Contracts with governmental agencies can be extremely valuable for businesses. This is especially true for contracts with the Department of Defense (DoD), which has abundant resources to offer its vendors. The catch is that the DFARS compliance requirements are among the most complex cybersecurity regulations for any US industry. Any company working with the DoD needs to be fully compliant. Nonetheless, resources spent meeting them are guaranteed to provide optimal ROI.
Guide to DFARS Cybersecurity Compliance Requirements
With a budget over $740 billion dollars, the DoD is about far more than just defense; it’s a strategic partner to many companies. However, there is a wall of different DFARS security requirements blocking the path toward preferred contractor status.
This guide will break down everything you need to know into four major sections:
- An overview of basic DFARS requirements, including who needs to comply
- An overview of the NIST SP 800-171 framework and all of its requirements
- An overview of the CMMC framework and all of its domains and controls
- An overview of professional services that help with DFARS compliance
By the end of this article, you’ll know everything it takes to be DFARS compliant and what challenges lie ahead in its two major components, and how to overcome them.
DFARS Protections at a Glance
Like other cybersecurity frameworks and regulatory documents, DFARS exists primarily to protect select categories of sensitive data. Just as HIPAA exists to safeguard protected health information (PHI), DFARS covers a wide range of what is referred to as covered defense information (CDI). This breaks down into two primary classes of protected data:
- Controlled Unclassified Information (CUI) – Technical defense documents, such as training manuals and repair or maintenance guides, which do not carry classified status but are still protected by laws, regulations, executive orders, or other legal requirements
- Federal Contract Information (FCI) – Information of or about contracts between governmental agencies and third-parties, especially those critical to defense operations
These aren’t the only forms of data protected by DFARS. By extension, it also covers any data that could compromise these classes, such as user credentials and any information that could be used to access systems illegitimately. DFARS requirements lend themselves to various controls across National Institute of Standards and Technology’s Special Publication 800-171 and the Cybersecurity Maturity Model Certification (CMMC) to protect this information.
The sections below will break down exactly what each of these frameworks requires. But first, let’s take a closer look at exactly which companies need to comply with them.
Which Companies Do DFARS Govern?
Companies that contract with the DoD make up a critical supply chain known as the Defense Industrial Base (DIB). This supply chain consists of vendors and suppliers, including service providers from nearly every industry. Over 100 thousand companies, not including their sprawling networks of contractors and subcontractors, make up the DIB.
Companies that make up the DIB are the main parties to whom DFARS applies.
As a Critical Infrastructure Sector, defined by the Cybersecurity and Infrastructure Security Agency (CISA), the DIB is one of 16 sectors essential to the safety and security of all US citizens. These sectors control the defense, agriculture, water, power grids, and other infrastructure that, if compromised, would have immediate and long-term consequences on the economy and the day-to-day lives of all Americans—as such, protecting these sectors is vital.
NIST SP 800-171 at a Glance
The full title for NIST Special Publication (SP) 800-171 is “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” In many ways, NIST SP exists to flesh out DFARS’ academic requirements into actual cybersecurity controls that companies can implement.
It’s not the only NIST guide that does this, as others such as SP 800-53 and SP 800-60 perform the same function with fewer controls. As with all other NIST publications, NIST SP 800-171 draws heavily from NIST’s baseline document, the Cybersecurity Framework (CSF).
NIST SP 800-171 is focused primarily on CUI, as its name implies. To fully protect this data class, DIB companies must also implement the other SPs named above and two Federal Information Processing Standards (FIPS): FIPS Publication 199 and FIPS Publication 200.
SP 800-171 Requirements by Family
At the core of NIST SP 800-171 are 14 “Requirement Families” and 110 controls or practices called “Requirements,” some “Basic” and some “Derived.” The scheme breaks down as follows:
- Access Control – This comprises 22 Requirements (two Basic, 19 Derived) that restrict users’ access to CUI through account management (see Authentication and Identification).
- Awareness and Training – This comprises three Requirements (two Basic, one Derived) that define scheduling and topic requirements for regular and special training at all personnel levels.
- Audit and Accountability – This comprises nine Requirements (two Basic, seven Derived) that define basic protocols for regular audits, audit logging, and audit logs protection.
- Configuration Management comprises nine Requirements (two Basic, seven Derived) that require immediate removal and replacement of default, vendor-supplied security settings.
- Identification and Authentication – This comprises 11 Requirements (two Basic, nine Derived) built on Access Control that further define user account responsibilities, rights, etc.
- Incident Response – This comprises three Requirements (two Basic, one Derived) that govern a company’s systematic short- and long-term response(s) to cybersecurity incidents.
- Maintenance – This comprises six Requirements (two Basic, four Derived) that govern all scheduling and protocols for routine maintenance and special, reparative procedures.
- Media Protection – This comprises nine Requirements (three Basic, six Derived) that govern physical and virtual media protection related to protected information classes.
- Personnel Security – This comprises Just two Basic Requirements that govern procedures for recruitment, hiring, onboarding, movement, and personnel termination at all levels.
- Physical Protection – This comprises six Requirements (two Basic, four Derived) that restrict physical and proximal access to protected spaces, workstations, and individual devices.
- Risk Assessment – This comprises three Requirements (one Basic, two Derived) that govern the organization’s approach to overall analysis and mitigation of identified risks and threats.
- Security Assessment – This comprises four Basic Requirements that govern scheduling and protocols for regular assessments (not mistaken for audits — see above).
- System and Communications Protection – This comprises 16 Requirements (two Basic, 14 Derived) that define protective measures for traffic, especially on unprotected networks.
