What is the DFARS Checklist?
DFARS stands for Defense Federal Acquisition Regulation Supplement. Despite its best intentions, the acronym doesn’t give the layman much of a hint as to its actual purpose. In simpler terms, the DFARS checklist is a security standard set forth by the Department of Defense (DoD).
Any business or entity that holds Controlled Unclassified Information (CUI) is required to meet the DFARS minimum security standards or runs the risk of losing all of its DoD contracts. This summary of the supplemental regulation comes from NIST Handbook 162, which offers a complete breakdown of the cybersecurity requirements and a step-by-step guide for your perusal. Be forewarned that NIST Handbook 162 is not the easiest read. However, it is very useful.
Companies with defense contracts may be interested to know that within NIST Handbook 162 is also information regarding NIST SP 800-171. NIST SP 800-171 and DFARS compliance are closely related but have separate requirements that all must be met in order to maintain DoD contracts.
The most recent DFARS compliance update deadline was the last day of 2017. Due to the nature of digital security, continual updates of DFARS are to be expected every few years.
DFARS is a complicated set of security requirements, and the instructions for following them can be confusing. RSI Security has been helping businesses of all sizes with all types of security obligations. Read on to learn how you can cross off the DFARS checklist, or contact us today for more personal help.
What is the Purpose of the DFARS Checklist?
The world is changing at a rapid rate and no, we aren’t talking about global warming. The digital age has come and it is definitely here to stay. Sensitive information worth billions of dollars is sent and secured around the world every day.
The internet, full of useful and helpful information, has also become a battleground for hackers and countries alike. Each is aiming to protect their own information and infiltrate the systems of their “enemies.”
Whether it is the increased intensity of government-sanctioned Chinese hackers or Russian hackers probing at everything from power grids to elections, digital espionage and cyber attacks are part of the new normal. That is why countries all over the world, including the United States, are beefing up their digital security and tightening any potential leaks of sensitive government information.
That is where the DFARS compliance checklist comes in. DFARS is the United States’ response to the increased aggression of state-sponsored as well as “rogue” hackers. The DFARS checklist has dozens of stipulations and conditions that can be difficult to follow if you aren’t well-versed in its nuances. However, there are two main fundamental requirements for all entities holding Controlled Unclassified Information:
- The fulfillment of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 controls.
- The formation of increased cyber incident reporting procedures.
Does My Company Require a DFARS Compliance Checklist?
Any company that processes, stores or transmits Controlled Unclassified Information absolutely needs to pass DFARS compliance. There are a few other circumstances in which your business may also need it. They are as follows.
- Are you a DoD contractor, subcontractor or involved with the DoD in a business arrangement? Then yes, very likely you will also need to complete a DFARS checklist.
- Is DFARS provision 252.204-7008 contained within the language of a contract you are offering? Then absolutely, you do need to comply with DFARS.
- Is DFARS provision 252.204-7012 contained within the language of a contract that you are offering? Then yes, you do need to comply with DFARS.
What are the Consequences of Non-compliance?
The consequences of non-compliance are swift and straightforward: denial and disqualification for any and all Department of Defense contracts, current and moving forward. The United States takes its defense very seriously and as cyber attacks increase in intensity and quantity, the Government will take a hard-line approach.
Any contractors who outsource their DoD work to subcontractors should confirm that those subcontractors are also DFARS compliant.
What Type of Information Does DFARS Secure?
DFARS compliance checklists are designed to secure sensitive government information as it is processed, stored and transmitted through non-government systems. Information is most vulnerable when it is moved off its secured storage. There are three types of information covered under DFARS:
- CDI: Covered Defense Information. These are government policies that have been identified by the DoD as sensitive or vital in the performance of a current government contract. This also includes information found, received or stored by a contractor in the service of a contract.
- CUI: Controlled Unclassified Information. We have covered CUI previously. However, in more detail, CUI includes any information that has been classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any previous or future orders, including the Atomic Energy Act of 1954, as amended (NIST SP 800-171).
- CTI: Controlled Technical Information. Any technical information that has a military or space application in any capacity.
Other Guidelines Covered by DFARS Assessment:
- Media Coverage
- Personnel Security
- Configuration Management
- Access Control
- Audit & Accountability
- System & Information Integrity
- Communication Security
- Accountability & Training
Important Clauses to Note:
As we have covered, DFARS was created in response to the growing threat of cyber criminals around the world. It extensively covers the operation, dissemination, processing and storing of any sensitive government information. Naturally, DFARS is very wide-ranging and comprehensive. Here are a few important clauses that all businesses should understand:
- DFARS 252.204-7012: Defense Information Protections & Procedures For Incident Reporting. This clause refers to the implementation of NIST SP 800-171 controls, specifically in relation to “covered contractor information systems.” “Covered contractor information systems” are unclassified systems, or any systems used by a contractor or their subcontractor, that touch covered defense information in any way.
