In August and December 2015, the Defense Federal Acquisition Register Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors. If you have been following our blog, we first reported on the changes back in January. It is important to understand these changes and how they will affect your organization. If you haven’t read last week’s post, you can do that here.
This week’s post will discuss what these changes mean for your organization. If you haven’t read the first two posts, do so now, as this will try to un-muddy the waters and bring a little more clarity to the overall process. DFARS compliance is important for contractors, as the federal government requires your organization to safeguard covered defense information. If you missed it, covered defense information is a catch-all term that refers to Controlled Unclassified Information, Controlled technical information, operational support activity and a variety of other informational categories. Contractors must show the government how they are compliant with these safeguard requirements.
What Do These Changes Mean?
If your organization does business and holds contracts with the Department of Defense (DOD), you could be required to meet the DFARS clause 252.204-7012 information security requirements. As long as you process, store and transmit any information that falls under that Covered Defense Information umbrella, you will be required to protect that information. With the most recent changes to the DFARS clause as of August 2015, contractors use NIST 800-171 as a guide to implementing security controls around the following control families:
Contractors who are not currently compliant with these requirements are given time to implement the controls. However, it is a long process, and if an organization has minimal controls in place, it can seem like a daunting task to bring controls into compliance.
Information Categorization
With the expanded definitions and the umbrella Covered Defense Information, your organization will have to have a better understanding of where such information resides within the environment. Protecting a portion of your network that contains the information in question is a potential solution, where you can apply additional safeguards and controls that meet DFARS clause 252.204-7012 is a cost-effective way to meet compliance without redesigning your entire security program. Contractors should really look at how they categorize their information. Establishing a categorization scheme will help control access to the information because you can easily define roles that need access. As you can see in the table above, access control is a control family covered under NIST 800-171.
Flow down to Subcontractors
Another change that needs further explanation is the flow-down requirement. While the basic mechanics of the flow down requirement haven’t changed, meaning the same DFARS requirements for Prime Contractors apply to Subcontractors when in performance of the subcontract, handling, processing, storing, and transmitting covered defense information. Additionally, all subcontracts must include DFARS clause 252.204-7012. The only major change that will affect subcontractors is reporting. When reporting a cyber incident as defined in clause 252.204-7012, they must report directly to the DIBnet. In order to report to the DIBnet, subcontractors are required to obtain a Medium Assurance Certificate to access the reporting module on the DIBnet. According to the DFARS clause 252.204-7012, all cyber incidents must be reported within 72 hours from discovery. This is a quick response time and under the new DFARS regulations, is termed “rapid response.” Having a strong security program will help with this requirement, as tools designed to protect the environment.
Alternative Security Measures
Contractors may, and upon approval of the DOD CIO, propose to deviate from any of the NIST 800-171 security requirements. The explanation must be written and answer the following:
- Why a particular security requirement is not applicable; or
- How an alternative but equally effective, security measure is used to compensate for the inability to satisfy a particular requirement and to achieve equivalent protection.
Approval of the alternative security measure is granted after a DOD CIO authorized representative provides an assessment of the proposed deviation. While this seems like a lot, it is actually a little more flexible under the new DFARS regime. Flexibility for security is key to success. Organizations might not want to rip out existing security programs to satisfy requirements. Having the option to work with what is currently in place could potentially save a lot of money in the long run.
How Your Organization will be Impacted?
If you do business with the Department of Defense, your organization will be impacted in some way, whether you flow down the requirements to your subs, or you handle covered defense information, your organization and Subcontractor will have to protect the data. If you are like many organizations and don’t understand where you fall with DFARS compliance, there are some things you can do now to prepare to meet the requirements.
First, conduct a compliance assessment. A third party can evaluate your security controls by talking to individuals, observing your security tools at work and analyzing your implementation of the control. Second, prioritize what is important. Meeting compliance should be the priority, but not all security requirements are created equal. Some tools and processes may be able to satisfy multiple controls, while others may take significant investment. A third party can help you prioritize based on industry standards and best practices. Lastly, ensure your management team is well aware of what is at stake. Not being compliant with DFARS means not being able to bid on and win contracts with the DOD. Management should understand this and a compliance assessment will be the roadmap you need to get the security funding necessary to meet compliance requirements.