Businesses that work with the US Department of Defense (DoD) and collect, process, transmit, or store controlled unclassified information (CUI) must comply with Defense Federal Acquisition Regulation Supplement (DFARS) standards.
The DoD has responded to the growing threat of cyber incidents, including cyberattacks from cybercriminals and nation-states, by prioritizing cybersecurity best practices and insisting they are implemented throughout the DoD supply chain.
The cybersecurity clause at the heart of these rules, DFARS 252.204-7012, was first issued as an interim rule in 2015, revised in December 2015, and finalized in 2016, with contractors required to have implemented NIST SP 800-171 by 31 December 2017. Together with its companion clauses, it sets the minimum cybersecurity requirements for companies that wish to do business with the DoD.
The regulation should be viewed in conjunction with the Federal Acquisition Regulation (FAR), which is the primary set of rules regarding government contracts. DFARS is specific to Defense contracts and aims to safeguard sensitive information from unauthorized personnel by having the supply chain acknowledge cybersecurity threats and remediate vulnerabilities.
Who Must Comply?
DFARS applies to any business that wishes to be awarded a DoD contract and handles CUI or covered defense information (CDI). This includes private defense contractors and any other nonfederal organization that stores, processes, or transmits such information on the government's behalf. External suppliers and contractors are subject to DFARS.
Compliance is required for businesses that work with the DoD, both directly and indirectly. DFARS outlines baseline requirements that all potential DoD contractors must adhere to during procurement, and clause 252.204-7012 must be flowed down to subcontractors whose work involves CDI. Service providers and subcontractors must therefore be DFARS-compliant if CUI is stored in or moves through their information systems.
DFARS 225.872-1 lists the "qualifying countries" with which the US has reciprocal defense procurement agreements, so that their end products are generally exempt from the Buy American statute. At the time of writing, these are as follows:
- Australia
- Austria (although procurements may be exempted from the Buy American Act)
- Belgium
- Canada
- Czech Republic
- Denmark
- Egypt
- Estonia
- Finland
- France
- Germany
- Greece
- Israel
- Italy
- Japan
- Luxembourg
- Netherlands
- Norway
- Portugal
- Slovenia
- Spain
- Sweden
- Switzerland
- Turkey
- United Kingdom of Great Britain and Northern Ireland
The Risks of Non-Compliance
DoD contractors that fail to prove full compliance with DFARS will not have their defense contracts renewed. Furthermore, they risk:
- The loss of current defense contracts
- Fines
- Inability to get future contracts with the DoD
If the DoD cannot trust the security of its partners, it must suspend or stop working with them entirely. Because DFARS is a legal and contractual obligation, the government may seek damages from non-compliant firms for breach of contract.
Overview of DFARS Compliance Requirements
DFARS clause 252.204-7021 introduces the Cybersecurity Maturity Model Certification (CMMC) so businesses can demonstrate, at a defined maturity level, that their security measures are sufficient to handle CUI and CDI.
CUI, or controlled unclassified information, is a somewhat broad term. It means any data that the government has generated or possesses — or that a third party has generated or possesses on the government’s behalf — and which needs to be protected.
While the data has not been marked as classified — i.e., it is not subject to Executive Order 13526 or a preceding or successive order to protect it against unauthorized disclosure — it must nonetheless be protected by agencies that can process, store, and transmit it.
There are two subsets of CUI: CUI Basic and CUI Specified. The latter subset requires more security measures and controls than the former. The full definitions are available in this CUI glossary.
While FAR is the regulation for federal acquisition in general, DFARS is the supplement that adds the requirements specific to contractors working with, or wishing to work with, the DoD.
Regulations Applying to Defense Contractors
Full DFARS / NIST SP 800-171 Implementation
DFARS 252.204-7012 requires contractors to implement the cybersecurity standards specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which comprises 110 security requirements grouped into 14 families.
At first, the minimum requirements for DFARS compliance may sound straightforward. However, meeting NIST SP 800-171 standards is not necessarily easy for a firm unused to such security controls.
As permitted by the DoD, which understands the challenges surrounding this regulation, many DoD contractors use external cybersecurity professionals to get their systems up to the required level of security.
Continuous DFARS Compliance Monitoring
To comply with DFARS, the organization must maintain its standards. Achieving DFARS compliance, therefore, is not a one-time event. DoD contractors need to appreciate that DFARS compliance is an ongoing requirement.
Any change in operations requires reevaluating the business’s cybersecurity and information systems. Operational changes notwithstanding, regular cybersecurity compliance assessments are required to ensure the security of government interests.
