DFARS Cybersecurity Requirements Growing Clearer

In November of 2013, the Department of Defense released DFARS clause 252.204-7012, which required defense contractors and subcontractors to provide adequate security to safeguard DOD unclassified controlled technical information resident on or transiting through their unclassified information systems from unauthorized access and disclosure.

Since the publication of the regulations, some defense contractors have struggled to define how to comply. Is there an assessing or auditing entity in the government? Is there a “passing” score? Can I be certified as compliant? All of these questions remained somewhat unanswered, and it was up to each organization to do its best to show some kind of evidence to its prime contractors and customers that it was satisfying the DFARS regulations.

CyberSheath was one of the first independent security consultants to offer an assessment that measures and documents a company’s DFARS compliance, providing pragmatic recommendations and a clear roadmap to obtain compliance.  And we know that basing an organization’s compliance program on only the 51 DFARS controls is not enough.  We have always considered the full list of NIST 800-53 Low and Moderate controls to be the standard by which organizations should measure their maturity, and we specifically call out the DFARS 51 controls during a larger NIST assessment effort, demonstrating adherence to the regulation while also gaining a true picture of the security posture of the company.

On June 18, 2015, NIST also released the final version of SP 800-171, which provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal information systems. This is exactly the kind of additional, focused guidance defense contractors have been looking for since the concept of CUI was defined. The 800-171 controls are still a subset of the full list of 800-53 controls, but this additional guidance is really going to help prioritize security efforts, spending, and resources for defense contractors’ compliance programs.

The government anticipates establishing a single Federal Acquisition Regulation (FAR) clause in 2016 to apply the requirements of NIST Special Publication 800-171 to the contractor environment as well as to determine oversight responsibilities and requirements. Although it’s not yet mandated, CyberSheath has already integrated the requirements laid out in NIST 800-171 into our security assessment process, which includes all NIST 800-53 controls and in-depth reporting on the DFARS-specific controls. Defense contractors undergoing security assessments today are benefiting from the clearest direction and best-defined requirements to date.

Compliance with DFARS is emerging as a business discriminator for defense contractors.  Organizations that can demonstrate the implementation of the required controls can gain a competitive advantage over other companies that do not assess and document their security posture.  Similarly, if companies pay close attention to the new 800-171 controls and integrate them into a security program that includes the full list of 800-53 controls, they can see measurable, actionable results that can be implemented to show compliance, stop attacks, and build a world-class security organization.

* Since this post, we have written an update with the latest DFARS requirements as of December 30, 2015.