Management, compliance & auditing

What Does It Mean to Be DFARS-Compliant in 2018?

Introduction

In the cyber-threat landscape of today, the hacker is out to get all sorts of information and data and to exploit it for malicious purposes. For example, he or she might be after Social Security numbers, credit card numbers and other related banking information, intellectual property and even the internal data of a business or corporation.

But the corporate sector is just one facet upon which the cyber-attacker has their eye on. The other data gold mine that is in their crosshairs is the United States Federal Government. Obviously, given its gargantuan nature, it possesses a lot of information and data; thus, it must be made secure. Anything hijacked in this regard could prove to be a grave threat to national security.

The federal government has many internal legislations and mandates to protect their datasets. One such example of this is the “Defense Federal Acquisition Regulation Supplement” or simply DFARS for short. This is the focus of this article.

The Origins of DFARS

The CUI is a system that sets the standard for  the handling of unclassified information that cannot be released to the public and other related entities.

In other words, these are data sets that are not top secret in nature, but it does need to be protected from public view by implementation of the proper security controls. This was actually enacted into law by Executive Order 13556, which is also known as the “Controlled Unclassified Information” order. It was passed and signed into law on November 4, 2010. The specific details of this can be seen at this link.

The primary goal of this legislation was to create a set of best practices and standards for the management and safekeeping of the CUI datasets that cut across both civilian and defense agencies that reside within the federal government.

Before this legislation was enacted, many of these agencies were implementing their own sets of controls in order to ensure that the CUI datasets would not fall into the hands of the public, or even to a malicious third party.

As a result, this led to massive confusion as to how these datasets could be shared with the other agencies in the federal government. This legislation was thus viewed as being too restrictive and very inefficient. In order to resolve these issues and to provide a sense of uniformity, the NIST (which stands for the National Institute of Standards and Technology) Special Publication 800-171 requirement was established primarily for the Department of Defense (DoD) in an effort to protect CUI with a common set of security controls. The details of this can be seen here at this link.

This publication by NIST eventually became known as the “Defense Federal Acquisition Regulation Supplement” or “DFARS.” The primary objective of the DFARS is as follows:

“The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.” (Source)

Put in simpler terms, compliance to DFARS is mandatory for any outside organization that conducts business with the DoD and generates a significant amount of revenue from the contracts and/or projects that they are awarded. Also, any CUI that they receive from the DoD must have specialized mechanisms in place so that any potential of accidental leakage is mitigated.

Who Must Be DFARS-Compliant?

Any business and corporation that does work for the DoD must be DFARS-compliant. Although this is a very broad category, it is typically the major defense contractors that do a bulk of the work DoD, and therefore, this can be considered the primary group that must come into compliance. Examples of the major defense contractors include the following:

• Lockheed Martin
• Boeing
• Northrop Grumman
• Raytheon
• General Dynamics
• United Technologies
• Science Applications International Corporation
• TRW
• L-3 Communications Holdings
• Honeywell, Inc.
• Hughes
• Rockwell
• Textron

The following defense contractor associations must also be DFARS-compliant:

• Aerospace Industries
• Electronic Industries Alliance
• National Defense Industrial Association

Of course, the DoD is obviously very selective when it comes picking defense contractors abroad, and at the present time, only the following are considered to be “DFARS countries.” In other words, only defense contractors from these countries can bid on projects and contracts from the DoD:

• Australia
• Austria
• Belgium
• Canada
• Czech Republic
• Denmark
• Estonia
• Egypt
• Germany
• Finland
• France
• Greece
• Israel
• Italy
• Japan
• Latvia
• Luxembourg
• Netherlands
• Norway
• Portugal
• Slovenia
• Spain
• Sweden
• Switzerland
• Turkey
• United Kingdom
• Northern Ireland

DFARS compliance is an absolute requirement under the following conditions:

• If you are a subcontractor of one of the major defense contracts listed (this even includes subcontractors that are working with a non-major defense contractor)
• If your contract/project with the DoD involves the use of CUI, or Unclassified Controlled Technical Information (UCTI)
• If the bid you are proposing contains language found in DFARS Provision 252.204-7008
• If you are awarded a contract and it contains language found in DFARS Clause 252.204-7012

The DFARS Requirements and Regulations

The DFARS Requirements and Regulations are detailed as follows:

1) Access Control: This stipulates on limiting logical access to authorized users (in other words, just giving them enough credentials to conduct their daily job tasks).

