The Defense Federal Acquisition Regulation Supplement, or DFARS, is a set of security standards created by the Department of Defense to protect information handled by external contractors. These rules apply to all contractors with the DoD who “process, store or transmit” Controlled Unclassified Information (CUI).
Cybersecurity Requirements of DFARS
The two foundational points of DFARS are adequate security of information and rapid reporting of any breach.
Information security standards are broken down into 14 areas of focus:
- Access Control
- Awareness & Training
- Audit & Accountability
- Configuration Management
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System & Communications Protection
- System & Information Integrity
Each of the points above is detailed and explained in an 83-page document entitled NIST Special Publication 800-171. This document, in turn, references two other documents that explain each point in greater detail.
With respect to incident reporting, time is of the essence. Any data breach must be reported to the DoD within 72 hours of its discovery. The fine print of the regulation specifies exactly what constitutes a reportable incident, including any unauthorized access to information or any loss of control of information. Detailed transparency guidelines govern how a contractor is required to cooperate with a DoD investigation.
Compliance Procedures
All contractors who have any exposure to CUI must be very familiar with the full detailed set of rules and requirements. Within 30 days of being awarded a contract, the company must produce a written report of any areas of the DFARS standards with which it is not fully compliant. Through the contracting officer, these companies have the right to propose alternate security measures, as long as those measures are at least as stringent as the ones required by DFARS.
Guidelines Permit Outsourcing of Cybersecurity
The DoD is well aware that many small manufacturers aren’t equipped to comply with highly detailed cybersecurity requirements in-house. Therefore, it specifically allows these functions to be outsourced. Costs incurred in meeting these requirements may sometimes be recoverable, and details about this possibility are also available from the DoD. Cloud data storage providers must meet a set of standards called the FedRAMP “moderate” security requirements. They must also comply with all incident reporting and other requirements.
If you’d like to learn more about outsourcing your DFARS compliance to a cybersecurity company, get a Free Compliance Assessment.
Sources:
https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars800-171-compliance
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf