Ultimate DFARS Compliance Checklist

What is DFARS?

The regulations listed in the FAR provide a broad picture of requirements needed for working with federal agencies, departments and bureaus.

However, working with the Department of Defense requires an additional layer of security. This is where we need DFARS.

So, what does DFARS stand for?

DFARS stands for Defense Federal Acquisition Regulation Supplement, and it represents a security set of standards set by the DoD.

That said, any business that holds Controlled Unclassified Information (CUI) needs to meet the rules defined by DFARS in order to be qualified for being the DoD contractor or subcontractor.

What is the Goal of DFARS?

Despite its efficiency and accessibility, the Internet represents a goldmine for diverse malicious activities and the development of hacking science. A protected digital environment is vital for performing any federal job since it involves sensitive information, which shouldn’t be exposed to anyone else.

In the past couple of years, the cases of digital espionage and cyberattacks tremendously increased, which is why many countries, including the United States, decided to bring their digital security to the next level.

Accordingly, the law introduces DFARS. Its goal is to set the guidelines every federal contractor and subcontractor should follow to make sure their IT department can provide a high level of security to safeguard the sensitive data.

If contractors fail to perform such action, they will lose their contracts.

What Type of Information is Secured with DFARS?

Another goal of DFARS compliance is to protect sensitive government information as it’s processed, stored and transmitted using non-government systems. You should know that all the information shared out of its secured storage is quite vulnerable.

The three types of information secured with DFAR are:

• Covered Defense Information (CDI): These are the information given to the contractors by the DoD so that they can perform the stipulations of the contract. CDI can also refer to information that’s collected, developed, received, transmitted, or used by a contractor who needed them to perform the terms of the contract.
• Controlled Unclassified Information (CUI): All the information that requires protection consistent with applicable law, regulations, and government-wide policies fall under the category of CUI.
• Controlled Technical Information (CTI): CTI is every information that includes the use, reproduction, modification, release, or disclosure of any military or space application.

What are the Most Common DFARS Cyber Security Clauses?

All the businesses that want to collaborate with federal agencies and departments should be aware of the growth of cybercriminal, whose malicious intentions go beyond the limit.

That said, they all should be familiar with the following DFARS clauses that explain the use, operation, processing and storing of any sensitive data:

• DFARS 252.211-7003 (Item Unique Identification and Valuation): This clause refers to a system aimed at marking and valuing items delivered to DoD.
• DFARS 252.204-7012 (Safeguarding Covered Defense Information & Cyber Incident Reporting): This DFARS cyber security clause limits the way contractors may use CDI. Besides, DFARS 7012 requires that contractors educate their employees and subcontractors about their responsibilities regarding dealing with sensitive information.
• DFARS 252.239-7010 (Cloud Computing Services): Since the terms of cloud computing always change, all the security requirements necessary for managing it must be well known. According to this clause, all the security sets must keep pace with all the changes present in cloud computing settings.

What are the DFARS Regulations and Requirements?

To become DFARS compliant, you need to follow the requirements and regulations provided by the act. Those regulations are:

• Access Control: It refers to limiting access to authorized users. Therefore, not everyone should have unlimited access to sensitive information. Still, contractors will be given enough credentials that will help them perform their daily tasks.
• Awareness and Training: Employees should be well-trained to handle CUI and aware of the potential risks that could occur. Security training must be provided to all the staff, especially to managers, IT administrators, C-level executives and others.
• Audit and accountability: It ensures that all the adequate controls for preventing, mitigating, and investigating malicious activities that are involved with CUI are implemented.
• Configuration Management: All the hardware and software programs that are part of IT systems must be documented as they are used. That should be done by using either one or various tools.
• Identification & Authentication: Any user who’s trying to access the CUI or any other IT system must be positively authenticated.
• Incident Response: According to this regulation, a plan must be created, implemented, and practiced so that any cyberattack that threats to affect an IT infrastructure can be quickly mitigated.
• Maintenance: All the IT systems must be adequately maintained, running in optimal condition. Besides, IT staff should have all the tools they need to complete the task successfully.
• Media Protection: All the portable devices, including USB flash drives, must be entirely protected. Before inserting any mobile device to a computer used for federal purposes, make sure you scan it first.
• Personnel Security: Before they’re hired and allowed to access any IT system, all the employees must pass the extensive background check. If they have no violations or accusations, they will be allowed to enter any IT system that contains the CUI.
• Physical Protection: Any critical infrastructure, such as data centers, as well as any IT assets, must be protected from both outside and inside.
• Risk Assessment: Risk assessment includes regular system audits that will detect potential vulnerabilities that exist inside of it. They will help determine how the system would react in case of a cyberthreat, whose primary goal is accessing CUI.
• Security Assessment: This regulation stipulates that all the IT controls that safeguard the CUI must pass through regular audits that will determine if the security controls still work properly.
• System and Communications Protection: According to this regulation, all the lines of communication, both internal and external to the business entity, must be secured with proper layers of protection.
• System and Information Integrity: The entire IT staff should be fully alert and aware of any notifications they regularly receive, especially when they come from the essential security tools.

All the DoD contractors must meet these DFARS requirements in order to be considered compliant with all the regulations listed there. Also, they must do the following:

• Provide proper security: It’s essential to provide enough protection to safeguard CDI that resides in your internal CUI systems, in order to prevent any unauthorized access and disclosure.
• Report cyber incidents immediately: Cooperation with the DoD requires you to respond to events quickly, which includes reporting them as soon as they occur.

Still, that’s not all.