- System and Information Integrity – This comprises seven Requirements (three Basic, four Derived) that ensure delivery and fidelity of security measures, as per plans and requirements.
All of these controls must be implemented simultaneously for NIST SP 800-171 compliance. But companies now have the opportunity to spread out implementation through CMMC adoption.
CMMC Framework at a Glance
To facilitate the adoption of all DFARS’ required practices, from NIST SP 800-171 and other texts, the Office of the Under Secretary of Defense for Acquisition and Sustainment developed CMMC. It allows for a slower, more gradual adoption of controls across five stages:
- Maturity Level 1 – This focuses on FCI safeguards, with the first 17 Practices constituting “basic cyber hygiene” and a Process maturity goal of simply “performed.”
- Maturity Level 2 – This focuses on the overall transition to Level 3, with 55 new Practices constituting “intermediate cyber hygiene” and a Process maturity goal of “documented.”
- Maturity Level 3 – This focuses on the shift of protections more toward CUI, with 58 new Practices constituting “good cyber hygiene” and a Process maturity goal of “reviewed.”
- Maturity Level 4 – This focuses on CUI, as well as Advanced Persistent Threats (APT), with 26 new Practices constituting “proactive” defense architecture and a Process maturity goal of “reviewed.”
- Maturity Level 5 – This focuses almost entirely on CUI and APTs, with 15 final Practices constituting “advanced” or “progressive” and a Process maturity goal of “optimizing.”
By Maturity Level 3, companies will have implemented all of NIST SP 800-171. Then, the final two levels focus on building out the most advanced controls to meet and exceed DFARS.
CMMC Domains, Capabilities, and Practices
The CMMC framework comprises 17 “Domains,” including all 14 Families from NIST SP 800-171 and three new areas. The Domains house 43 “Capabilities” along with 171 “Practices” analogous to NIST’s Requirements. They break down as follows:
- Access Control (AC) – This comprises four Capabilities and 26 Practices, overlapping with NIST, that further restrict access through account and access session management.
- Asset Management (AM) – This comprises two Capabilities and two Practices, independent of NIST that define inventory management procedures of all hardware and software.
- Audit and Accountability (AU) – This comprises four Capabilities and 14 Practices, overlapping with NIST, that further define user account specifications (along with AC).
- Awareness and Training (AT) – This comprises two Capabilities and five Practices, overlapping with NIST, that further develop breadth and depth of training program requirements.
- Configuration Management (CM) – This comprises two Capabilities and 11 Practices, overlapping with NIST, that specify more robust security controls to replace factory defaults.
- Identification and Authentication (IA) – This comprises one Capability and 11 Practices, overlapping with NIST, including more vital account management (MFA, encryption, etc.).
- Incident Response (IR) – This comprises five Capabilities and 13 Practices, overlapping with NIST, that further flesh out requirements for organization-wide response measures.
- Maintenance (MA) – This comprises one Capability and six Practices, overlapping with NIST, defining stronger and more nuanced routine and unique maintenance protocols.
- Media Protection (MP) – This comprises four Capabilities and eight Practices, overlapping with NIST, that build out more varied and specific protections for particular media types.
- Personnel Security (PS) – This comprises two Capabilities and two Practices, overlapping with NIST, that further define personnel procedures before, during, and after employment.
- Physical Protection (PE) – This comprises one Capability and six Practices, overlapping with NIST, that further restrict individuals’ access to protected perimeters and endpoints.
- Recovery (RE) – This comprises two Capabilities and four Practices, independent of NIST, that define best practices for short- and long-term recovery during and after a security incident.
- Risk Management (RM) – This comprises three Capabilities and 12 Practices, overlapping with NIST, that further specify the organization’s approach to risk analysis and mitigation.
- Security Assessment (CA) – This comprises three Capabilities and eight Practices, overlapping with NIST, defining scheduling and protocols for assessment (independent of AU).
- Situational Awareness (SA) – This comprises one Capability and three Practices, independent of NIST, that govern personnel’s understanding of environmental and incidental risk factors.
- Systems and Communications Protection (SC) – This comprises two Capabilities and 27 Practices, overlapping with NIST, that build on securing network traffic requirements.
- System and Information Integrity (SI) – This comprises four Capabilities and 13 Practices, overlapping with NIST, that further specify integrity and maintenance requirements.
Implementation across Maturity Levels is cumulative, so the new Practices and Process goals for a given Level build upon those from the previous ones (i.e., 130 total Practices at Level 3).
DFARS Compliance at a Glance
Across the DFARS cybersecurity requirements that companies need to meet, the DoD contracts you may be seeking can be quite challenging to secure. You’ll need to prove full protection for CUI and FCI through compliance with NIST SP 800-171 and other frameworks — CMMC is one way to streamline these requirements, but it presents its unique challenges.
RSI Security offers a suite of comprehensive DFARS services, focusing on NIST compliance, to help your company meet and exceed all these requirements. No matter your current security posture, we’ll begin with a thorough gap analysis and patch availability report to identify areas you need to address. Then, we’ll work with you to build out all the required infrastructure, practices, and other cyberdefense necessities to fully protect stakeholders in the DoD.
Benefits of CMMC Focused Advisory Services
If your company has already implemented some or all of the NIST SP 800-171 requirements, you may benefit more from our targeted CMMC advisory and certification package. RSI Security is verified by the CMMC Accreditation Body as a Certified Third-Party Assessment Organization (C3PAO). So, we can help you build what you need and finalize your certification.
Our team of experts has helped companies of all sizes with cybersecurity solutions for over a decade. Contact RSI Security today to see how easy DFARS compliance requirements can be.