DFARS Checklist: How to Comply with DFARS Regulations
Make alignment with DFARS compliance regulations easier!
The Glossary of DFARS Compliance Terms
What is DFARS?
DFARS, or Defense Federal Acquisition Regulation Supplement, was written to provide basic security controls that government contractors and subcontractors should have in place on their information systems. The scope of DFARS is defined as:
“... DFARS provides a set of ‘basic’ security controls for contractor information systems upon which this information resides. These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171 ‘Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.’”
In short, DFARS outlines the security controls you need to have in place on any information system that’s storing data.
Why Was DFARS Compliance Implemented?
Today, cybersecurity breaches pose a greater threat to organizations than ever before. The amount of sensitive data generated by the U.S. government and its contractors increases every minute, and it’s vital that these entities know how to protect data from threats that grow increasingly sophisticated. Hackers are now using methods like Advanced Persistent Threat (APT) attacks, which use prolonged, targeted methods to break into information systems. In an effort to combat these types of attacks, DFARS outlines security steps that organizations should take.
What Does DFARS Cover?
DFARS compliance helps you protect two types of data: Controlled Unclassified Information (CUI) and Covered Defense Information (CDI). CUI covers all data that may be sensitive but is not classified. CDI is controlled defense-related information that could be used by the military.
Here are some basic DFARS-related terms you should know:
- Adequate Security - The implementation of protective measures that mitigate the potential for unauthorized access to data.
- Contractor Attributional/Proprietary Information - Any information that identifies a contractor or could be traced back to a contractor, or identifies individuals, trade secrets, financial information, or sensitive proprietary information.
- Controlled Technical Information (CTI) - Technical information with military or space application subject to security controls. (Does not apply to publicly accessible information.)
- Covered Contractor Information System - Unclassified information systems owned or used by government contractors to store or share defense information.
- Covered Defense Information (CDI) - Controlled technical information that is unclassified; a type of CUI.
- Enhanced Security Controls - Security controls required in specific circumstances beyond those outlined for contractors and subcontractors in NIST SP 800-171.
- Government Data - Any data, document, technology, or media used by government entities or contractors for government purposes.
- Information System - A solution used for the processing, storage, sharing, or organization of data.
- Media - Physical devices on which data is housed (USB devices, tablets, discs, printed documents, etc.)
- Multi-Factor Authentication (MFA) - Using multiple methods of authenticating a user’s identity, generally using something you know (password) in combination with something you have (one-time password or biometric identifier).
- Operationally Critical Support (OCS) - Supplies or services critical for transportation or logistical support for the mobilization, deployment, or sustainment of the Armed Forces in a contingency operation.
- Procedures, Guidance, and Information (PGI) - A companion resource to DFARS outlining internal DoD procedures.
- Plan of Action & Milestones (POA&M) Document - A document that should be created in conjunction with the System Security Plan to address any required security controls that have not yet been implemented, including projected compliance date and actions that you plan to take to meet compliance requirements.
- Rapidly Report - The timeframe within which cybersecurity incidents should be reported - 72 hours after discovery.
- Risk Management Framework (RMF) - The information security framework government agencies and their contractors are required to use.
- Supply Chain Risk Management (SCRM) - Strategies designed to mitigate supply chain risk using continuous risk assessments.
- System Security Plan (SSP) - A document outlining how each NIST 800-171 required security control has been implemented. This document should be regularly updated to reflect changes in your security controls or DFARS compliance efforts.
- Technical Information - Any data or software that falls under DFARS’s Rights in Technical Data-Non Commercial Items.
The following agencies play a role in DFARS compliance:
- Department of Defense (DoD) - Provides military forces needed to protect the country and deter war.
- Defense Security Service (DSS) - Provides security for the Department of Defense, including security and oversight for government contractors.
- Defense Contract Management Agency (DCMA) - Provides contract management for the DoD and other government agencies, and works to ensure contracts are fulfilled on time and on budget.
- Federal Risk and Authorization Management Program (FedRAMP) - Provides guidelines on cybersecurity and cloud security.
- National Archives and Records Administration (NARA) - Preserves government records, and publishes laws, regulations, and other documents.
- National Institute of Standards and Technology (NIST) - Promotes innovation by standardizing measurements.
Federal Acts and Regulations
The following acts and regulations are essential for DFARS compliance:
- Federal Acquisition Regulation (FAR) - Offers guidelines regarding the procurement of goods and services by the United States government.
- DFARS clause 252.204-7012 - Outlines procedures on safeguarding CDI and reporting cybersecurity incidents.
- FAR Final Rule 52.204-21 - Covers how to secure contractor information systems.
- False Claims Act (FCA) - Explains the liability of government contractors who defraud the government.
- NIST 800 - A series of documents explaining government information security policies and procedures.
- NIST SP 800-53 - Outlines security controls for government information systems.
- NIST SP 800-171 - Outlines required protections government contractors should have in place for CUI.
14 Families of NIST SP 800-171 Security Controls
The following security controls must be implemented to maintain DFARS compliance:
- Access Control - Addresses limiting system access to authorized users and authorized functions.
- Audit and Accountability - Addresses generating and preserving audit data so that unauthorized actions can be traced to specific users.
- Awareness and Training - Ensures all personnel understand their role in promoting data security and are trained in best practices.
- Configuration Management - Addresses creating information system configurations and inventories, and maintaining those configurations.
- Identification and Authentication - Ensures identification methods are established for all users (i.e., username and password), and users are authenticated before gaining access to information systems.
- Incident Response - Ensures cybersecurity incidents are detected, contained, and reported to the appropriate internal and external parties.
- Maintenance - Ensures regular maintenance is performed on your information systems, with the appropriate maintenance controls in place.
- Media Protection - Addresses how to protect physical and digital CUI by limiting access to authorized users and sanitizing or destroying CUI media before disposal or reuse.
- Personnel Security - Ensures employees are properly screened prior to granting access to sensitive data, and ensures sensitive data is protected during and after personnel changes, like terminations or transfers.
- Physical Protection - Ensures physical access to your solution is limited to authorized individuals, including the protection of the facility where your solution is housed.
- Risk Assessment - Addresses how to periodically assess risk associated with organizational operations, assets, and individuals handling CUI.
- Security Assessment - Ensures current security controls are assessed, plans are implemented to minimize vulnerabilities, and systems are constantly monitored.
- System and Communications Protection - Addresses how to monitor, control, and protect organizational communications.
- System and Information Integrity - Ensures system flaws are identified, reported, and addressed in a timely manner. Also addresses how to protect solutions from malicious software and take action on security issues as they occur.
About Martin Horan
Founder of FTP Today and an expert in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.