Monitoring and maintaining compliance can require significant resources, including money and manpower. This is why defense contractors also lean on external cybersecurity professionals to ensure they maintain high standards suitable for the DoD, not only on the day of the assessment but all year round.
Incident Reporting
DoD contractors must report cyber incidents rapidly. Under DFARS 252.204-7012, this means reporting to the DoD within 72 hours of discovering a cyber incident affecting a covered contractor information system or the CDI on it.
Cyber incidents are reported through the DIBNET portal, which requires a DoD-approved medium assurance certificate. The DoD Cyber Crime Center (DC3) can also be reached by emailing DC3.DCISE@us.af.mil or calling (410) 981-0104 or (877) 838-2174.
Furthermore, organizations must cooperate with the DoD when responding to cyber incidents. The clause requires contractors to submit any malicious software discovered to DC3 and to preserve images of affected systems and relevant monitoring data for at least 90 days after reporting, and it may require allowing DoD personnel access to the affected network and devices for damage assessment.
Readiness Assessment
There is no single "DFARS certification." Compliance with DFARS 252.204-7012 is self-attested, and clauses 252.204-7019 and 252.204-7020 require at least a Basic (self) assessment scored against the NIST SP 800-171 DoD Assessment Methodology and posted to the Supplier Performance Risk System (SPRS) before award. Third-party assessment enters with CMMC: Level 2 certification, which most contracts involving CUI will require, is performed by a CMMC Third-Party Assessment Organization (C3PAO), while Medium and High DoD assessments are conducted by the government. A readiness assessment against these requirements before the formal assessment is therefore strongly advisable.
NIST SP 800-171 itself requires periodic assessment of the controls (the Security Assessment family) and requires the organization to document its implementation in a System Security Plan (SSP) and to track unimplemented requirements in a Plan of Action and Milestones (POA&M). Organizations working with the DoD must be able to show, through these documents and supporting evidence, that they have addressed every requirement in NIST SP 800-171.
The requirements are divided into 14 families, listed here in the order the publication uses:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Tips and Best Practices to Ensure DFARS Compliance
Implementing all of NIST 800-171’s security controls can be challenging for many businesses wishing to work or continue working with the DoD.
Developing the majority of these controls from scratch can be time-consuming and financially challenging but necessary for information security. Doing so benefits businesses, regardless of whether or not they have a government contract.
Another difficult aspect of DFARS compliance is the requirement for continuous monitoring to ensure continued compliance with all 14 categories of security controls. For this and other aspects of achieving compliance, asking cybersecurity professionals that provide DFARS consulting is an excellent idea.
Achieving DFARS compliance requires time. Implementing the following systems, strategies, and best practices as soon as possible will help a business upgrade its cybersecurity in readiness for a DoD contract.
Each security measure will be relevant to DFARS compliance, and there will be many that businesses can implement or begin to implement to make immediate security posture improvements.
Identify Whether DFARS Applies to the Organization
Before committing resources to the implementation of security controls, it’s wise to focus first on identifying CUI, the extent of that CUI, and how the business handles it. Reviewing contracts and identifying CUI is a good first step. The defense industrial base can also contact its contracting officers for clarification.
Risk Assessment
Before developing security controls, a business needs to know its security posture. When business leaders understand their security posture and any gaps, they can continue the information risk management process, identifying which controls to prioritize to maximize data security and thwart potential data breaches.
A thorough examination of business infrastructure should reveal the parts relevant to NIST 800-171. It’s necessary to consider systems, policies, procedures, hardware, and software.
This examination will reveal the gaps in a security posture. Identify these before focusing on remedial solutions. Consider how much work needs to be done and their priorities.
Third-Party Risk Management
Applicable businesses need to assess their subcontractors and business partners as they will also need to follow DFARS regulations to protect controlled unclassified information by enhancing security throughout the supply chain. This part of the DFARS compliance process can take months.
Because the sooner compliance is achieved, the sooner the business can have its contract awarded or renewed, an external cybersecurity team that manages third-party risk and verifies subcontractors against the minimum cybersecurity standards can ease some of this burden.
Continuous Compliance Monitoring
Once a firm has achieved compliance, maintaining those standards can be challenging. Just monitoring multiple security controls can be tough on resources.
Professional compliance monitoring can make this process much easier by organizing and managing it, so that a business is not surprised by penalties or the loss of a government contract, or by a finding that makes it ineligible for future awards.
Compliance monitoring services are also advantageous because they help produce the evidence the DoD expects: an up-to-date System Security Plan, a maintained Plan of Action and Milestones, and assessment records that support the score reported in SPRS.
