Classified information is not the only type of data that is vulnerable to cyber breaches; the large volumes of information that flow through government contractors’ systems might also be compromised.
As cyber threats continue to increase and attacks become more sophisticated, the United States has established the Defense Federal Acquisition Regulation Supplement (DFARS) to keep the Department of Defense’s unclassified information safeguarded.
What Is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation (FAR), which governs how the federal government acquires materials, services, and supplies. DFARS contains the additional regulations and guidelines set out by the Department of Defense for managing its own acquisition processes.
Who Must Comply With DFARS?
All Department of Defense (DOD) contractors who process, transmit, or store Controlled Unclassified Information (CUI) are required to comply with the DFARS minimum security standards or they risk losing their DOD contract. This applies to direct contractors as well as their subcontractors and suppliers.
What Is Controlled Unclassified Information (CUI)?
In carrying out a government contract, some contractors may possess Controlled Unclassified Information, or CUI. This is non-classified information that must be safeguarded because protecting this information is considered to be in the national interest. It may entail private information that could damage the person or entity it pertains to if it is disclosed.
What Are The DFARS Requirements?
The Department of Defense aims to keep the requirements for contractors as straightforward as possible despite the constant developments in data security.
There are two main requirements for DFARS compliance. First, contractors must provide adequate security to protect any covered defense information that they transmit or store from unauthorized access and disclosure. This involves implementing the 110 controls, grouped into 14 families, set out in NIST SP 800-171 and summarized below.
Second, they must quickly report any cyber incidents that occur and work with the Department of Defense to respond to these incidents. This might entail providing the DOD with access to their media and software.
These security controls must be implemented throughout every level of a contractor’s supply chain.
To be compliant and achieve these two main aims, organizations must pass a readiness assessment that is outlined in the NIST SP 800-171 guidelines.
The NIST Self-Assessment Handbook (NIST Handbook 162) can help contractors assess their facilities to determine how close they are to achieving compliance and where to focus their improvement efforts. Each assessment question in the handbook also offers an alternative-approach option for manufacturers who find that a particular requirement does not apply to them.
There are 14 families of requirements that contractors must address:
- Configuration Management
- Incident Response
- Personnel Security
- Physical Protection
- Identification and Authentication
- Security Assessment
- Risk Assessment
- System and Information Integrity
- System and Communications Protection
- Audit and Accountability
- Media Protection
- Awareness and Training
- Access Control
- Maintenance
What Should Be Done In The Event Of A Security Breach?
According to data published by Forbes, the average cost of a data breach as of 2020 was $3.86 million, underscoring the importance of ensuring that you take all the necessary precautions to avoid falling victim to a breach.
Despite your best efforts to ensure DFARS compliance, breaches may still occur. The Department of Defense requires that all contractors report security breaches no later than 72 hours after they are discovered. There is a form on the DOD’s website for reporting breaches.
What Happens If You Are Not Compliant?
A failure to follow some of the clauses in DFARS could result in a range of penalties depending on the situation, including early termination of the contract.
If an audit by the DOD reveals that a contractor is not in compliance, the contractor could be issued a stop-work order requiring it to suspend work until the appropriate security measures have been put in place. The contractor might also face damages for breach of contract or false claims, along with other financial penalties. In some cases, the contractor could lose all of its work with the DOD.
How Can You Ensure Compliance?
For many businesses that lack in-house expertise in cybersecurity, it can be helpful to enlist the services of government contracting consultants who are familiar with the DFARS requirements and can ensure full compliance.