If you contract for the Department of Defense, you need to follow strict cybersecurity rules known as DFARS or face losing business. Here’s what you need to know.
What is DFARS?
DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a wide-ranging set of requirements for Department of Defense contractors, covering everything from labor practices to sourcing components domestically. It also includes cybersecurity requirements for contractors that handle sensitive government information: since 31 December 2017, those contractors have been required to have fully implemented the security controls of NIST SP 800-171 so that the information stays confidential.
Contractors must not only meet the rules but also attest, before they are awarded a contract, that they have done so. The DoD can also audit a company mid-contract. If a company is not following the rules, the DoD can order it to stop work until the problem is fixed, terminate the contract, or even bar the company from bidding on future contracts. The requirements also flow down to subcontractors that handle the same information, so a prime contractor has to check its suppliers as well as itself.
The rules cover “Controlled Unclassified Information” (CUI). That is a category for information that falls a step short of being Classified (where a government security clearance is needed) but is still sensitive: laws, regulations or government policy require it to be protected and its distribution restricted.
What do I have to do?
While the detail of the rules is complex, they rest on two simple principles. The first is having adequate security to prevent the relevant information being accessed by, or passed on to, people who are not authorized to see it. “Adequate” security includes:
- physical protection of computer equipment and removable media;
- screening of staff before they are given access to the systems that hold the information;
- access controls such as passwords, multi-factor authentication and encryption, so that only authorized people can read the data;
- monitoring and logging so that a compromise can be detected and investigated;
- staff training so that people understand the rules; and
- regular assessment and maintenance to make sure the security set-up is still effective.
The second principle is that companies must report any cyber incident affecting the information to the DoD promptly (the clause sets a deadline of 72 hours from discovery) and then cooperate with any investigation. That means preserving images of the affected computers and removable media and, if the DoD asks, giving it access to them for forensic analysis.
How DoD Contractors Can Comply
In theory, you can run your own checks against the government’s Self-Assessment Handbook (NIST Handbook 162, which walks through the NIST SP 800-171 requirements) to make sure you meet, and continue to meet, the DFARS cybersecurity rules. In practice this can be difficult without the relevant expertise, and it can consume a lot of staff time. A further problem is that you may still be unsure whether you have definitely met every requirement.
Another option is to use a service provider that specializes in DFARS consulting. They will have the experience and resources to assess your systems, identify any shortfalls and put them right as efficiently as possible. They can also give you confidence that you have met all the rules, and help with the paperwork needed to show your compliance when bidding for DoD contracts.