All the contractors and subcontractors must be ready to comply with the guidelines stated in NIST SP 800-171. NIST guidelines represent a continuous assessment where you’ll need to devote a significant amount of time to ensure your business is compliant with all the security regulations and requirements.

How to Become DFARS Compliant?

The DoD contractors and suppliers have the opportunity to achieve DFARS compliance both by themselves and by hiring and outsourcing Managed Security Service Provider (MSSP).

How to Meet DFAR Requirements In-House?

Any DoD contractors or suppliers who have expertise and resources available can become DFARS compliant at home. Namely, the in-house learners can download the e-book provided by NIST, with the intention to help the U.S. contractors and suppliers that want to work with the DoD.

How Can MSSP Help You Become DFARS Compliant?

In case the contractors don’t have enough expertise to understand the regulations stated by the NIST handbook, they can outsource the task to a third-party consultant who possesses experience and knowledge in providing clients with the services regarding DFARS compliance.

Many qualified MSSPs specialize in DFARS consulting in the U.S., and all of them are able to assess and perform any work that’s necessary for achieving compliance.

By outsourcing the DFARS compliance task to the qualified and experienced provider, DoD contractors and suppliers can save a lot of time and money. Apart from delivering well-crafted plans for the gap analysis and system security plan, MSSPs will perform all the steps necessary for becoming compliant and prepare the legal documentation to prove compliance has been reached and is being maintained the way it should be.

This is what Managed Security Service Provider can do to help you reach the compliance:

A Comprehensive Gap Analysis

The first step in determining whether the contractors meet all the DFAR requirements is a comprehensive gap analysis done by MSSP. It’s aimed at discovering improper system setups and processes that may not be in line with the regulations, and they will do it by inspecting a company’s network and procedures in detail.

The gap analysis is vital because it delivers essential information about the changes that an organization needs to make before it entirely meets the DFARS rules. Its results may reveal the issues related to the following questions:

• How is access to the IT systems controlled?
• Are managers and IT system administrators well-trained?
• How are data records stored?
• How security controls and measures are implemented?
• How are incident response plans developed and conducted?

Gap analysis can help further remediation plan development, which can be performed by either an MSSP or a DoD contractor.

A Well-Developed Remediation Plan

Thanks to the results and findings provided by the gap analysis, an MSSP can develop a remediation plan, which is aimed at implementing small, usually inexpensive fixes to a network and its processes.

However, some remediation plans may require more extensive development of networks and processes that are in accordance with today’s NIST cybersecurity standards.

Overall, a remediation plan conducted by a qualified MSSP can make it easier for DoD contractors to make all the necessary changes to their systems.

Constant Cyber Security Monitoring and Reporting

After the successful implementations of the gap analysis and remediation plan, an MSSP will have all the tools essential for monitoring, detecting, and reporting cybersecurity breaches that could happen within the contractor’s systems.

When contractors don’t have an outsourcing provider, they can report breaches by themselves. Still, they must have all the tools available for completing the task.

Legal Documentation and Protection

In addition to helping the DoD’s contractors in the cybersecurity field, an MSSP will also provide legal documentation that proves the compliance.

Such documentation can save them from fines and risks of spending too much money on court costs.

How to Prove DFARS Compliance?

Although it might sound straightforward, proving DFARS compliance is not always an easy task. Even if the company has achieved it by becoming familiar with all the necessary security standards, it still needs to maintain compliance.

Here are some of the ways that can help you do it:

• Establish a governance program: It’s vital to conduct a comprehensive analysis of your existing IT infrastructure in order to identify and correct any hidden weaknesses and vulnerabilities that might exist in the system. When performing it, make sure you follow the fourteen DFAR requirements listed above.
• Implement a data classification strategy: When the DoD grants you access to the CUI, make sure your company implements a classification scheme that would help you prove that you have created the adequate security controls to protect the CUI.
• Pay attention to cloud usage: Once shared, the CUI must be stored somewhere, including the cloud. However, if you choose the cloud, make sure you have developed a strategic security plan for its storage.

Who Needs to Be DFARS Compliant?

All the companies that work closely with the DoD must be compliant with DFARS cyber security regulations. Although it encompasses a broad range of industries and companies, we can state the companies that are among leading examples of DoD contractors that need DFARS compliance:

• Lockheed Martin
• Boeing
• General Dynamics
• L-3 Technologies
• Honeywell Inc.

As you can see, each of the mentioned companies includes aerospace, ocean, and navigation products that can serve defensive purposes. Therefore, major defense contractors that work with the DoD are considered the primary group that must become compliant.

Having in mind that the DoD frequently collaborates with international contractors, you should know that only the countries that are DFARS compliant can be taken into consideration.

The “DFARS countries” that can bid the projects from the Department of Defense are:

• Australia
• Austria
• Belgium
• Canada
• Czech Republic
• Denmark
• Estonia

• Egypt
• Germany
• Finland
• France
• Greece
• Israel
• Italy

• Japan
• Latvia
• Luxembourg
• Netherlands
• Norway
• Portugal
• Slovenia

• Spain
• Sweden
• Switzerland
• Turkey
• United Kingdom
• Northern Ireland

What are the Consequences of Breaking the DFARS Regulations?

The United States takes its defense quite seriously, which is why the government won’t tolerate any form of non-compliance.

Contractors that fail to comply with each of the DFARS regulations will face severe consequences in terms of denial and disqualification from all the projects provided by the DoD.

Non-compliance can put your business and data at risk, which can later lead to another criminal, civil, administrative, or contract penalties.