The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that contractors and suppliers for the Department of Defense (DoD) must follow in order to be awarded new contracts. This guide provides detailed information on how DFARS applies to DoD contractors, their minimum requirements and the available options for meeting those requirements.
Under CMMC, organizations that are unable to prove full DFARS / NIST SP 800-171 implementation and continuous monitoring of compliance will not be awarded new DoD contracts and could potentially face fines and the loss of current contracts.
If your company provides services being sold to the Department of Defense (DoD), you are required to comply with the minimum security standards set by DFARS. CUICK TRAC by Beryllium InfoSec helps your organization implement the DFARS requirements you need to be DFARS 252.204-7012 compliant.
Schedule a free consultation online today or call 763-546-8354 to learn how your organization can meet the DFARS cybersecurity standards.
Cyber security technology continues to advance as the severity of security threats escalates. As a result, the federal government is increasing its priority for addressing those threats. Its enforcement of measures for protecting Controlled Unclassified Information (CUI) has become particularly intense for private defense contractors and other nonfederal information systems and organizations that work with the federal government. These entities are frequently required to update their security to meet new requirements.
The DoD published DFARS in December 2015, which maintains the cybersecurity standards specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. The specific purpose of these standards is to protect CUI under the control of DoD contractors. NIST SP 800-171 went into effect on December 31, 2017, which is when contractors were required to meet the minimum standards for DFARS compliance and demonstrate that compliance to the DoD. Failure to comply with these requirements can result in fines, the loss of current DoD contracts and the inability to obtain a government contract in the future.
The following list shows the qualifying countries under DFARS, meaning these countries have a reciprocal defense procurement memorandum of understanding or international agreement with the United States:
Your company must comply with the minimum DFARS standards if it provides procurement for the DoD, whether directly or indirectly. This requirement also applies to DoD prime contractors and subcontractors that process, store or transmit CUI.
The minimum requirements of DFARS regulations are relatively straightforward, despite the increasing complexity of cybersecurity requirements. DoD contractors must provide adequate security for CUI that resides in or moves through their information systems. The purpose of these measures is to prevent unauthorized personnel from accessing and disclosing CUI. DoD contractors must also promptly report security incidents and cooperate with the DoD in responding to those incidents. This process includes allowing DoD personnel to access the affected media.
These requirements sound easy in theory, but the term “adequate security” is open to interpretation. NIST SP 800-171 guidelines group DFARS requirements into 14 categories, which affect many aspects of information security. This document also provides complete details on each requirement for safeguarding CUI. Before they are DFARS compliant, contractors and other non-federal organizations must conduct a readiness assessment that addresses all these requirements and provide objective evidence as proof. The categories of DFARS requirements are as follows:
Meeting these requirements with existing resources is often challenging for contractors who don’t have expertise in technical and security administration areas, like policy and procedure documentation creation. The primary reason for this difficulty is that meeting NIST SP 800-171 requirements is a continuous process of monitoring and assessment to achieve improvement, rather than a one-time fix. DoD contractors must therefore allocate significant resources on an ongoing basis to remain DFARS compliant, especially since these requirements are constantly evolving.
The DoD has been understanding about this challenge, realizing that even the most secure computing environments experience data breaches. Working with a third-party provider for NIST SP 800-171 compliance solutions can allow contractors to achieve the additional security that the DoD requires without making the large capital investment that’s often needed to develop the necessary controls.
DFARS compliance requires organizations to pass a readiness assessment as specified in NIST Special Publication 800-171. Organizations typically require six to ten months to become compliant, depending on their current security posture and available resources. Planning is a key requirement for success in this endeavor, as is the need to treat it as a major project. Contractors must ensure they allocate the funding and other resources ahead of time. They can also hire security specialists to expedite this process and avoid many mistakes.
The following four steps will help ensure your organization is DFARS compliant:
Document the gaps between your current security posture and your desired goal by using the controls listed in NIST SP 800-171. Review all of your contracts to identify the critical provisions with respect to DFARS requirements. Review clause 252.204-7012 of DFARS to identify the types of CUI that apply to your contracts. Check with your contracting officer as needed to determine your applicability. Define the parts of your infrastructure that fall within the scope of your NIST 800-171 compliance, including hardware, software, systems and processes.
