In January and February, hackers from the Chinese government breached a Navy contractor. The data that they stole covered undersea warfare. One of the most troubling pieces of information taken in the breach was supersonic anti-ship missile plans. More than 600 GB total of sensitive and secret data was compromised in this attack.
The Navy contractor failed to follow DFARS regulations for the storage and protection of the data it was working with. Similar attacks conducted by Chinese hackers also focus on contractors supporting US military branches, rather than attacking federal government agencies directly.
How DFARS Compliance Could Have Prevented This Breach
The information taken in this recent attack was stored on an unclassified network. DFARS requires that government contractors have security controls in place on this type of network, which may have thwarted the hackers’ efforts in this situation.
Many DFARS requirements fall under cybersecurity best practices that a contractor should already be following as a matter of course.
DFARS covers these areas:
- Access control for the authorized users of the system
- Training employees and making them aware of cybersecurity measures
- Auditing the security of the system and key areas
- Putting together incident management plans
- Establishing accountability and configuring the network to keep data safe
- Identifying and authenticating users
- Maintaining the systems
- Protecting media
- Establishing personnel security
- Implementing physical protection
The Liability of Non-compliance
Failing to comply with DFARS leads to one or more consequences for the government contractor. At the basic level, the business is failing to adhere to the contract between it and the government agency. The security requirements are laid out in DFARS, so there is no lack of clarity in what they need to do.
Other consequences of not complying with DFARS include:
- Liquidated damages: If a contractor loses sensitive information, that can lead to substantial problems for the government agency. It may choose to penalize a company up to $5,000 per affected person, which can add up quickly in a data breach.
- Terminating the contract: The government agency may choose to dissolve the agreement with the contractor. This situation could lead to financial ruin for the company, as it loses a steady contract and has its reputation sullied in the eyes of other clients.
DFARS Compliance Resources
Becoming compliant with DFARS requirements may involve more than the in-house IT staff. The regulations cover everything from how users access the system to the procedures around physical access to the servers. The cybersecurity requirements can get even more complicated if a contractor uses a hybrid infrastructure with public and private clouds alongside on-premises systems.
A DFARS compliance consultant has extensive experience with these regulations, having worked with multiple contractors to ensure that each business meets the cybersecurity requirements.
This skilled assistance is particularly helpful when a government contractor is first going through the compliance process or following a non-compliance problem. Their entire job revolves around making sure that contractors are following the rules, as well as staying on top of any changes to them. They are an invaluable asset to keep on hand.
DFARS compliance could have led to a much different outcome in the cyber attack mentioned at the beginning of this article. Cybersecurity best practices make it more difficult for hackers to find vulnerable attack surfaces or gain access through social engineering. Government contractors should check their compliance and bring in additional help as needed to remain up to date on the latest regulations.