What Government Contractors Need to Know About NIST and DFARS Compliance Rules

For those government contractors looking for an IT consultant who can help you keep in line with DFARS federal acquisition regulations, Spade Technology won’t fail you. We’ll advise you on all you’ll need to know and do to keep in line with the NIST-DFARS compliance regulations and remain DFARS compliant always.

NIST Special Publication 800-171, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement) stipulates that any organization or contractor that holds or processes unclassified Department of Defense (DoD) data must ensure that they comply with the new DFARS clause.

As with other compliance mandates, DFARS requires ongoing attention and due diligence in the area of cyber security. But first, it’s critical that security and DevOps teams understand the requirements of implementing the mandate; anticipating a six- to eight-month ramp up period would be wise.

Here we’ll share a general overview of DFARS, as well as a pragmatic approach to ensuring your organization (at the very least) meets the December 31, 2017 deadline.

The Necessity of DFARS Compliance

In addition to DoD data in your possession, DFARS clause 252.204-7012 will also apply to any subcontractors you may use to fulfill your obligations to the DoD. Failure to be compliant with the DoD and its Defense Pricing/Defense Procurement and Acquisition Policy (DPAP) will leave you in breach of contract and subject to criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States.

It will also leave you open to civil actions for damages and other appropriate remedies by any third parties that report a cyber incident, as a third-party beneficiary of this clause.

Organizations working with the DoD may already be used to applying stringent controls to systems that manage classified data, but with the DFARS compliance mandate, this now extends to unclassified systems that are owned, operated by, or for a contractor, and which process, store, or transmit covered (or classified) defense information.

Important Note: This can have wide-reaching consequences for the contractor who now must extend the security controls across a larger number of systems than in the past.

The DFARS FAQs illustrate the requirements for protecting covered defense information, controlled unclassified information, and Federal contract information when processed or stored on a contractor’s internal information system, or on a DoD system, as diagrammed here:

The good news is that the controls specified within DFARS are within normal best practices that any organization should be following, and implementing them will improve the overall security posture of your organization anyway.

Key DFARS Concerns

The key areas that DFARS addresses are the ensuring of adequate security, cyber incident reporting, and subcontracts.

Adequate Security

Adequate security is defined as being compliant with, at a minimum, the following security controls:

For on-premises systems:

For cloud-based systems:

  • DoD Cloud Computing Security
  • DFARS Clause 252.239-7010
  • NIST SP 800-171
  • Unless you have received written approval from the contracting officer, cloud computing services should be located within the United States or outlying islands (Spade Technology is located in Boston, MA);
  • You must also have the ability to support applicable system-wide search and access capabilities for inspections, audits, and investigations.

The contractor must also ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (With Spade – Check.).

Additionally, the cloud service provider must comply with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.

Government contractors can turn to Boston IT services provider Spade Technology for a complete security vulnerability and compliance risk assessment.

Cyber Incident Reporting

Cyber incidents that impact a system within the scope of DFARS must be reported within 72 hours of detection. To report cyber incidents, you must have a medium assurance certificate.

A review must be conducted so that the scope of the compromise can be understood. At a minimum, this review must cover:

  • Identification of affected systems
  • Affected users accounts
  • Affected data
  • Other systems that might have been compromised

The DoD has the right to request further information to enable it in investigating the cyber incident. To this end, the contractor should:

  • Take images of affected systems and any relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
  • Provide access to the DoD to allow them to carry out forensic analysis.
  • Work with the DoD and provide any additional information that they require to complete the investigation.

Subcontracts

If you subcontract any work that is in the scope of the DFARS, you must ensure that your subcontractors are compliant. They, too, must report cyber incidents directly to the DoD and the primary contractor within 72 hours.

Microsoft First in DFARS Compliance with Azure Government Cloud

Changes to the Defense Federal Acquisition Regulation Supplement put yet another set of compliance requirements on cloud service providers that want to work with Department of Defense customers. CSPs have until the end of the year to meet the DFARS requirements; Microsoft announced on April 11, 2017, that its Azure Government platform is the first to comply.

DFARS compliance requirements were finalized in 2016 and described in the National Institute of Standards and Technology Special Publication 800-171.  Meeting the DFARS requirements will allow DOD’s partners to host Covered Defense Information in Microsoft’s Azure Government cloud.

As a Certified Microsoft Partner, Spade Technology can facilitate Azure cloud computing for DFARS-compliant government contractors.

December 31, 2017 is the ultimate deadline by which to prove compliance, so action is recommended as soon as possible.

Identify Security Vulnerabilities with a DFARS Compliance Risk Assessment

Those government contractors (and other covered entities) looking to remain DFARS-compliant can no longer simply install some anti-virus software on their computer and feel safe. Cybercrime grows worse every day, it seems, and many business networks are already compromised!

Is your sensitive data safe? You must know exactly where you are vulnerable, then strengthen your defenses to stay safe from a compliance violation.

Most networks have vulnerabilities like third-party applications that need patching, or have improperly configured firewalls – not to mention risks associated with using mobile devices and wireless networks!

Government contractors throughout New England can turn to Spade Technology for a complete security vulnerability and compliance risk assessment that includes:

  • Analysis of existing security products and policies to find vulnerabilities that cybercriminals will exploit.
  • Penetration tests to discover weaknesses using the same methods advanced hackers will use to breach your network.
  • Network-wide assessments to eliminate devices that contain exploitable hardware that’s impossible to protect.
  • Business process assessments to ensure compliance with industry-specific regulations.
  • Creation of a custom protection policy to safeguard against data breaches and vulnerabilities caused by misinformed employees.
  • Initial & ongoing training on safe computing practices to eliminate mistakes that create vulnerabilities within your network.

The Spade Technology pros are standing by and await your call!

Get Your DFARS Compliance Management Risk Assessment and Rest Assured

Spade Technology offers Total Security and Data Protection with our full-service technology consulting in the Nashua NH, Providence RI, and Boston MA areas.

Schedule a complete security vulnerability and DFARS compliance management and risk assessment now – contact us at (508) 339-5163 or info@spadetechnology.com to get started right away and ensure you’re always DFARS compliant!