The US government handles vast volumes of sensitive data, including citizens’ personal information, intellectual property, and state secrets. And that makes various government agencies and departments prime targets for internal and external hackers looking to steal valuable information or perpetrate cyber espionage acts.
The federal government does not take cyber threats lightly. It spends billions of dollars on cybersecurity every year and maintains regulations and contract mandates for safeguarding the information it handles. The Defense Federal Acquisition Regulation Supplement (DFARS) is one such regulation. Although it is written for defense procurement, its cybersecurity clauses bind the private companies that hold DoD contracts, not just government bodies.
What is DFARS?
DFARS is the DoD's supplement to the Federal Acquisition Regulation (FAR). Its cybersecurity clauses require contractors working with the Department of Defense, and the subcontractors in the DoD supply chain, to meet particular security requirements. These clauses cover the processing, storage, and transmission of sensitive unclassified government data on contractor systems and point to NIST SP 800-171 as the security baseline that must be implemented.
What is the scope of DFARS?
The DoD established the DFARS cybersecurity requirements to protect sensitive government data that is stored, processed, or transmitted on non-government, third-party systems. Three closely related data categories appear in the clauses:
- Controlled Unclassified Information (CUI) – Information the government creates or possesses that requires safeguarding or dissemination controls under law, regulation, or government-wide policy, as established by Executive Order 13556 (Controlled Unclassified Information). CUI is unclassified by definition; classified national security information falls under a different order, Executive Order 13526.
- Controlled Technical Information (CTI) – Technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. CTI is one category of CUI, not a superset of the other two categories.
- Covered Defense Information (CDI) – The term DFARS 252.204-7012 uses for unclassified CTI or other information described in the CUI Registry that requires safeguarding and that is either provided to the contractor by the DoD in connection with the contract or collected, developed, or stored by the contractor in performing it. In practice, CDI is the subset of CUI that the DFARS safeguarding and incident-reporting obligations attach to.
Important DFARS clauses
DFARS compliance touches on three main areas of data protection. First, it calls for periodic security assessment of all systems handling sensitive information; under DFARS 252.204-7019 and 252.204-7020, a contractor must have a current NIST SP 800-171 DoD Assessment, no more than three years old, recorded in the Supplier Performance Risk System (SPRS) before award. Second, contractors need robust identification and authentication, including the multi-factor authentication that NIST SP 800-171 requires for privileged accounts and for network access to non-privileged accounts. Lastly, every DoD contractor should have an incident response capability that covers detecting, containing, eradicating, and reporting cyber incidents; 252.204-7012 requires reporting to the DoD within 72 hours of discovery. To build on that, here are three essential DFARS clauses you should know:
- DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting): Requires contractors and subcontractors handling CDI to implement the security requirements of NIST SP 800-171 as the minimum cybersecurity standard. It also sets the rules for reporting cyber incidents to the DoD, preserving affected system images and logs for at least 90 days, and flowing the clause down to subcontractors.
- DFARS 252.239-7010 (Cloud Computing Services): Sets the security requirements, including compliance with the DoD Cloud Computing Security Requirements Guide (SRG), for cloud services that store or process DoD information. Relatedly, when a contractor uses an external cloud provider for CDI under 252.204-7012, that provider must meet security requirements equivalent to the FedRAMP Moderate baseline.
- The related 252.204 safeguarding provisions (for example DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls): Under 7008 the offeror represents, by submitting its offer, that it will implement the NIST SP 800-171 requirements, or propose alternative but equally effective measures, on the systems that will handle CDI. Together with 252.204-7012, these provisions restrict how contractors may use and disclose CDI, require primes to pass the same obligations down to their subcontractors, and, through the awareness-and-training requirements of NIST SP 800-171, require contractors to make sure their own employees understand those responsibilities.
Who should comply with DFARS, and why is it important?
Any business, organization, or company that works for the DoD as a contractor or subcontractor must comply with the DFARS cybersecurity clauses included in its contracts. DFARS 252.204-7012 is included in nearly all DoD solicitations and contracts, with acquisitions solely of commercially available off-the-shelf (COTS) items the main exception, and the SPRS assessment score required by 252.204-7019 is checked before award. In other words, if you do business with the DoD or a DoD contractor and handle CDI, you must be DFARS-compliant. As the prime contractor, you must also ensure the subcontractors under your banner that receive CDI are fully compliant, because the clause flows down to them.
The largest DoD prime contractors are well-known international brands, but most of the defense supply chain consists of small businesses that subcontract for them, and the DoD holds those small businesses to the same safeguarding requirements. Because self-attestation alone did not give the DoD confidence that NIST SP 800-171 was actually being implemented across that supply chain, it developed the Cybersecurity Maturity Model Certification (CMMC). CMMC builds upon DFARS 252.204-7012 and, through clause 252.204-7021, adds a multi-level verification component, with third-party assessment at the higher levels, to what was previously a self-reported compliance regime.
The DoD and the government at large take security compliance very seriously. Non-compliance with DFARS can result in termination of the contract and loss of eligibility for future awards, and a contractor that misrepresents its compliance status can face liability under the False Claims Act in addition to other financial and legal penalties.
The bottom line: if you work directly with the DoD or with any of its contractors, you should build your cybersecurity program around DFARS compliance and the NIST SP 800-171 controls it requires. If you are unsure which regulations apply to you or need help with compliance in general, IND has a team of compliance experts here to guide you. Get in touch with us to learn more.