The Government mandates that contractors provide “adequate security” for any “covered contractor information system.” “Adequate security” means security measures commensurate with the potential damage from a compromise of that information. Any alteration of the controls, or use of different controls, must be submitted for approval.
- DFARS 252.204: Protocol for Covered Defense Information & Proper Safeguards for such Information. This clause essentially limits the ways contractors may use CDI. It also puts the onus on the contractor to educate their employees and subcontractors about their responsibilities when handling sensitive information.
- DFARS 252.239-7010: Cloud Computing Protocol. This clause lays out all the security requirements and necessary controls for cloud computing services. As cloud computing continues to expand and advance, the security requirements must also change. It also details the reporting processes for any and all incidents.
How Difficult is the DFARS Compliance Checklist?
We aren’t going to sugar coat it. The DFARS compliance checklist is long and very complicated. In NIST SP 800-171 there are approximately 110 different controls, all with a variety of requirements and specifications. For many companies, completing all aspects of DFARS can be overwhelming. However, for contractors that have the expertise and training to complete their own DFARS compliance checklist, the Government has provided the “Self Assessment Handbook – NIST Handbook 162.”
Therefore, if you have the time, patience and know-how to navigate the exciting waters of DFARS cyber security requirements, you may do it yourself! Otherwise, there are what are known as Managed Security Service Providers (MSSPs), like RSI Security, to help you pass the DFARS examination stress-free.
Ultimately, contractors and their subcontractors are solely responsible for meeting the DFARS requirements. There is no appeal process in which you can blame a failed DFARS examination on your MSSP. So it is vital to choose an MSSP that is trustworthy and reputable. The last thing you want is to have paid for help and still not pass the checklist.
That is why RSI Security helps organizations ranging from tiny businesses to conglomerates pass these difficult checklists. We have a well-oiled system that will consistently ensure that your business is DFARS compliant. We understand that DoD and government contracts, for many organizations, are essential to their continued success. Our process works in four stages; they are as follows:
- Application Evaluation: The first step in any DFARS compliance checklist, whether you do it yourself or hire a managed security service provider, is called a gap analysis.
A gap analysis is exactly what it sounds like: an assessment of a contractor’s current information system to determine the gaps and holes in your DFARS cybersecurity compliance. It’s like doing an audit on a building before you start the renovation. You need to know where your application fails to meet the requirements before you begin to fix it.
Gap analysis will review: the access to information systems, how information is stored and by whom, where data is stored, how security measures are enforced, incident response and reporting and much more! Any MSSP that doesn’t begin with a gap analysis deserves closer scrutiny.
- Remediation Plan: Once the gap analysis is complete, either you or your MSSP will need to come up with a plan of attack to fix any potential security leaks. The depth and complexity of the remediation plan will be directly related to how many problem areas were found during the gap analysis.
Some remediation plans can be as simple as tweaking some network controls and shoring up protocols. There’s also the distinct possibility that an entire overhaul will be necessary to get your system shipshape. Like any undertaking, the quality of the plan goes a long way in determining the efficiency of the update.
- Continual Monitoring: After your information has been updated and all controls and systems pass NIST inspection, constant vigilance is a requirement for DFARS compliance. Yes, after analysis and restructuring it would be nice if that was it. Unfortunately, to receive DoD contracts, proving your system is sound at one point in time is not quite enough. Your system must also be continually monitored for potential hacker threats.
- Keep Track of your Documents: This is not another step you need to worry about or pay for. Once your system has passed DFARS compliance you will receive documentation proving compliance. Make sure you store this away in a safe place. Those papers provide you with legal cover in the event of litigation. It is unlikely, but you could end up in court defending yourself, and it’s always wise to have documentation in front of a judge.
Security Breach Protocol:
Despite the Government’s best intentions while creating the DFARS compliance checklist, it is not foolproof. Even if you have exceeded the requirements laid out by DFARS, there is still the possibility of a security breach.
One of the changes from the most recent DFARS update relates to the reporting of potential security threats. The Government now requires rapid response reporting, which essentially means notifying the proper authorities within 72 hours of discovering the potential threat.
They also have added a helpful link for reporting. However, you still need a cyber security expert on hand in order to pass along the right technical details. Here is another link to see their policy in its entirety.
RSI Security Offering:
RSI Security has been helping everyone from corporations to individual contractors pass the DFARS compliance checklist for 10 years. We are one of the leaders in digital security and consulting. We are well versed in all aspects of security compliance and will have you DFARS compliant in a timely manner. We also have a positive relationship with the DoD that can ease some of the hurdles that come with such a complicated endeavor.
Our security and compliance advisory services are first class all the way, utilizing the best tools and practices to keep your company safe from disruptive security breaches. Effective vulnerability management programs and assessments, real-time behavioral monitoring, intrusion detection, sophisticated digital pattern tracking and an inherent understanding of how hackers operate are just a few of the reasons why RSI Security is a leader in digital security.