Department of Defense (DoD) contractors and suppliers must ensure they are compliant with Defense Federal Acquisition Regulation Supplement (DFARS).
What is DFARS?
In 2015, the DoD reported that hackers had stolen over 21 million personally identifiable records of government employees, contractors, and their families from The Office of Personnel Management. In response to this incident and the escalating wave of global cyber attacks, the DoD began ratcheting up its security requirements. Most recently, amending the Defense Federal Acquisition Regulation Supplement (DFARS) to require DoD contractors to provide “Adequate Security” for defense information on the contractor’s internal information system or network. (See DFARS Clause 252.204-7012 – “Safeguarding Covered Defense Information and Cyber Incident Reporting”)
And organizations that utilize cloud computing services will need to:
- Adhere to specified cloud computing requirements (See DFARS Clause252.239-7010)
- Implement certain security requirements (NIST SP 800-171), and
- Report any cyber breach within 72 hours of its discovery to the DoD.
If you are a defense contractor or sub-contractor (regardless of size or location) that processes, stores or transmits Controlled Unclassified Information (CUI) for the DoD, you must have complied, or reported delays by December 31, 2017.
1. Adequate Security
According to the DFARS Clause 252.204-7012, adequate security includes “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.” Simply put, the government expects all suppliers and contractors to comply with NIST 800-171.
While the implications are far-reaching; email is still the primary communication medium for most organizations. Over 250 billion emails circulate the globe every day, many of them containing sensitive or controlled information. To secure emails transmitting CUI, which typically have a direct military or space application and consist of items such as engineering data and drawings, technical reports, specifications, etc., contractors must restrict the ability to download, print or forward emails and attachments.
2. Cyber Incident Reporting
Contractors and suppliers must immediately report cyber incidents and cooperate with DoD to respond to these security incidents by providing access to affected media and malicious software.
Cyber Incident Reporting: DFARS 252.204-7012 defines a cyber incident as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.”
In the event of a cyber incident that impacts classified defense information (CDI), contractors must do the following:
- Perform an analysis and gather evidence to determine if specific CDI was compromised on contractor computers or servers.
- Rapidly report (within 72 hours) the discovery of the cyber incident. A medium-assurance certificate will be required to report the incident.
- Preserve and protect OS images and other forensic evidence (e.g. packet captures, logs, etc.) for 90 days.
What these requirements essentially mean for contractors is that they must have an incident management plan and procedures in place today.
What’s the bottom line?
Full compliance was required by December 31, 2017 for companies with prior contracts. For companies awarded contracts after the deadline, they must notify the DoD CIO within 30 days of contract award, of any security requirements not implemented at the time of contract award.
What happens if you aren't DFARS compliant?
A government contractor that is not compliant with DFARS 225.204-7012 is at risk of losing business with the government.
Messageware software provides security and analytics for on-premise Microsoft Exchange deployments. With Messageware products organizations using Microsoft Exchange and Outlook on the Web (OWA) can prevent data exposure by ensuring that no files are transferred to client devices, and apply a sophisticated set of access controls and real-time monitoring of potential risks to their OWA system.
NIST SP 800-171 can be found at:
SP 800-171 references another document (NIST Special Publication 800-53) which goes into more detail about the security controls. Also, NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems”, Sections 3.3 to 3.6 may provide small manufacturers with a systematic, step-by-step approach to implementing, assessing and monitoring the controls.