DFARS (the Defense Federal Acquisition Regulation Supplement) is the Department of Defense's supplement to the Federal Acquisition Regulation. The cybersecurity requirements discussed here come from its clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which is included in DoD contracts and flows down to subcontractors that handle covered defense information (CDI). The aim of the clause is to ensure that contractors protect DoD data on their own systems and report cyber incidents that affect it.
DFARS Requirements for DoD Contractors
The clause requires contractors that store, process or transmit CDI on their own information systems to implement the security requirements of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. They must also report cyber incidents that affect a covered system or the CDI on it to the DoD. Failure to comply can result in financial and contractual penalties.
Beyond pointing to NIST SP 800-171, the clause does not prescribe particular products or technologies. It requires "adequate security", which it defines as protective measures that are "commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information", and it expects contractors to add measures beyond the NIST baseline where their own risk assessment shows they are needed.
To meet that standard, contractors must identify the threats to the systems that hold CDI and put controls in place that are proportionate to the likelihood and impact of a compromise. NIST SP 800-171 itself includes a risk assessment family, so this is part of implementing the standard rather than an extra step.
The clause also requires DoD contractors to report cyber incidents rapidly. When a contractor discovers an incident affecting a covered system or the CDI on it, it must conduct a review for evidence of compromise, including identifying the compromised computers, servers, user accounts and specific data, and determine whether any CDI was lost or stolen. The incident must be reported to the DoD within 72 hours of discovery. Reports are submitted through the DIBNet portal, which requires a DoD-approved medium assurance certificate; obtaining that certificate takes time, so it should be in place before an incident, not requested during one. The contractor must then preserve and protect images of all known affected systems and all relevant monitoring and packet-capture data for at least 90 days from submission of the report, so that the DoD can request the media, and must submit any malicious software it isolates to the DoD Cyber Crime Center (DC3).
Options for DFARS Compliance
DoD contractors have two main options for ensuring their compliance with the clause. One is to manage all the requirements in house, although this can be difficult: not every DoD contractor has cybersecurity staff with the skills and experience needed to implement and assess NIST SP 800-171. The other is to engage a cybersecurity company that specializes in protecting businesses and their data from cyber attacks. For many DoD contractors, outsourcing is the most efficient and cost-effective way of meeting their obligations, although the contractual responsibility for compliance and for reporting incidents remains with the contractor.
Become Compliant Yourself
For DoD contractors taking on compliance themselves, NIST Handbook 162, the NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, walks through each of the NIST SP 800-171 requirements, and NIST SP 800-171A provides assessment procedures for them. The outcome of the self-assessment should be recorded in a system security plan, with a plan of action for any requirement not yet met; NIST SP 800-171 requires both documents.
Work With a Managed Cybersecurity Company: What to Expect
Each managed cybersecurity company has its own procedures for ensuring the security of its clients’ data. However, most follow a process that consists of three stages: gap analysis, remediation, and monitoring.
Gap analysis is the process a cybersecurity consultant uses to find the gaps in a DoD contractor's current security posture. It compares the contractor's systems and policies against the 110 requirements of NIST SP 800-171 and the incident-reporting obligations of the clause, and records which requirements are met, partially met or not met. The result lets the consultant sketch out a plan to get the business from where it is now to where it needs to be, and it doubles as the basis for the system security plan and plan of action that NIST SP 800-171 requires.
Once the gap analysis has been completed, remediation is the process of improving the contractor's security controls and reporting procedures until they meet the requirements. Remediation could include deploying security tooling such as multifactor authentication and centralized audit logging, writing the missing policies, and training employees to identify threats. The purpose of this step is to put the contractor in a position to comply over both the short and the long term, since the requirements have to be maintained, not just met once.
In addition to helping businesses identify the holes in their current security systems and put better policies and procedures in place, a managed cybersecurity company can also monitor a contractor's systems to identify security incidents and respond to them quickly. This matters for compliance as well as for protection: NIST SP 800-171 requires audit logging and incident handling, and the 72-hour reporting clock starts at discovery, so a contractor that cannot detect incidents cannot report them on time.
When a Breach Occurs: What DoD Contractors Need to Do
DoD contractors who have partnered with a good managed cybersecurity company are in a good position to deal with a data breach. The company should notice the incident, help contain it, and tell the contractor what it must do to secure its systems. Before any affected system is rebuilt or restored from backup, images of the affected systems and the relevant monitoring and packet-capture data must be preserved, because the clause requires them to be kept for at least 90 days after the report and restoring first destroys the evidence the DoD may ask for. The next step is to assess the extent of the breach and work out whether any covered defense information was compromised. The contractor then has 72 hours from discovery to report the incident to the DoD through the DIBNet portal using its medium assurance certificate; this obligation stays with the contractor even when a service provider detects the incident. Contractors handling compliance themselves submit the report through the same portal.
DFARS Compliance: How DoD Contractors Can Ensure They Are Safe
Every contractor that handles DoD data on its own systems has no choice but to comply with the clause. Failure to comply can result in loss of DoD contracts, as well as financial consequences, particularly if a data breach occurs. As simply ignoring the requirements is not an option, all DoD contractors must decide how they will meet them if they want to continue working with the DoD.
As many DoD contractors are not in a position to demonstrate compliance using a DIY approach, the best solution is generally to work with a managed cybersecurity company. The professional security consultants at such companies are experienced in protecting businesses from current cyber threats and in assessing against NIST SP 800-171. They can therefore give businesses reasonable assurance that they are doing everything they can to keep covered defense information safe and secure.