Anyone that has worked with the DoD or federal agencies will know that regulations and security requirements are constantly changing. With much at stake for falling short of DFARS, businesses must be proactive and prepared to adapt to meet evolving regulations and standards.
Awareness Training
DFARS compliance will require vigilance. This regulation will likely evolve as cyber threats and the DoD’s understanding of them evolves. Awareness training is a key practice to implement to create a business that can adapt to changing regulatory demands and be resilient in the face of emerging cyber threats.
While innocent staff members are not to blame for the existence of hackers and cybercriminals, it must be acknowledged that human error plays a massive part in the world’s data breaches.
Social engineering is one of the most prevalent forms of cybercrime, encompassing business email compromise, spoofing, and phishing, which is a common initial access vector for ransomware.
Cybercriminals use various tactics to manipulate or intimidate people into sharing access credentials or personally identifiable information with which they can then imitate the victim to spread malware, including ransomware, or create more targeted, convincing, and effective phishing attempts, including spear phishing and whaling.
According to the World Economic Forum’s Global Risks Report 2022, 95% of cybersecurity incidents are linked to human error. Human error might mean negligence, lack of attention due to tiredness or stress, or a total unawareness of cyber risks.
Awareness training from onboarding throughout the employee lifecycle is essential to raise cybersecurity consciousness company-wide and reduce the risks of a data breach and of missing out on a DoD contract.
Incident Response Plan
An incident response plan is critical for businesses aiming for DFARS compliance. Prompt reporting is a clear DFARS requirement, facilitated by preparing and maintaining an incident response plan.
This written document should detail the names, contact details, and roles of all the incident response team members. Furthermore, it needs to outline the steps to be taken during cyber incidents.
In order of priority, a plan should exist for each risk according to likelihood and impact. Each should be written clearly enough to be followed by anyone in the organization, not only those with cybersecurity knowledge and technical expertise.
Firms with incident response plans spend less money on remediation following a data breach. They can also respond more quickly, limiting damage and preventing further unauthorized access to sensitive data.
Prompt reporting keeps businesses in line with DFARS and allows them to get the assistance needed to end a security breach more quickly. With defined roles, responsibilities, and routines for contacting law enforcement, businesses can demonstrate a professional response to a cyber incident. This can go some way to limiting reputational damage.
Information Security Policies
Meeting cybersecurity regulations necessitates documented information security policies. Even if a business already has effective information security procedures and systems, these must be documented so employees can follow them and regulators, assessors, and business partners have physical evidence to show decision-makers.
Multi-Factor Authentication (MFA)
Requiring two or more different authentication factors (something the user knows, has, or is) before granting access to a system increases security significantly. If an attacker manages to guess, crack, or phish a password, they cannot access the account or network without also satisfying the second factor.
While MFA is not foolproof, organizations can implement it relatively quickly and dramatically improve security. It is also an explicit NIST SP 800-171 requirement (3.5.3): MFA for local and network access to privileged accounts, and for network access to non-privileged accounts.
Encryption
Encrypted data cannot be read without the associated decryption key. If attackers intercept or otherwise steal properly encrypted data, it is unreadable to them so long as the key is protected.
Encryption is therefore necessary for all sensitive and confidential information, both at rest (NIST SP 800-171 3.13.16) and in transit (3.13.8). Where cryptography is used to protect the confidentiality of CUI, NIST SP 800-171 requires FIPS-validated cryptographic modules (3.13.11), so the choice of library and configuration matters, not just the fact that encryption is on.
Physical Security
Businesses often neglect physical security measures in favor of less visible but more renowned technological controls. Physical safeguards, however, can often be implemented relatively quickly and make a massive difference to a firm’s security posture.
Physical security includes access control and monitoring, and surveillance. An example of physical access control might be using ID cards or biometric scans to restrict access to a building or parts of that workspace. This way, access can also be monitored so that security staff always know who is in secure areas and has access to critical hardware and data.
Surveillance systems include CCTV, burglar alarms and detectors, and security guards. Security lighting and recording license plates also increase security, deterring crime and creating a record of people’s movements. Businesses wishing to win or renew a defense contract should be prepared to address these missing elements.
Controls in and around a building can reduce the risk of data theft, data leaks, and insider threats. Businesses must consider the safety and security of their physical locations and how they can mitigate cyber risks such as power outages or other geographically specific incidents.
Physical safeguards extend to the disposal of hardware, too. Simply deleting files from a hard drive and discarding it is not enough; media containing CUI must be sanitized or destroyed (NIST SP 800-171 3.8.3) so that the data cannot be recovered. Backup systems must be maintained and tested so that they will work during a cyber incident, and they must be protected from the same attack that affects production systems.