DFARS Cybersecurity Requirements Growing Clearer

By Eric Noonan • July 7, 2015

In November 2013, the Department of Defense published DFARS clause 252.204-7012, "Safeguarding of Unclassified Controlled Technical Information," which requires defense contractors and subcontractors to provide adequate security to protect DoD unclassified controlled technical information resident on or transiting through their unclassified information systems from unauthorized access and disclosure.

Since the clause was published, many defense contractors have struggled to define what compliance actually means. Is there an assessing or auditing entity in the government? Is there a "passing" score? Can a company be certified as compliant? These questions have remained largely unanswered, leaving each organization to do its best to produce some form of evidence for its prime contractors and customers that it satisfies the DFARS requirements.

CyberSheath was one of the first independent security consultancies to offer an assessment that measures and documents a company's DFARS compliance and delivers pragmatic recommendations and a clear roadmap for closing the gaps. In our experience, basing a compliance program solely on the 51 NIST SP 800-53 controls enumerated in the DFARS clause is not enough. We have always treated the full NIST SP 800-53 Low and Moderate baselines as the standard against which organizations should measure their maturity, and we specifically call out the 51 DFARS controls within that larger NIST assessment. This demonstrates adherence to the regulation while also giving the company a true picture of its security posture.

On June 18, 2015, NIST released the final version of SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations," which provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal information systems. This is exactly the kind of focused, additional guidance defense contractors have been waiting for since the concept of CUI was defined. The 800-171 requirements are derived from, and remain a subset of, the full 800-53 control catalog, but they give contractors a much better basis for prioritizing security efforts, spending, and resources in their compliance programs.

The government anticipates establishing a single Federal Acquisition Regulation (FAR) clause in 2016 that will apply the requirements of NIST SP 800-171 to the contractor environment and define oversight responsibilities and requirements. Although 800-171 is not yet mandated, CyberSheath has already integrated its requirements into our security assessment process, which covers the full NIST SP 800-53 control set and includes in-depth reporting on the DFARS-specific controls. Defense contractors undergoing security assessments today are benefiting from the clearest direction and best-defined requirements to date.

Compliance with DFARS is emerging as a business discriminator for defense contractors. Organizations that can demonstrate implementation of the required controls gain a competitive advantage over companies that do not assess and document their security posture. Likewise, companies that pay close attention to the new 800-171 requirements and fold them into a security program built on the full 800-53 control set can expect measurable, actionable results: evidence of compliance, fewer successful attacks, and the foundation of a world-class security organization.

* Since this post we have written an update with the latest DFARS requirements as of December 30, 2015.