Building a remedial plan that’s compliant with NIST SP 800-171 requires you to conduct a control gap analysis against the standards described in that document. You’ll also need to develop solutions for the gaps that you identify. Your subcontractors and other business partners will need to perform these steps to ensure they’re in compliance as well.
Implementing your remediation plan will provide you with the peace of mind of knowing you won’t be subject to fines, the loss of new contract opportunities, or other penalties. This process includes developing new controls or revising existing ones as needed to remedy the control gaps you identified in the previous step. You’ll also need to repeat the validation testing after implementing the remediation plan to confirm the controls are operating effectively. This step will require the approval of your contracting officer.
Developing a plan for continuously monitoring your DFARS compliance requires you to use a variety of templates and other tools to obtain the necessary metrics. You’ll also need to organize monitoring activities and provide current statuses for investors and other stakeholders. This step is needed for the accountability that many stakeholders require.
DoD contractors are likely to receive a stop-work order if a DoD audit determines they’re in non-compliance with DFARS or NIST SP 800-171. This action requires contractors to suspend their work for the DoD until they implement security measures that provide adequate protection for CUI. The DoD can also impose financial penalties, including damages for false claims and breach of contract. Contractors can also lose their contracts with the DoD. In the worst case, the DoD can suspend or even debar the contractor from ever working with the DoD again. NIST SP 800-171 guidelines provide more information on the importance of compliance to the DoD.
CUICK TRAC is a cost-effective turn-key solution from Beryllium that helps DoD contractors and subcontractors receive, process and transmit CUI. Contractors that currently work with the federal government or want to do so can use this solution to become compliant with DFARS requirements.
CUICK TRAC is especially beneficial for contractors that lack the bandwidth and other resources to implement and manage the controls of NIST 800-171 that DFARS 252.204-7012 requires. These contractors have a particular need for a low-cost solution they can implement in a short period of time. Beryllium also offers other services that can help contractors become DFARS compliant and stay that way if CUICK TRAC isn’t the right solution for them.
DFARS requires contractors to report cyber incidents within 72 hours of their discovery, which can be a challenge. Many contractors lack the personnel and other resources needed to continually monitor their security information and event management (SIEM) solution. CUICK TRAC meets this requirement within its virtual enclave, in a shared responsibility with the contractor.
The Cybersecurity Maturity Model Certification (CMMC) serves as a single cybersecurity standard for all future DoD acquisitions. It requires DoD contractors to become CMMC certified beginning in 2021, with renewals every three years. CMMC requires companies to achieve third-party certification for best practices in cybersecurity, which will eventually determine whether the DoD can award a contract to that company. CMMC includes five levels of maturity, which are based on multiple frameworks, such as FAR clause 52.204-21, NIST SP 800-171, NIST SP 800-172 and others.
To become CMMC certified, DoD contractors must undergo a formal assessment by Certified Third Party Assessment Organizations (C3PAOs) to demonstrate their compliance with their target CMMC level. Prime contractors can use CUICK TRAC as a CUI Vendor Risk Management solution for their supply chain and lower-tier suppliers looking to achieve CMMC Level 3. Subcontractors can also use CUICK TRAC to prepare for CMMC in a much shorter time period, at a fraction of the cost of doing it themselves, because of its Infrastructure as a Service (IaaS) and continuous monitoring of compliance program offering.
CUICK TRAC has a highly favorable return on investment (ROI), resulting in average savings of more than $100,000. It’s also quick to implement and can bring an organization into DFARS compliance within weeks, not months. CUICK TRAC helps contractors satisfy all 110 NIST SP 800-171 controls over 14 domains. Furthermore, it provides proof of compliance for contractors that store, process and transmit CUI.
DFARS compliance requires DoD contractors to establish security controls for their current information systems and the data they move, store and process. They also need to ensure they remain compliant as they acquire new systems and data. Contractors often implement these controls effectively, but reduce their vigilance once they’re up and running.
Continuous monitoring is a requirement for DFARS compliance, especially when it comes to applying controls to new systems and data. Contractors must therefore devote the same level of attention to maintaining DFARS compliance as they do when obtaining that compliance in the first place.
CUICK TRAC can help you achieve and maintain DFARS compliance. Schedule a free consultation with our cybersecurity experts to learn more about CUICK TRAC and Beryllium’s other services for helping you avoid fines or the loss of contract award opportunities. Call today at 763-546-8354 or contact us online.