We've seen the Department of Defense DFARS regulation (DFARS 252.204-7012) in action, and we now know that DFARS compliance has no limit on who it can affect. From R&D to biotech to manufacturing, it's clear that even if you haven't yet heard from your DoD-related customers, you need to get ahead of the NIST 800-171 requirements sooner rather than later, both to keep those contracts and to be able to report cyber incidents effectively.
Can you identify existing or future customers of yours within the Department of Defense, or who generate DoD-related revenue? If you can, it's paramount that you go through a DFARS assessment and comply with NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." Here's a quick overview of what you need to know if you have, or plan to have, a customer base associated with the DoD that requires you to adhere to DFARS 252.204-7012.
What is DFARS Compliance?
NIST SP 800-171: The DFARS clause defines adequate security as "protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information." Two compliance documents, a System Security Plan (SSP) and a Plan of Action and Mitigations (POAM), are required to demonstrate compliance.
The DoD stated that information systems that process, store, or transmit covered defense information (CDI) must implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations."
The cybersecurity controls that make up NIST 800-171 were derived from the NIST SP 800-53 moderate security control baseline. These controls outline the procedures for handling defense information and implementing cybersecurity best practices associated with controlled unclassified information (CUI), as well as safeguarding covered defense information throughout your business and supply chain.
Who Must Ensure DFARS Cyber Compliance?
This mandate requires compliance with NIST 800-171 if you generate DoD-related revenue, regardless of your industry, including R&D, Chemicals, Defense, Aerospace, Manufacturing, Biotech, and other sectors. If you cater to those in the DoD Supply Chain, you fall under the Defense Federal Acquisition Regulation Supplement.
We've encountered organizations in all industries that have to comply with DFARS. From experience, both from using CyberStrong to bring these organizations into conformance and from watching organizations do it manually, we can say that it is either a heavy lift or a clear plan of action, depending on which method you choose. CyberStrong also generates your DFARS compliance documents in real time as you walk through your DFARS assessment.
Important Action Item: Cyber Incident Reporting
The DFARS 7012 regulation defines cyber incidents as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If your organization experiences a cyber incident that touches Controlled Unclassified Information or Covered Defense Information (CUI or CDI), then you must:
- Perform an analysis of the incident and detail the evidence.
- Determine if specific CUI or CDI was compromised.
- Report the cyber incident within 72 hours; a medium-assurance certificate is required to submit the report.
- Preserve and protect images and other evidence that you may gather.
You must have an incident management plan and the proper procedures ready to execute in the event of an incident, and make sure to test them thoroughly as well.
Key DFARS 252.204-7012 Requirements
DFARS 3.3.5 and DFARS 3.3.6: Audit and Accountability
Ensure that for every security system and process you can produce a detailed audit trail of who worked on that control, when, and in what environment. Requirements 3.3.5 and 3.3.6 outline the steps for building the audit report and provide details on how to ensure the correct data is gathered.
Audit reports will be produced and you'll need to act on them: issues will be identified, and you'll have to understand how to move forward. So familiarize yourself with the contents of the audit records as they are reviewed and analyzed during the audit of your covered contractor information systems. Understand the actual auditing capabilities of your systems, configure them as needed, and establish your baseline, all before the technical implementation required by DFARS clause 252.204-7012.
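To make "who, when, in what environment" concrete, here is an added example (not code from the original post or from CyberStrong) of the two things 3.3.5 and 3.3.6 ask for: audit reduction (collapsing raw events into a per-actor summary) and review for suspicious activity (a burst of failed logins, and whether a success followed). The JSON-lines record format, the field names `ts`, `user`, `env`, `action`, `result`, and the sample records are all constructed for this example; a record missing any required field is reported as a defect rather than dropped, because a hole in the trail is itself a finding.

```python
import json
from collections import Counter, defaultdict

# Fields every audit record must carry to answer who / when / where / what / outcome.
# These names are assumptions for this example, not a mandated schema.
REQUIRED_FIELDS = ("ts", "user", "env", "action", "result")

# Constructed sample audit records (JSON lines) for this example; not from any real system.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-01T09:00:12Z", "user": "jdoe", "env": "cui-fileserver", "action": "login", "result": "success"}
{"ts": "2024-03-01T09:01:40Z", "user": "jdoe", "env": "cui-fileserver", "action": "config_change", "result": "success", "target": "audit.retention_days"}
{"ts": "2024-03-01T09:05:03Z", "user": "svc-backup", "env": "cui-fileserver", "action": "login", "result": "failure"}
{"ts": "2024-03-01T09:05:09Z", "user": "svc-backup", "env": "cui-fileserver", "action": "login", "result": "failure"}
{"ts": "2024-03-01T09:05:15Z", "user": "svc-backup", "env": "cui-fileserver", "action": "login", "result": "failure"}
{"ts": "2024-03-01T09:05:21Z", "user": "svc-backup", "env": "cui-fileserver", "action": "login", "result": "failure"}
{"ts": "2024-03-01T09:06:00Z", "user": "svc-backup", "env": "cui-fileserver", "action": "login", "result": "success"}
{"ts": "2024-03-01T10:00:00Z", "user": "", "env": "erp-prod", "action": "config_change", "result": "success"}
not json at all
"""


def parse_audit_log(text):
    """Split JSON-lines audit output into usable records plus a list of (line_no, reason) defects.

    Records with a missing or empty required field are reported, not silently dropped."""
    records, defects = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            defects.append((line_no, "not valid JSON"))
            continue
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            defects.append((line_no, "missing " + ", ".join(missing)))
            continue
        records.append(rec)
    return records, defects


def reduce_by_actor(records):
    """Audit reduction (3.3.6): collapse raw events to counts per (user, env) -> (action, result)."""
    summary = defaultdict(Counter)
    for rec in records:
        summary[(rec["user"], rec["env"])][(rec["action"], rec["result"])] += 1
    return summary


def find_failure_bursts(records, threshold=3):
    """Review for unusual activity (3.3.5): runs of `threshold` or more consecutive login
    failures by one user in one environment. Each alert is
    (user, env, failure_count, followed_by_success)."""
    alerts = []
    streak = defaultdict(int)  # (user, env) -> current run of consecutive failures
    for rec in records:  # records are assumed to be in time order
        if rec["action"] != "login":
            continue
        key = (rec["user"], rec["env"])
        if rec["result"] == "failure":
            streak[key] += 1
        else:
            if streak[key] >= threshold:
                alerts.append((key[0], key[1], streak[key], True))
            streak[key] = 0
    for key, count in streak.items():  # runs still open at end of the log
        if count >= threshold:
            alerts.append((key[0], key[1], count, False))
    return alerts


def build_report(text, threshold=3):
    """Combine parsing, reduction and review into one on-demand report (a dict)."""
    records, defects = parse_audit_log(text)
    return {
        "records": len(records),
        "defects": defects,
        "summary": reduce_by_actor(records),
        "alerts": find_failure_bursts(records, threshold),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_AUDIT_LOG)
    print("usable records:", report["records"])
    for line_no, reason in report["defects"]:
        print(f"defect at line {line_no}: {reason}")
    for (user, env), counts in report["summary"].items():
        print(user, env, dict(counts))
    for user, env, count, success_after in report["alerts"]:
        print(f"ALERT: {user}@{env}: {count} failed logins, followed by success: {success_after}")
```

Running it on the constructed log reports two trail defects (an event with no user, and an unparseable line) and one alert: four failed logins by `svc-backup` on `cui-fileserver` followed by a success, which is exactly the kind of record an auditor will ask you to explain.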
DFARS 3.5.3: Identification and Authentication
If you don't already have multi-factor or two-factor authentication (MFA or 2FA) enabled, you must enable it for all local and network access. This takes a little research time and a small amount of capital (there are many inexpensive options). Any system that transmits, processes, or stores CUI or CDI must have MFA/2FA enabled to be consistent with the regulation.
The key to this requirement is choosing a solution that doesn't frustrate your employees or make it harder to complete day-to-day tasks. Quick and easy 2FA options include Google Authenticator, among others.
DFARS 3.6.1: Incident Response
This requirement ensures that you can prepare for, identify, contain, eradicate, recover from, and learn from cyber incidents. Incident handling isn't a procedure to be written and set aside with the others; you need to apply your team's technical skills and operational expertise to establish incident response controls. Incident response planning involves upper management, the people conducting forensics on the exposed information, and everyone in between.
Make sure you're constantly updating and practicing your incident response plan, especially as you adopt new technologies and as the makeup of your team changes. You put a lot at risk if you let your organization change but have no plan for how to respond to a cyber incident in the new setting.
DFARS 3.12.1 and DFARS 3.12.3: Security Assessment
These controls require you to periodically assess environments containing CUI or CDI. If possible, implement a continuous compliance platform or a cyber risk management methodology within your existing cybersecurity program. Include everyone in your organization, upper-level management as well as employees at every level who participate in processes or environments that store, transmit, or process CUI or CDI; they should be aware of the assessment process and understand their role in it. The NIST SP 800-171 controls don't specify the frequency of assessments, but in higher-risk areas, assessments of applications, systems, or other environments should be conducted more frequently.
Automate the Assessment Process and Be Ready for Audit, Review, and Reporting.
If you aren't compliant with DFARS 252.204-7012, you are at risk of losing business with the DoD and those within the DoD supply chain.
The compliance process can be a heavy lift, but a continuous compliance platform can automate much of the manual work and let you assess yourself quickly and continuously for review. CyberStrong also gives you the lowest-cost, highest-impact plan of action to achieve DFARS compliance, and generates the System Security Plan (SSP) and Plan of Action and Mitigations (POAM) in real time for export, so you have your DFARS compliance documents ready for upper management, governance or compliance officers, or customer review.