Home | Our Services
Request a FREE Consultation here:
MORE ON SECURITY COMPLIANCE:
Why should Contractors care about DFARS Compliance?
Our increasingly digitized world has provided many avenues for innovation and creativity to flourish, but with it comes numerous risks and dangers. More frequently these days, we hear news about a new exploit or security compromise that has caused irrevocable damage to a company’s reputation, finances, or in some cases; its ability to function at all. With this growing concern, the government has begun requiring its contractors to maintain an effective and compliant security environment for doing business. Because of this, Information Security goes beyond just IT or legal concerns, but rather, encompasses an operational challenge required to conduct business at all. In this era, it has become increasingly important to consider the cyber security infrastructure of your company, and ensure it is adequately prepared for any trials the future possesses. For many government contractors, this preparation is combined with a business need, as the Department of Defense introduced an information security requirement through DFARS.
The Department of Defense has mandated through DFARS 252.204-7012 that all contractors in possession of Controlled Unclassified Information (CUI) must meet the minimum-security requirements outlined in NIST SP 800.171. These controls must be implemented at both the contractor and subcontractor levels in order to be considered compliant with DFARS or risk losing contracts for failure to comply.
In order to maintain your organizations current contracts and ensure you are well prepared for future regulations and threats it is important to pay attention to and implement the controls outlined in the NIST SP 800.171 requirements. The future is uncertain and new threats are always hiding around the corner – be prepared to handle them so your organization can continue to prosper.
What are DFARS Requirements?
The main things to consider when striving for compliance with DFARS are the NIST SP 800.171 controls, the Cyber Incident Reporting requirements, and what to do when an incident occurs as as it pertains to record keeping of all information that may be required for a DoD investigation.
NIST Standards – The security controls themselves are detailed in the NIST Special Publication 800.171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” NIST SP 800.171 contains a wide variety of controls covering many different aspects of cybersecurity practice that can ensure your company is well protected against cyber threats and has the capability to handle them when they occur. With the publication of DFARS 252.204-7012, NIST SP 800.171 was made the core backbone of DFARS security control enforcement.
In addition to the security controls, DFARS has many requirements for how to properly report incidents when they occur. Covering everything from the required isolation of malware, to preserving images affecting information systems – all the way through network monitoring records and how to submit them to the DoD – these are just some of the essential practices needed to demonstrate compliance to the DFARS regulation..
In addition to requiring the implementation of NIST SP 800.171 there are many specific procedural requirements that need to be followed in order to properly report security incidents when they occur. These include the security incident report itself, as well as how to handle any malware or media preservation requirements to ensure they are available should the DoD need to investigate further. Some details about these requirements are included below.
Cyber Incident Report
- Must conduct an evidence review of compromised covered defense info (identify compromised computers, servers, specific data, user accounts, etc. or anything that affects ability of contractor to provide support)
- Rapidly report incidents to DoD at http://dibnet.dod.mil
- Incident Report must be treated as info created by/for DoD and include at a minimum, requirements from http://dibnet.dod.mil
- To report incidents a Medium Assurance Certificate is Required
Malicious Software – When Malware is discovered/isolated in connection with a security incident, it will need to be submitted to the DoD Cyber Crime Center in accordance with instructions provided by DC3 of the Contracting Officer. DO NOT send malicious software to the Contracting Officer.
Media Preservation and Protection – Upon discovery of the security Incident, preserve images of all known affected information systems (those identified in Incident Report) and all monitoring/packet capture data for at least 90 days following submission of the Cyber Incident Report to allow DoD to request media or decline interest.
WE WORK IN PARTNERSHIP WITH YOU
WE USE AN INNOVATIVE APPROACH
- Platform Security – The processes and infrastructure of MS datacenters to keep information safe
- Secure Access and Sharing – The access management and share settings to ensure sensitive data is not inadvertently disclosed
- Awareness and Insights – Complete visibility to make informed decisions, track, and account for all file activity to include full transparency with reporting and alerts
- Information Governance – The ability to govern the lifecycle of data, including deletion and retention policies, eDiscovery, Mobile Device Management, Single Sign-On, Multi-Factor Authentication and Legal Holds
- Compliance – A service that meets the latest security compliance standards in the industry