If you are a business leader of an organization that works with the U.S Department of Defense (DoD), you understand that protecting sensitive information is a top priority. While you most likely already have a lot on your plate to run your business, throw compliance into the mix and it can become a constant journey to make sure you’re doing the right things.
Many organizations assume that once they have systems in place to meet compliance or other regulatory requirements, they can check the box and they are done. Unfortunately, the reality is that the journey is just beginning.
As Manager of Engineering at Kelser Corporation, I’ve seen organizations that embrace the ongoing nature of compliance and those that don’t. I understand the demands that business leaders face, and I also understand why ongoing compliance is a challenge but a necessity.
One key regulation that contractors and subcontractors who work with the Department of Defense (DoD) need to be complaint with is the Defense Federal Acquisition Regulation Supplement (DFARS).
Making sure your company is compliant with DFARS is highly critical if you do any business with the US government, regardless of whether the information is classified as sensitive or not. Overwhelmed? Don’t be.
In this article, I’ll help you understand what exactly DFARS is, what it requires, who needs to comply with it, and what the relationship is between DFARS and NIST 800-171.
What Is DFARS?
The Defense Federal Acquisition Regulation also know as DFARS are rules and regulations that have been created by the U.S Department of Defense (DoD) to make sure that contractors and subcontractors are following specific cybersecurity best practices to protect sensitive information.
DFARS is an extension of the Federal Acquisition Regulation (FAR) which you can think of as the general rulebook that all companies must follow if they wish to be contracted and do business with the DoD.
Simply put, DFARS adds additional layers of security to FAR to make sure organizations have the necessary cybersecurity measures in place to keep sensitive data secure.
Who Needs To Comply With DFARS?
DFARS is mandatory for all contractors and subcontractors who work with the DoD and handle Control Unclassified Information (CUI). You can think of CUI as government created or possessed information that requires safeguarding but doesn't fall under the traditional bucket of classified information.
Related Article: What Is Controlled Unclassified Information (CUI) In NIST 800-171?
DFARS applies to companies of all sizes and anyone who is looking to win a contract and work within the supply chain with the DoD will be required to make sure that they are DFARS compliant.
DFARS mandates that contractors and subcontractors who work with the DoD must:
- Implement and follow the 110 security controls and cybersecurity framework outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171 to protect CUI.
- Report any cyber incidents or cyber breaches that affect CUI to the DoD within 72 hours.
Failure to comply with DFARS can result in non-compliant businesses losing their valuable contracts, which could have a significant impact on your business.
Your company’s reputation may also be damaged and could lead to potentially being blacklisted from participating in future DoD projects and you may even be subject to hefty fines and penalties.
What Cybersecurity Best Practices Does DFARS Require?
You now know what DFARS is, why you need to be compliant, and the risks associated with non-compliance. As I mentioned before, the main goal of DFARS is to ensure that contractors and subcontractors implement and follow specific cybersecurity best practices to protect CUI and safeguard sensitive information.
In order to accomplish this, you may be wondering which best practices matter the most. Let’s break these down:
-
Access Controls
Understand who in your organization is authorized to access data, and what permissions (read-only, read and write, etc.) do they have? Establish system access requirements.
Control internal system access. Control remote system access. Implement multi-factor authentication (MFA) and limit data access to authorized users only.
-
Data Security
Ensure that you have safeguards in place like encryption, firewalls and data loss prevention processes to protect CUI being stored or being shared.
-
Incident Detection And Response
Have a plan in place for incident response. What processes are followed when security events, threats, or breaches are suspected or identified? Make sure you can identify, report and respond to a cybersecurity incident.
Practice using your plan so that it will be seamless when an incident occurs and perform post-incident reviews. Additionally, don’t forget to test your incident response plan regularly.
-
Monitoring
Regularly monitor your systems and networks for vulnerabilities. By collecting and reviewing information about what is going on in your IT environment, you will have early notice of anything strange ranging from performance issues to odd behavior, slow processing to security-related issues.
Conduct vulnerability scans and penetration testing to make sure you address any cybersecurity gaps that may exist.
-
Employee Security Awareness Training
Cyber threats like phishing, ransomware, and social engineering attacks are at an all-time high and they are constantly evolving.
With regular and comprehensive training, (which doesn’t equate to long investments of time), employees can become your first line of defense against existing and emerging cyber threats, adding an effective layer of protection for your infrastructure.
Related Article: Employee Security Awareness Training: A Cost-Effective Cybersecurity Tool
What Is The Relationship Between DFARS and NIST 800-171?
You may be aware of the National Institute of Standards and Technology (NIST) Special Publication 800-171 (SP NIST 800-171) and be wondering how it ties into DFARS compliance?
Related Article: What Is NIST 800-171? What Do I Need To Do? How Is It Tied To CMMC?
Here’s how DFARS and NIST 800-171 work together to protect CUI. You can think of DFARS as a handbook of cybersecurity best practices that all companies who work with the DoD and deal with CUI must follow.
NIST 800-171 acts as a guide within this handbook and provides a framework for companies to follow to ensure that they are implementing the necessary security measures to protect CUI and implement the cybersecurity best practices required by DFARS.
Following NIST 800-171 helps companies comply with DFARS and shows the government that they take data security seriously and can be trusted with sensitive information.
What Steps Can I Take To Achieve DFARS Compliance?
1.Conduct a Self-Assessment
Use the controls outlined in the NIST 800-171 framework as a guide to evaluate your current cybersecurity posture
2. Identify and Address Gaps
Conduct a self-assessment and identify areas where your cybersecurity protocols maybe lacking and develop a plan to address these gaps. This may involve implementing new security controls and updating policies and procedures.
Related Article: What To Expect From A NIST 800-171 Gap Analysis
3. Develop a System Security Plan (SSP) and NIST POAM
A System Security Plan (SSP) is an essential requirement for both NIST 800-171 and CMMC. This document will help you outline your plan for protecting CUI, including details on access controls and incident response. Additionally, develop a NIST Plan of Action and Milestones (POAM).
This document will have details about the specific tasks you will complete to address the gaps identified in your self-assessment.
What’s The Bottom Line?
After reading this article, you now have a thorough understanding of what DFARS is, what it requires for compliance, who needs to comply with it, and how following the cybersecurity framework outlined in NIST 800-171 helps you be DFARS compliant.
We also outlined what key steps you can take to get started with compliance.Your organization may or may not need help implementing these steps. Only you can decide if you have the internal resources you need for success.
Our experience has shown that companies that are successful at implementing the steps required for NIST 800-171 using internal staff typically have the following characteristics:
- a large enough internal IT team that several of them can pull away for an extended period to hyper-focus on the POAM without impacting your internal IT support needs, and certified cybersecurity experts on staff who have prior cybersecurity compliance experience.
If your company doesn’t fit the above criteria, working with an outside managed IT services provider may offer advantages by avoiding common mistakes that could compound the time and cost involved in reaching compliance. Managed IT support helps organizations like yours adopt many of the requirements outlined in NIST 800-171 and DFARS.
We know managed IT services isn’t right for every organization. We publish articles like this one so that business leaders like you have the information you need to keep your data and infrastructure safe, whether you choose to work with us or not.
Use the button below to start a conversation with us about any questions you may have about DFARS or NIST 800-171 compliance.
