DFARS certification is a fairly long and complex process, and now mandatory if you do business with the DoD or most defense contractors. GDF has helped OEM, Tier 1 and Tier 2 suppliers complete the necessary steps towards full DFARS compliance.
We’ve prepared this webpage to make the roadmap to DFARS compliance as clear as possible. Please contact us at 1 (800) 868-8189 if you have any questions.
DFARS Certification at a Glance
What is DFARS
DFARS (Defense Federal Acquisition Regulation Supplement) is a set of cybersecurity regulations that govern acquisitions and contracting procedures when dealing with the United States Department of Defense (DoD). Specifically, the security requirements DFARS imposes are laid out in a National Institute of Standards and Technology document known as NIST Special Publication 800-171, or more simply, NIST 800-171.
Who needs to comply
If your company is a defense contractor doing work for the DoD, or if you’re a subcontractor to a business doing defense work for the DoD, you must be in DFARS compliance. Please note that even if you’re only selling equipment or parts to third-party DFARS-compliant businesses, there is a good chance that your company must also be DFARS compliant.
Getting DFARS compliant
Currently, to be certified DFARS compliant, a business must pass a readiness “self-assessment” that proves compliance with NIST 800-171. Typically, it takes an organization anywhere from 6-10 months to complete the process, which requires submission of documentation to the DoD as well as the possibility of a DoD audit. On the horizon, however, is a new, tiered certification system that will function similarly to ISO certification procedures, involving third-party auditing and the like.
The Origins of DFARS
When working with the DoD, there is data involved that isn’t classified as top secret but is still deemed important enough that it needs to be kept from public view. This data is called Controlled Unclassified Information (CUI). Initially, there were no clear-cut regulations regarding the handling of CUI; organizations did whatever they thought prudent for security. Consequently, transmission of data between contractors and subcontractors was a haphazard mess. The DoD finally addressed the situation, and in 2010 legislation was passed defining a set of best practices and standards for the safekeeping of CUI.
These best practices and standards are contained in NIST (National Institute of Standards and Technology) Special Publication 800-171. This publication eventually became known as the Defense Federal Acquisition Regulation Supplement or DFARS.
DFARS Compliance Checklist
DFARS compliance is granted to companies that prove they meet NIST 800-171 via an extensive self-study. When the self-study is completed, the document is submitted to the DoD. The DoD may also perform an audit at random. There are 14 requirements that must be met and properly documented:
- Regulate Access Control: Access must be limited to authorized users. This simply means that you are giving your employees just enough access to CUI to conduct their daily job tasks, nothing more and nothing less.
- Ensure Awareness and Training: Adequate security training to all employees must be provided on a regular basis, by following a regimented time schedule, such as monthly, quarterly, or semi-annually. Obviously, the more training you can provide, the better. The training must include everybody, from C-Level Executives down to administrative assistants.
- Ensure Audit and Accountability Controls: Have appropriate controls in place in order to prevent, investigate and mitigate any malicious activity. This would include monitoring Firewalls, Network Intrusion Devices, Routers, and other security devices you have deployed to fortify your cyber defense, as well as responding to warnings or alerts from such systems.
- Maintain a Configuration Management System: All “baseline configurations” of IT systems must be documented. For example, when you deploy any new security tools, the IT security staff must document the initial configurations. Over time, this is expected to change, and any new configuration updates must be included in this documentation as well throughout the lifecycle of the security tools.
- Implement Adequate Identification and Authentication Systems: Any user trying to gain logical access must be positively authenticated. In other words, you must make sure that an employee requesting access is who they claim to be. This is done by deploying Multi-factor Authentication (MFA) systems that combine factors such as passwords, challenge-response questions, RSA tokens, biometric technology, etc.
- Enforce an Incident Response Plan: Your company must implement a plan detailing how potential incidents will be documented and mitigated, and practice this plan at regular time intervals. The timing of this can be either quarterly or semi-annually at the minimum.
- Establish a Regular Maintenance Schedule: All IT systems must be properly maintained and operating in optimal condition. Checks should be done daily, using software automation packages and IT staff monitoring that keeps track of the health of your entire IT infrastructure in real time.
