The Defense Federal Acquisition Regulation Supplement, or DFARS, is a set of regulations governing cybersecurity matters put in place by the Department of Defense that all external contractors and suppliers must follow.
The Basics of DFARS Compliance
Cybersecurity is a pressing matter for all businesses, and government contractors are no exception. Cyber threats are becoming increasingly sophisticated, and cybersecurity technology is constantly evolving to stay on top of the latest threats. In response, the federal government is placing a heavy priority on addressing potential security threats.
The Department of Defense published the Defense Federal Acquisition Regulation Supplement in 2015 with the aim of maintaining cybersecurity standards according to the requirements listed in the National Institute of Standards and Technology. All DOD contractors must meet these requirements and prove they are compliant to obtain and maintain contracts.
DFARS Minimum Requirements
Although data security can be quite complex, the Department of Defense strives to keep contractors’ requirements relatively straightforward. To meet the minimum requirements, contractors are required to do the following:
- Provide adequate security that can protect any covered defense information that passes through or is stored on their internal information systems from any type of unauthorized access or disclosure.
- Quickly report any cyber incidents that take place and cooperate with the Department of Defense to respond to such incidents. This may include providing the DoD with access to any affected media and software.
To be considered compliant with DFARS, all contractor information systems and organizations must pass a readiness assessment that adheres to NIST SP 800-171 guidelines pertaining to 14 aspects of security. These include:
System and Information Integrity
This involves identifying, reporting, and fixing any information system flaws in a timely manner and protecting these systems from malicious code. It also includes monitoring information security warnings and acting on them appropriately.
System And Communications Protection
This entails monitoring, controlling, and protecting data within the system and using techniques for software development and system engineering principles that will promote successful information security.
This governs rules related to protecting and destroying media that contains controlled unclassified information.
This involves limiting physical access to the physical facilities and support infrastructure used by the information systems and protecting and monitoring these systems.
This entails assessing the operational risk that is associated with the storage, transmission, and processing of controlled unclassified information.
This refers to the assessment, monitoring, and correction of deficiencies in the organization’s information systems and reduction or elimination of any vulnerabilities.
Awareness And Training
This provides awareness of the security risks that are linked to a user’s activities and training users on the relevant policies and procedures.
This pertains to the creation of baseline configurations and the use of strong change management processes.
This involves carrying out timely maintenance on the information systems used by the organization.
Identification and Authentication
This involves identifying and authenticating the users and devices that use the information system.
Audit and Accountability
This entails creating, protecting, retaining, and reviewing system logs.
This limits system access to authorized users.
This involves screening users prior to granting them access to the information systems used by an organization and ensuring the systems remain secure when individuals are transferred or terminated.
This involves developing operations that prepare for incidents and responding to them, including detection, analysis, containment, and recovery.
What Are The Penalties For Noncompliance?
If the Department of Defense carries out an audit and finds that a contractor is not in compliance, they could be issued a stop-work order that suspends their work on behalf of the DOD until appropriate security measures have been implemented. The DoD might also place financial penalties on the contractor, including damages for false claims and breach of contract.
In some cases, the contract may be terminated and the contractor could be suspended or barred from working with the Department of Defense in the future.
How To Ensure Compliance
DOD contractors who have the expertise available in-house to become compliant can follow the NIST’s Self-Assessment Handbook. If they are unable to meet these requirements on their own, they can outsource compliance to DFARS consultants, who can help them reach and prove compliance.
How Can Contractors Handle Security Breaches?
Following the minimum DFARS requirements does not guarantee that breaches will not occur. In the case of a security breach, the DoD requires contractors to report the incident within 72 hours of its discovery. The Department of Defense has provided a link to facilitate this reporting, although it may be necessary to enlist the help of cybersecurity experts to compile and provide the required information.