DFARS Cybersecurity Requirements Growing Clearer

By Eric Noonan • July 7, 2015

In November of 2013, the Department of Defense released DFARS clause 252.204-7012, which required defense contractors and subcontractors to provide adequate security to safeguard DoD unclassified controlled technical information resident on or transiting through their unclassified information systems from unauthorized access and disclosure.

Since the publication of the regulations, some defense contractors have struggled to define how to comply.  Is there an assessing or auditing entity in the government?  Is there a “passing” score?  Can I be certified as compliant?   All of these questions remained somewhat unanswered and it was up to the organization to do their best to show some kind of evidence to their prime contractors and customers that they were satisfying the DFARS regulations.

CyberSheath was one of the first independent security consultants to offer an assessment that measures and documents a company’s DFARS compliance, providing pragmatic recommendations and a clear roadmap to obtain compliance.  And we know that basing an organization’s compliance program on only the 51 DFARS controls is not enough.  We have always considered the full list of NIST 800-53 Low and Moderate controls to be the standard by which organizations should measure their maturity, and we specifically call out the DFARS 51 controls during a larger NIST assessment effort, demonstrating adherence to the regulation while also gaining a true picture of the security posture of the company.

On June 18, 2015, NIST also released the final version of SP 800-171, which provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal information systems.  This is exactly the kind of additional, focused guidance defense contractors have been looking for since the concept of CUI was defined.  The 800-171 controls are still a subset of the full list of 800-53 controls, but this additional guidance is really going to help prioritize security efforts, spending, and resources for defense contractor’s compliance programs.

The government anticipates establishing a single Federal Acquisition Regulation (FAR) clause in 2016 to apply the requirements of NIST Special Publication 800-171 to the contractor environment as well as to determine oversight responsibilities and requirements.  Although it’s not yet mandated, CyberSheath has already integrated the requirements laid out in NIST 800-171 into our security assessment process that included all NIST 800-53 controls and in-depth reporting on the DFARS-specific controls.  Defense contractors undergoing security assessments today are benefiting from the clearest direction and best-defined requirements to date.

Compliance with DFARS is emerging as a business discriminator for defense contractors.  Organizations that can demonstrate the implementation of the required controls can gain a competitive advantage over other companies that do not assess and document their security posture.  Similarly, if companies pay close attention to the new 800-171 controls and integrate them into a security program that includes the full list of 800-53 controls, they can see measurable, actionable results that can be implemented to show compliance, stop attacks, and build a world-class security organization.

* Since this post we have written an update with the latest DFARS requirements as of December 30, 2015.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security