- Protection of Media Devices: Any media device issued to or used by your employees must be adequately protected. For example, if you issue portable storage devices to your employees, the devices must be encrypted so that any CUI they hold is rendered useless (in an undecipherable format) if a device is lost or stolen, or somehow falls into the hands of a malicious third party.
- Conduct Extensive Background Checks: Potential new employees must pass an extensive background check. The level of background check should include at minimum a deep investigation into any previous criminal activity. Drug screenings should also be included in the background check.
- Enforce Adequate Physical Access Protection: Ensure that only authorized personnel and registered visitors are allowed onto the actual physical premises of the business. This includes securing all entrances to facilities, implementing a visitor registration system, etc. Like controlling logical access, this involves positively confirming the identity of the individual in question, whether through smart cards, Biometric Technology, etc.
- Maintain a Regular Risk Assessment Schedule: A schedule must be in place so that IT systems can be audited on a regular basis. The primary goal here is to scan for any vulnerabilities, gaps, or weaknesses that may reside in any information system, and if detected, action is taken to rectify the issues.
- Implement a Security Assessment Schedule: You must conduct regular audits on all IT controls that are in place to safeguard the CUI. The timeframe should be on a monthly, or at minimum, on a quarterly basis.
- Enforce a Communications Protection System: All lines of communication, both internal and external to the business, must be secure. For example, if you employ remote workers or third-party contractors, they should be issued equipment that already has safeguards in place in order to ensure that any information and data that is transmitted is encrypted. Also, there should be controls in place on this equipment that can confirm the integrity of any transmitted message after it has been sent to the receiver, and vice versa.
- Establish a System and Information Integrity Check: You must ensure that the IT staff is monitoring and responding to any alerts and notifications. In other words, any warning messages transmitted by security tools should be addressed proactively, and any alerts deemed critical in nature must be attended to immediately, along with any remedial efforts required to resolve the situation.
Maintaining your DFARS Certification
Once your organization has achieved DFARS compliance, steps must be taken such that compliance is maintained. This is accomplished by:
- The Establishment of a Governance Program: This involves conducting a thorough gap analysis of your existing IT Infrastructure and identifying/correcting any hidden weaknesses that have been discovered.
- The Implementation of a Data Classification Strategy: Once you get access to CUI that the DoD shares with you, your organization must develop a classification scheme for it.
- Cloud Usage: If you store the datasets in the Cloud, you must prove to the DoD that you have a well-crafted, implemented security plan.
DFARS Incident Response Procedures
If your organization is impacted by a cyberattack, it must be mitigated by following procedures set forth by DFARS 3.6.1: Incident Response.
Under DFARS, a cybersecurity incident must be reported to the DoD within 72 hours of discovery. If it is determined that malicious software was present on the contractor’s system(s), it must be provided to the DoD Cyber Crime Center, and the affected systems and monitoring data must be preserved and accessible for 90 days for forensic analysis. The contractor/subcontractor must also provide notice to any prime contractors.
The DoD will also likely want to do a “damage assessment” to determine the impact and potential ramifications of the event and the data which was compromised. This process would require the contractor/subcontractor to surrender any and all media and materials which could aid in carrying out that assessment.
The 5 major tenets of Incident Response
- Triage – Determine the level of compromise, set realistic expectations and consult on reporting and regulatory issues.
- Containment – The primary purpose of this phase is to quickly limit the initial damage and prevent any further damage from happening.
- Eradication or Remediation – Deal with the actual removal of malware and/or system damage, and restore and re-secure any and all affected systems, devices, etc.
- Recovery – Bring affected systems back into the production environment carefully, so as to ensure that no further incidents occur.
- Postmortem and Lessons Learned – The purpose of this phase is to complete any documentation that was not done during the incident, as well as any additional documentation that may be beneficial in future incidents.
GDF can assist your company at any stage of the DFARS compliance process, from initial examination of baseline security measures already in place, through development of plans, recommendations of processes, software and equipment, to final penetration testing if so desired.