uncommon, but cyberattacks against military contractors are what worry defense officials the most. Just consider these recent examples:
Attackers may be more likely to bypass prime defense contractors in favor of the small and medium-sized businesses that support them, which might not be able to provide the same level of security.
With the consequences of a cyberattack looming on one side and the consequences of violating DFARS regulations looming on the other, how much room do small to midsize businesses have to navigate? Let’s explore some of the challenges small- and medium-sized businesses (SMBs) face and look at solutions.
Why Is it Difficult for SMBs to Comply with DFARS Regulations?
First off, you should understand what can happen if you suffer a data breach: you will not be automatically subject to penalties under DFARS; however, you might get subjected to a DFARS audit. If this audit reveals gaps or something out of place, you could face any number of consequences, including:
Since any of these scenarios could significantly impact your business, why do DFARS violations happen in the first place? The answer is simple: it’s not the core of your business, and if you’re an SMB with few full-time IT staffers, you may have deemed such matters cost-prohibitive. On the other hand, your IT personnel may simply have little experience with information security.
Additionally, the idea of hiring a CIO/Chief Information Security Officer with experience may not be in your budget. And even if you go this route, the cost of new personnel is just the beginning of your security expenses, because you’ll also need new tools and infrastructure as well.
Finally, there’s always the shadow of doubt that even if you conduct a well-intended effort to secure your CUI and other sensitive data, you could inadvertently fail to check a DFARS box and jeopardize your next audit.
If you’re a business leader at an SMB military contractor, you don’t want to get hacked. Still, you also want to focus on your core business priorities without getting derailed by security. So, what do you do?
First off, understand that it can take months to become fully compliant. But the good news is that there is help available in complying with DFARS and NIST 800-171. A professional organization with experience in IT consulting for DoD firms knows precisely how organizations can best comply with DFARS—and the forthcoming CMMC—standards.
You don’t have to try to hit this moving target alone. Consider our two-step process. The first important step to becoming DFARS compliant is to see where your organization stands in meeting the minimum DFARS requirements. This step is referred to as a Gap Assessment, designed to determine the “holes in your business’s security posture” and show you what you need to do to fill those gaps.
Typical results of our Charles IT GAP Assessment may uncover issues such as:
The second step is the support and backing we provide for security services, such as: