For those government contractors looking for an IT consultant who can help you keep in line with DFARS federal acquisition regulations, Spade Technology won’t fail you. We’ll advise you on all you’ll need to know and do to keep in line with the NIST-DFARS compliance regulations and remain DFARS compliant always.
NIST Special Publication 800-171, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement) stipulates that any organization or contractor that holds or processes unclassified Department of Defense (DoD) data must ensure that they comply with the new DFARS clause.
As with other compliance mandates, DFARS requires ongoing attention and due diligence in the area of cyber security. But first, it’s critical that security and DevOps teams understand the requirements of implementing the mandate; anticipating a six- to eight-month ramp up period would be wise.
Here we’ll share a general overview of DFARS, as well as a pragmatic approach to ensuring your organization (at the very least) meets the December 31, 2017 deadline.
In addition to DoD data in your possession, DFARS clause 252.204-7012 will also apply to any subcontractors you may use to fulfill your obligations to the DoD. Failure to be compliant with the DoD and its Defense Pricing/Defense Procurement and Acquisition Policy (DPAP) will leave you in breach of contract and subject to criminal, civil, administrative, and contractual actions in law and equity for penalties, damages, and other appropriate remedies by the United States.
It will also leave you open to civil actions for damages and other appropriate remedies by any third parties that report a cyber incident, as a third-party beneficiary of this clause.
Organizations working with the DoD may already be used to applying stringent controls to systems that manage classified data, but with the DFARS compliance mandate, this now extends to unclassified systems that are owned, operated by, or for a contractor, and which process, store, or transmit covered (or classified) defense information.
Important Note: This can have wide-reaching consequences for the contractor who now must extend the security controls across a larger number of systems than in the past.
The DFARS FAQs illustrate the requirements for protecting covered defense information, controlled unclassified information, and Federal contract information when processed or stored on a contractor’s internal information system, or on a DoD system, as diagrammed here:
The good news is that the controls specified within DFARS are within normal best practices that any organization should be following, and implementing them will improve the overall security posture of your organization anyway.
The key areas that DFARS addresses are the ensuring of adequate security, cyber incident reporting, and subcontracts.
Adequate Security
Adequate security is defined as being compliant with, at a minimum, the following security controls:
For on-premises systems:
For cloud-based systems:
The contractor must also ensure that the cloud service provider meets security requirements equivalent to those established by the Government for the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (With Spade – Check.).
Additionally, the cloud service provider must comply with requirements in paragraphs (c) through (g) of this clause for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.
Government contractors can turn to Boston IT services provider Spade Technology for a complete security vulnerability and compliance risk assessment.
Cyber Incident Reporting
Cyber incidents that impact a system within the scope of DFARS must be reported within 72 hours of detection. To report cyber incidents, you must have a medium assurance certificate.
A review must be conducted so that the scope of the compromise can be understood. At a minimum, this review must cover:
The DoD has the right to request further information to enable it in investigating the cyber incident. To this end, the contractor should:
Subcontracts
If you subcontract any work that is in the scope of the DFARS, you must ensure that your subcontractors are compliant. They, too, must report cyber incidents directly to the DoD and the primary contractor within 72 hours.
Changes to the Defense Federal Acquisition Regulation Supplement put yet another set of compliance requirements on cloud service providers that want to work with Department of Defense customers. CSPs have until the end of the year to meet the DFARS requirements; Microsoft announced on April 11, 2017, that its Azure Government platform is the first to comply.
DFARS compliance requirements were finalized in 2016 and described in the National Institute of Standards and Technology Special Publication 800-171. Meeting the DFARS requirements will allow DOD’s partners to host Covered Defense Information in Microsoft’s Azure Government cloud.
As a Certified Microsoft Partner, Spade Technology can facilitate Azure cloud computing for DFARS-compliant government contractors.
December 31, 2017 is the ultimate deadline by which to prove compliance, so action is recommended as soon as possible.
Those government contractors (and other covered entities) looking to remain DFARS-compliant can no longer simply install some anti-virus software on their computer and feel safe. Cybercrime grows worse every day, it seems, and many business networks are already compromised!
Is your sensitive data safe? You must know exactly where you are vulnerable, then strengthen your defenses to stay safe from a compliance violation.
Most networks have vulnerabilities like third-party applications that need patching, or have improperly configured firewalls – not to mention risks associated with using mobile devices and wireless networks!
Government contractors throughout New England can turn to Spade Technology for a complete security vulnerability and compliance risk assessment that includes:
The Spade Technology pros are standing by and await your call!
Spade Technology offers Total Security and Data Protection with our full-service technology consulting in the Nashua NH, Providence RI, and Boston MA areas.
Schedule a complete security vulnerability and DFARS compliance management and risk assessment now – contact us at (508) 339-5163 or info@spadetechnology.com to get started right away and ensure you’re always DFARS compliant!