2) Awareness and Training: This states that adequate security training must be provided to all employees (which include managers, IT administrators, C-Level executives and so on) so that they are aware of the cyberthreat landscape.

3) Audit and Accountability: This ensures that the appropriate controls are in place in order to prevent, mitigate and investigate any malicious activity that is involved with the CUI.  

4) Configuration Management: An appropriate tool(s) must be implemented so that any “baseline configurations” of IT systems (which include both hardware and software) can be documented as they are used throughout their entire life cycle.

5) Identification and Authentication: This regulation mandates that any user who is trying to access any IT system (or even the CUI) must be positively authenticated.

6) Incident Response: A plan must be created, implemented, and practiced at regular time intervals so that any cyberattacks to an IT infrastructure can be quickly mitigated and processes restored as quickly as possible.

7) Maintenance: This regulation mandates that all IT systems must be properly maintained and running in optimal condition, and that the IT Staff has the tools they need to conduct these tasks.

8) Media Protection: This primarily involves the usage of portable devices, such as those of USB flash drives. It is required that they are adequately protected.

9) Personnel Security: This regulation mandates that before an employee is hired, they must pass an extensive background check. This will happen before they are allowed access to any IT system that contains the CUI.

10) Physical Protection: This involves the protection of the actual physical premises (as it relates to any IT assets) both from the outside and inside, and any critical infrastructure (such as the data center).

11) Risk Assessment: This regulation stipulates that all IT systems must be audited on a regular basis in order to examine their vulnerabilities to cyberthreats as the system relates to the CUI (as that would be a prime target).

12) Security Assessment: This involves conducting a regular audit on all IT controls that are designed to safeguard the CUI. Through this, it must be determined if these controls are still effective.

13) System and Communications Protection: This regulation ensures that all lines of communication, both internal and external to the business entity, are secure with adequate layers of protection.

14) System and Information Integrity: This involves making sure that the IT Staff is fully alert of and cognizant of any alerts and notifications that they receive, especially from those Security tools that are deployed at the perimeter.

Conclusion: How to Prove and Maintain Your DFARS Compliance

The question often asked is once your organization has achieved DFARS compliance, how do you maintain it? There are three ways that this can be accomplished:

1) The establishment of a governance program: This involves conducting a thorough gap analysis of your existing IT Infrastructure and identifying/correcting any hidden weaknesses that have been discovered. This should be an ongoing process, which must also include all of the DFARS Regulations and Requirements detailed in the last section.

2) The implementation of a data classification strategy: Once you get access to the CUI that the DoD shares with you, it would be a great advantage to your organization to deploy some sort of classification scheme for it, as it relates to the unique project requirements that you have been awarded. Also, you need to prove that the proper security controls have also been implemented to safeguard the CUI.

3) Cloud Usage: The DoD does not exactly state where the CUI should be stored once it is shared with you, so you even have the option of storing it in the cloud. But if you do this, you must show and prove to the DoD that you have a well-crafted security plan here as well.

Sources

What is CUI?, National Archives

What is DFARS and NIST SP 800-171?, Cybersaint

Executive Order 13556 -- Controlled Unclassified Information, obamawhitehouse.archives.gov

Subpart 204.73, acq.osd.mil

United States Weapons Manufacturers, Federation of American Scientists

Roadmap to DFARS Compliance, Aronson LLC

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST