We've seen the Department of Defense DFARS regulation (DFARS 252.204 7012) in action, and we now know that DFARS Compliance has no limit on who it can affect. From R&D to Biotech to Manufacturing, it's clear that even if you haven't already heard from your DoD-related customers, you need to get ahead of the NIST 800-171 requirements sooner rather than later in order to keep up those contracts and report cyber incidents effectively.
Can you identify existing or future customers of yours within the Department of Defense, or that generate DoD-related revenue? If you do, it's paramount that you go through a DFARS assessment, and comply to NIST Special Publication 800-171 "Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations". Here's a blog post with a quick overview of what you need to know if you have or plan to have a customer base associated with the DoD requiring you to adhere to DFARS 252.204 7012.
So, What is DFARS Compliance?
NIST SP 800-171: The DFARS document defines adequate security as “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” The compliance documents, a Plan of Action and Mitigations (POAM) and System Security Plan (SSP) are required to ensure you're conformant.
The DoD stated that information systems that process, store, or transmit CDI must implement security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”
The cybersecurity controls that make up NIST 800-171 were derived from the NIST SP 800-53 moderate security control baseline. These controls cover how to handle defense information and cyber security best practices associated with controlled unclassified information (CUI) and safeguarding covered defense information across your business as well as your supply chain.
Who Must Ensure DFARS Cyber Compliance?
This mandate outlines that compliance with NIST 800-171 is a requirement if you generate revenue that's DoD-related, whether you're in R&D, Chemicals, Defense, Aerospace, Manufacturing, Biotech, or other. If you cater to those in the DoD Supply Chain, you fall under the Defense Federal Acquisition Regulation Supplement. We've encountered organizations in all sectors who have to comply to DFARS, and can say from experience either using CyberStrong to get these organizations conformant or by watching organizations do it manually, that it can either be a heavy lift or you can have a clear plan of action - depending on which method you choose. CyberStrong also automates your DFARS compliance documents in real-time as you quickly walk through your DFARS assessment.
Important Action Item: Cyber Incident Reporting
The DFARS 7012 regulation defines cyber incidents as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If your organization experiences a cyber incident that touches Controlled Unclassified Information or Covered Defense Information (CUI or CDI), then you must:
- Perform an analysis on the incident and detail the evidence.
- Determine if specific CUI or CDI was compromised.
- Report out --within 72 hours-- the cyber incident. Use a medium-assurance certificate.
- Preserve and protect images and other evidence that you may gather.
You must have an incident management plan and the proper procedures ready to go if anything happens - make sure to do thorough testing as well.
Some Key DFARS 252.204-7012 Requirements in Detail...
DFARS 3.3.5 and DFARS 3.3.6: Audit and Accountability
Make sure that for every security system and process, you can have a detailed audit trail of who worked on that control, when and in what environment. DFARS requirements 3.3.5 and 3.3.6 tell you how to build the audit report and give details on what to do to ensure you're gathering the correct data.
Reports will likely go out and you'll have to speak to them, issues may be identified and you'll have to understand how to move forward. Therefore, be familiar with the information in the audit records as they are reviewed and analyzed during the audit process itself of the covered contractor information systems. Understand the actual auditing capabilities of your systems, configure, and identify and develop your baseline, all prior to technical implementation that is required in DFARS clause 252.204-7012.
DFARS 3.5.3: Identification and Authentication
If you don't have multi-factor authentication enabled already, it's pressing that you do so either via multi-factor authentication or two-factor authentication (MFA or 2FA) for all local and network access. You need to invest a little time to research, and, a small amount of capital (there are many inexpensive options) to implement two or multi-factor authentication. For any system that transmits, processes, and stores CUI or CDI, you must have MFA/2FA enabled to be consistent with law regulations.
The key to this requirement is making sure that the solution doesn't frustrate your employees or make it more difficult for you to get your jobs done. Quick and easy 2FA solutions include Google Authenticator, among others.
DFARS 3.6.1: Incident Response
The requirement ensures that you can prepare, identify, contain, eradicate, recover and learn from a cyber incident. Incident handling isn't just something that is put away with other procedures -- you need to use your team's technical skills and your operational know-how to get the incident response controls in place. Incident response planning involves upper management and those doing the forensics on the exposed information and cyber incident itself, and everyone in between.
You need to make sure that you're always updating and practicing your incident response plan, especially as you adopt new technologies and as the make-up of your team changes -- you're putting a lot at risk if you let things change in your organization, but don't have a plan on how to respond to a cyber incident in new settings.
DFARS 3.12.1 and DFARS 3.12.3: Security Assessment
These requirements ask that you assess the environments containing CUI or CDI periodically. If you can, implement a continuous compliance platform or integrated risk management methodology into your existing cybersecurity program. Include everyone who works in your organization -- Both upper-level management and employees at every level who take part in processes or environments that store, transmit, or process CUI or CDI should be aware of the assessment process and know their part. The NIST SP 800-171 controls don't definitively say how much assessing needs to be done in terms of frequency, but it's known that in higher risk areas you should be assessing your applications, systems, or other environments more frequently.
Automate the Assessment Process and Be Ready for Audit, Review, and Reporting.
If you aren't compliant with DFARS 225.204-7012, you're are at risk of losing business with the DoD and those within the DoD supply chain.
The compliance process can be a heavy lift, but you can use a continuous compliance platform to automate a lot of the manual work for you, and assess yourself quickly and continuously for review. CyberStrong also gives you the lowest cost vs. highest impact plan of action to achieve DFARS compliance, and automates the System Security Plan (SSP) and Plan of Action and Mitigations (POAM) in real-time for export... have these DFARS compliance documents ready for upper management, governance or compliance officers or customer review.