Years ago, governments defended themselves through espionage and military engagement. Today, there are still plenty of both. However, the form they’ve taken has changed drastically. Physical spies have given way to higher levels of digital reconnaissance. To defend against these threats, the U.S. government created the Defense Federal Acquisition Regulation Supplement (DFARS) in 2017.
Without getting too deep into how DFARS functions as an organization, and what countries need to be aware of DFARS compliance, here we’ll go through a complete step-by-step breakdown of how to become DFARS compliant.
Naturally, a government mandate tasked with protecting sensitive information is going to be extremely comprehensive and (at times) exhausting. NIST SP 800-171 is essentially all the inputs, outputs, regulations and requirements for any business looking to complete its DFARS compliance statement.
Your DFARS Compliance Options
If your business needs to be DFARS compliant, you have two basic options. The first is to choose an experienced partner, like RSI Security, that will take care of your compliance advisory services and help make your DFARS compliance journey significantly less frustrating. A compliance partner will have considerable experience with NIST SP 800-171, the ridiculously dense “treasure map” to the end goal of DFARS compliance.
Partners also have relationships with the Department of Defense (DoD) and other government agencies and contractors that will help streamline the compliance process. The second option is to take a do-it-yourself approach. In that case, you’ll need a copy of NIST Handbook 162, which is a helpful self-assessment roadmap for DFARS compliance. Either way, it’s important to read on to get a firm grasp on all of the important steps required for sufficient DFARS compliance.
Step One: Conduct Initial Assessment
As with any technical certification process, the first step is assessing your current state and getting a sense of how much work you have ahead of you. To do that, you’ll need to assess all aspects of your technical system. Remember that the main purpose of DFARS is to protect any and all sensitive information at all times.
That means all information, whether it is being processed, stored, transmitted or anything in between, must be properly under lock and key. That also includes any information that you share with subcontractors and associates.
Below is the short version of what you’ll need to do before beginning the assessment phase:
- Educate personnel to ensure that all adequate security policies are on record and understood by employees.
- Institute specific objectives and scope for the assessment.
- Develop a timeframe for assessment completion.
- Establish an assessment team, communication channels and collect all applicable DFARS compliant material(s) such as: designs, manuals, documents, agreements, legal records, specifications and more.
Once you have a team, a timeline and all pertinent information, you can begin the assessment. Here are some good starting points:
- Learn the intricacies of your company’s operations and how the information system supports those operations. Educate yourself on the information system, its structure, the inputs and outputs, controls etc.
- Meet and learn from the personnel who established the system and those in charge of maintaining it.
- Ensure everyone understands the assessment objectives.
- Gather any data, information or records from any previous assessment, cross-reference them with the current plan and sift through what can be reused and what needs to be updated.
- Develop and document your assessment plan.
Step Two: Map System Deficiencies
One tried and true method for finding and planning the improvements required for your information system starts with questions posed by the NIST SP 800-171 handbook. For every question, you should have an answer with a detailed explanation. These are called “assessment results,” and go something like this:
- For every “Yes” answer, there should be an accompanying detailed explanation as to how your information system meets the requirement.
- For every “No” answer, there should be an explanation for why the requirement hasn’t been met. There should also be a plan for how to rectify the issue, the timeline for its completion and how the planned resolution will be implemented.
- There will be times your answer won’t be a “Yes” or a “No.” In that case, fill in “Partial” along with an explanation as to why it’s partial and the plan for changing it from “Partial” to “Yes.”
- There will also be times (although typically few) that your answer will be “Does not apply.” As before, there should also be an explanation as to why this particular security question doesn’t apply to your information system.
- The last possible answer you may record during your assessment will be “Alternate approach.” As before, you will have to explain what the alternative approach is and why it is just as effective as the one required in the handbook. It should also explain how the information system uses the alternative approach effectively.
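The five answer types above each carry their own documentation obligations (an explanation for every answer, a remediation plan and timeline for “No” and “Partial,” and a justification for “Alternate approach”). The following added example, which is not part of the original post or any RSI Security tooling, encodes those rules as a small validator so an assessment team can catch incomplete records before they reach the final report. The requirement IDs and text in the sample data are constructed for illustration; only the answer categories and the completeness rules come from the article.

```python
"""Completeness checker for NIST SP 800-171 self-assessment results.

Added example (not from the original post). It enforces the documentation
rules the article describes for each answer type. Sample entries are
constructed for the demo and do not describe any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple, Dict

# The five answers the article says an assessment record may hold.
ALLOWED_ANSWERS = {"Yes", "No", "Partial", "Does not apply", "Alternate approach"}


@dataclass
class AssessmentResult:
    requirement_id: str                  # sample ID, e.g. "3.1.8" (hypothetical)
    answer: str
    explanation: str = ""                # how the requirement is (or is not) met
    remediation_plan: str = ""           # required for "No" and "Partial"
    target_date: str = ""                # ISO date, required for "No" and "Partial"
    alternative_justification: str = ""  # required for "Alternate approach"


def validate(result: AssessmentResult) -> List[str]:
    """Return the list of deficiencies for one record (empty means complete)."""
    rid = result.requirement_id
    if result.answer not in ALLOWED_ANSWERS:
        return [f"{rid}: unknown answer {result.answer!r}"]
    problems = []
    # Every answer type, including "Yes" and "Does not apply", needs an explanation.
    if not result.explanation.strip():
        problems.append(f"{rid}: missing explanation")
    # Unmet or partially met requirements need a plan and a completion timeline.
    if result.answer in ("No", "Partial"):
        if not result.remediation_plan.strip():
            problems.append(f"{rid}: missing remediation plan")
        try:
            date.fromisoformat(result.target_date)
        except ValueError:
            problems.append(f"{rid}: missing or invalid target date")
    # An alternate approach must be justified as equally effective.
    if result.answer == "Alternate approach" and not result.alternative_justification.strip():
        problems.append(f"{rid}: missing justification for alternate approach")
    return problems


def summarize(results: List[AssessmentResult]) -> Tuple[Dict[str, int], List[str]]:
    """Count answers per category and gather every deficiency across the set."""
    counts = {answer: 0 for answer in ALLOWED_ANSWERS}
    deficiencies: List[str] = []
    for r in results:
        if r.answer in counts:
            counts[r.answer] += 1
        deficiencies.extend(validate(r))
    return counts, deficiencies


# Constructed sample data: one complete record per answer type plus one
# deliberately incomplete "No" record so the checker has something to flag.
SAMPLE_RESULTS = [
    AssessmentResult("3.1.1", "Yes",
                     explanation="Accounts are provisioned through the central directory and reviewed quarterly."),
    AssessmentResult("3.1.8", "Partial",
                     explanation="Lockout is enforced on the VPN but not on the legacy file server.",
                     remediation_plan="Apply the lockout policy to the file server.",
                     target_date="2024-06-30"),
    AssessmentResult("3.5.3", "No",
                     explanation="Multifactor authentication is not yet deployed for local accounts."),
    AssessmentResult("3.8.9", "Does not apply",
                     explanation="No backup media leaves the facility; backups stay on the isolated network."),
    AssessmentResult("3.10.1", "Alternate approach",
                     explanation="The facility has no badge system.",
                     alternative_justification="A staffed reception desk logs and escorts every visitor."),
]

if __name__ == "__main__":
    counts, deficiencies = summarize(SAMPLE_RESULTS)
    print(counts)
    for d in deficiencies:
        print("DEFICIENCY:", d)
```

Running the module prints the answer counts and flags the “No” record for its missing plan and date; the same `validate` function can be run over a full spreadsheet export before the assessment results are finalized.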
Step Three: Decide What Needs Protection
Now that you have your assessment prepared, you can use it to review the cybersecurity requirements and components set forth for DFARS compliance. DFARS was created to protect sensitive information, or “Controlled Unclassified Information” (CUI), in whatever form it takes. To make it “easy,” the DoD categorized the security requirements into 14 “Families.” These 14 families are what you must apply your assessment toward to ensure you are DFARS compliant. The 14 families are as follows:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Cyber Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Each of these families has its own protocols that must be met in order to be DFARS compliant. Some families have many security requirements; others may only have a few. Regardless of how many DFARS requirements each family has, each and every one must be checked off. Otherwise, you risk losing DFARS compliance as well as any DoD and government contracts that go along with it. Luckily, the DFARS Compliance Checklist can help simplify this process. We will briefly define and discuss each family, giving you an idea of what is required. For a full list, check out the DoD’s self-assessment handbook.
DFARS Family Security Controls Defined
Finally, continue to familiarize yourself with the family security controls as defined by DFARS. Below is a helpful primer:
- Access Control: Access control is one of the more expansive security controls. That makes sense, since its role is to govern and monitor all access to the information system. Access controls define who gets access, record who has accessed the system, control the flow of information and much, much more.
Access control is extremely complicated and requires hours of testing, reconfiguring and retesting until all security controls are operating as expected. Mobile device encryption, limiting unsuccessful login attempts, managing remote access points and authorization also fall under access control. Without strong access control, hackers can easily infiltrate a system, glean all the sensitive information they want and leave without a trace. The ultimate goal is to make any unauthorized access impossible.
- Awareness and Training: This security control is pretty self-explanatory, but the execution is important. All employees, subcontractors and personnel must be properly trained and briefed on proper security protocols. The largest most expensive security system on Earth isn’t worth much if employees leave the back door open for hackers.
- Audit and Accountability: In the case of a security breach, an audit system must be in place so a similar occurrence can be avoided. A proper audit and accountability system allows authorized users to track all movement within the system. The system must be able to generate reports on demand, including timestamps.
In the end, the system should provide exactly what the family security control is named, auditing and accountability, for everyone involved. Vital information is being entrusted to your system. If you can’t provide an explanation for any missteps, you risk losing DFARS compliance.
- Configuration Management: The ecosystem of an information system isn’t static. Information is moving in and out while other information is being stored. The key to strong security is simplicity. Configuration management is ensuring everything is as it’s supposed to be, even as everything is changing. Limiting access to authorized users, and only as far as it pertains to their job, is an example of configuration management. Another would be tracking and reviewing all changes to the information system before approving or rejecting them.
- Identification and Authentication: This family is of the “easy to explain harder to execute variety.” All users of an information system must be identified, tracked and authorized with the proper security protocol. That means two-step authentication, disabling non-active users, enforcing password security protocol and more.
- Incident Response: By becoming DFARS compliant, in essence, you have become a bank, a bank filled with valuable information. In the case of a robbery, the bank knows who to call, and the same must be true for you. This family also includes proper tracking and documentation of the incident, which is forwarded to the proper authorities. You also need to test your incident response team’s capabilities.
- Maintenance: Maintenance is required for just about everything, but it becomes a little trickier when the system in question contains sensitive information. Naturally, all systems must be serviced, but only by authorized persons, or by unauthorized persons whose work is continually monitored. Any system that requires replacement must first be scrubbed of any vestige of sensitive information.
- Media Protection: In this case, media has nothing to do with the press. Instead, this family refers to the media stored on the information system, both print and digital. Access to media that is marked CUI must be limited to authorized users. If any media is to be removed from the system, it must be sanitized of CUI. There should also be tracking and documentation for media access, whether the media is marked CUI or not. Essentially, you are responsible for all media contained within your information system, just as you are responsible for the access controls.
- Risk Assessment: The risk assessment family is one of the easier, less time-consuming security controls. To become DFARS compliant you must periodically test the security of your information system for leaks or weak points. You must gauge how effective your controls are and whether any improvements are required. If any deficiencies are detected, they must be addressed at once. Ultimately, your risk assessment should return with minimal to no vulnerabilities. Risk assessment also means continual monitoring, not just spot checks every few months.
- Security Assessment: Similar to the risk assessment except you aren’t testing your system for vulnerabilities as much as testing the controls themselves. You must ensure that all controls are working correctly and are adequately protecting the system from infiltration. Inevitably you will eventually find areas that must be marked for improvement. These deficiencies must be recorded and eliminated. Just like the risk assessment, continuous monitoring is required.
- System and Communications Protection: Whether internal or external, communications are potential entry points for hackers. They can also be susceptible to the wrong type of person listening in, hoping to learn of vulnerabilities that they can exploit within the system. Other requirements of this family include segmentation of information spaces, especially relating to CUI, utilizing cryptographic keys to secure information transmissions and terminating network communications at the end of a session or after a predetermined period of inactivity.
- System and Information Integrity: In some ways system and information integrity is a combination of the previous three. Information systems develop bugs and flaws over time. In this control, you must report, record and correct all system flaws. There must be protections against viruses and malicious code at the proper access points. These protections must be updated to ensure the safety of the system. Just like risk and security assessments, continual monitoring is required of inbound and outbound communications to deter attacks. There also must be periodic scans, including real-time scanning, as files are downloaded, shared and opened.
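Three of the controls named in the Access Control, Audit and Accountability, and System and Communications Protection families above (limiting unsuccessful login attempts, producing timestamped audit records on demand, and terminating a session after a predetermined period of inactivity) are concrete enough to show in code. The following added example is not from the original post or from any RSI Security product; it is a small, self-contained monitor that enforces those three behaviours. The thresholds (three failures, a 15-minute lockout, a 10-minute idle timeout), the user name and the fake clock are all constructed for the demonstration, and a real deployment would take them from policy and the system clock.

```python
"""Login lockout, idle-session termination and a timestamped audit trail.

Added example (not from the original post). The AccessMonitor class keeps
per-user failure counts, locks an account after a configurable number of
failures, expires sessions that sit idle too long, and records every
decision with a timestamp so an auditor can reconstruct what happened.
"""
from datetime import datetime, timedelta, timezone


class AccessMonitor:
    def __init__(self, max_failures=5, lockout=timedelta(minutes=15),
                 idle_timeout=timedelta(minutes=10), clock=None):
        self.max_failures = max_failures
        self.lockout = lockout
        self.idle_timeout = idle_timeout
        # The clock is injectable so the demo and tests are deterministic.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._failures = {}      # user -> timestamps of recent failed attempts
        self._locked_until = {}  # user -> time the lockout expires
        self._sessions = {}      # session id -> (user, last activity time)
        self._next_sid = 1
        self.audit = []          # (ISO timestamp, event, user, detail)

    def _log(self, event, user, detail=""):
        self.audit.append((self._clock().isoformat(), event, user, detail))

    def is_locked(self, user):
        until = self._locked_until.get(user)
        return until is not None and self._clock() < until

    def login(self, user, password_ok):
        """Record one login attempt; return a session id on success, else None."""
        now = self._clock()
        if self.is_locked(user):
            self._log("LOGIN_REJECTED_LOCKED", user)
            return None
        if not password_ok:
            # Keep only failures inside the lockout window, then add this one.
            recent = [t for t in self._failures.get(user, []) if now - t < self.lockout]
            recent.append(now)
            self._failures[user] = recent
            if len(recent) >= self.max_failures:
                self._locked_until[user] = now + self.lockout
                self._failures[user] = []
                self._log("ACCOUNT_LOCKED", user, f"{self.max_failures} failures")
            else:
                self._log("LOGIN_FAILED", user, f"failure {len(recent)}")
            return None
        self._failures.pop(user, None)
        sid = f"sess-{self._next_sid}"
        self._next_sid += 1
        self._sessions[sid] = (user, now)
        self._log("LOGIN_OK", user, sid)
        return sid

    def touch(self, sid):
        """Refresh a session; terminate it and return False if it sat idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        user, last = entry
        now = self._clock()
        if now - last > self.idle_timeout:
            del self._sessions[sid]
            self._log("SESSION_TERMINATED_IDLE", user, sid)
            return False
        self._sessions[sid] = (user, now)
        return True

    def report(self, user=None):
        """On-demand audit report, optionally filtered to one user."""
        return [e for e in self.audit if user is None or e[2] == user]


class FakeClock:
    """Constructed clock for the demo; advance() stands in for elapsed time."""
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, delta):
        self.now += delta


def demo():
    clock = FakeClock(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    m = AccessMonitor(max_failures=3, lockout=timedelta(minutes=15),
                      idle_timeout=timedelta(minutes=10), clock=clock)
    for _ in range(3):
        m.login("alice", password_ok=False)   # third failure triggers the lockout
    locked = m.is_locked("alice")
    rejected = m.login("alice", password_ok=True)   # correct password, still locked
    clock.advance(timedelta(minutes=16))             # lockout has expired
    sid = m.login("alice", password_ok=True)
    clock.advance(timedelta(minutes=5))
    alive = m.touch(sid)                             # within the idle timeout
    clock.advance(timedelta(minutes=11))
    alive_after_idle = m.touch(sid)                  # idle too long: terminated
    return m, locked, rejected, sid, alive, alive_after_idle


if __name__ == "__main__":
    monitor, *_ = demo()
    for entry in monitor.report("alice"):
        print(entry)
```

The `report` method is the piece an auditor would call: every entry carries an ISO 8601 timestamp, the event, the user and a detail field, which is the minimum needed to show who was locked out, when, and why a session ended. In production the audit list would be written to append-only storage rather than kept in memory.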
The United States of America is one of the most powerful countries in the world. With great power comes great responsibility, and that is especially true when it comes to information systems. Becoming DFARS compliant is a high bar, only for those willing to accept the costs, risks and consequences associated with such sensitive information. The process is long, time-consuming and difficult. However, the rewards of DoD contracts are substantial and worth the investment if you are prepared. RSI Security has been helping businesses big and small become DFARS compliant through provided support of cybersecurity solutions for more than 8 years. Check out our website for more information.