Government contracts must ensure compliance with supplemental regulations under the Federal Acquisition Regulation (FAR) when dealing with specific contracts awarded by certain agencies, such as the Defense Federal Acquisition Regulation Supplement (DFARS).
Let’s explore DFARS compliance consulting for contractors.
Table of Contents
An Introduction to DFARS
DFARS is the supplemental regulation for the procurement of goods, services and commodities for prime and subcontracts awarded by the Department of Defense related to cybersecurity and confidential information.
Note that all agencies working on federal contracts are still subject to FAR standards. DFARS only comes into play when agencies are working on DOD-awarded contracts under the Controlled Unclassified Information (CUI) program.
Additionally, DFARS provisions take precedence when a contractor experiences conflicts or discrepancies between the FAR and DFARS clauses in their contract.
What Is the CUI Program?
Established through Executive Order 13556, CUI standardizes the protection of information, such as the Privacy Protection Act, controlled technical information and attorney-client privileged information.
While unclassified, CUIs require control to prevent the leak of critical information, especially those associated with defense missions or exploitable information that may give adversaries an advantage.
What Are DFARS Compliance Requirements?
The basic requirements for DFARS compliance are to:
- Provide adequate security — Contractors must safeguard hidden defense information during transit and restrict unauthorized access to internal information systems to avoid leakage.
- Report cyber incidents promptly — Contractors must report cyber incidents immediately to the DOD and take appropriate actions, such as providing access to the affected areas and submitting malicious software.
In addition to these basic requirements, contractors must follow a number of rules for DFAR-based contracts. These rules include:
Collaborating with Third-Party Organizations
Working with third-party contractors may seem contradicting given that the point of DFARS compliance is to protect private information from outsiders.
However, hiring third-party organizations can bolster cybersecurity by providing DFARS compliance consulting services on auditing capabilities that certify that a contractor meets all requirements.
It’s worth noting that contractors must ensure adherence to FAR and DFARS standards when hiring third-party vendors to accelerate cybersecurity processes.
Verifying DFARS Compliance Through NIST SP 800-171
Contractors must follow the National Institute of Standards and Technology Special Publication (NIST SP) 800-171 guidelines as a crucial part of their DFARS compliance.
NIST SP 800-17 is the backbone of DFARS compliance. Failure to abide by these guidelines can result in contract severance, failed audits, financial penalties and sanctions for breach of agreements.
NIST SP 800-171 guidelines include:
1. Access Control
Organizations must restrict system access to authorized users to prevent data from getting breached or exploited by outsiders.
2. Awareness and Training
This area assesses an organization’s awareness and proficiency in handling sensitive information, mitigating security risks and performing cybersecurity duties.
3. Audit and Accountability
Contractors must implement audit analysis and review annually to trace unauthorized actions and hold violators accountable. This includes checking whether contractors are capable of creating, reviewing and retaining information and identifying violators.
4. Configuration Management
Contractors must establish a baseline configuration and change management process to identify, create and authenticate networks and safety protocols.
5. Identification and Authentication
Organizations must identify and authenticate all users and devices in their information systems. One way they can do so is by verifying employees’ authorization to access CUIs via passwords that reset with every login attempt and by employing multifactor authentication.
6. Incident Response
Contractors must create a thorough process for detecting, containing, examining and responding to cyber systems incidents. This process includes reporting such incidents to the DOD to address issues accordingly.
7. Maintenance
Contractors must practice timely maintenance and upkeep of their systems to minimize threats. Best maintenance procedures include the following:
- Management of IT system maintenance tools
- Placement of control limits on the tools and employee access
- Monitoring all activities of maintenance personnel
8. Media Protection
Contractors must manage the protection and destruction of CUI media. They must document workflow, data access controls and the media policies enforced to ensure proper access command.
Moreover, organizations must review the storage, backups and sanitization of these electronic records before disposal.
9. Personnel Security
Contractors must implement systems to safeguard and regulate access to CUIs. These systems should screen users before granting access and revoke all credentials within 24 hours if personnel is deemed unauthorized.
10. Physical Protection
Protecting the hardware is as important as protecting the software. Contractors must monitor the condition of all physical infrastructures housing their systems.
Physical protection methods include:
- Designating areas strictly for these infrastructures
- Limiting physical access to these areas
- Engineering physical security protection systems, such as locks, cameras and card readers
- Hiring guards to patrol and safeguard the areas
- Assigning authorized personnel to guide and escort visitors
11. Risk Assessment
Despite iron-clad physical and cybersecurity measures, risks and vulnerabilities can still seep through these information systems. With that, organizations must implement risk management policies such as:
- Carrying out incident simulations to gauge risk management proficiency
- Scanning systems periodically to detect new vulnerabilities and anomalies in the processing, transmission and storage of CUIs
- Executing action plans for remediation, acceptance, avoidance and transference of vulnerability risks
12. Security Assessment
In relation to risk assessment, organizations must prove that they can hold periodic security assessments to ensure that cybersecurity standards are met and security controls are implemented properly.
Security assessments include addressing newly identified deficiencies and vulnerabilities, implementing risk management action plans and assigning an assessor to ensure compliance to security requirements regularly.
13. System and Communications Protection
To create effective system security, organizations must implement software development updates, architectural designs and system engineering principles.
In addition, organizations should also prevent remote or outside devices from establishing access within their systems. This minimizes outside communication and stops unauthorized or uncontrolled parties from using contractors’ communication paths.
14. System and Information Integrity
Organizations must take extra measures to prevent the introduction of malicious code and software into their systems. Should they find suspicious activities, they should report, identify and correct these vulnerabilities immediately.
Additionally, such malicious software should be thoroughly cleansed before being deleted. Contractors should also install system software that would update malicious code protection mechanisms, as well as generate directives, advisories and security alerts.
Checklist for DFARS Compliance
DFARS compliance may seem straightforward, but it can take up to eight months to be authorized to work on CUI-based contracts.
To ease this process, below is a checklist that can help contractors become DFARS-compliant:
Calculate Organization’s Applicability
NIST SP 800-171 has provisions that help contractors document any gaps in their current security posture. One method they can do is review all of their contracts to identify crucial provisions that align with DFARS and amend those that don’t.
Additionally, clause 252.204-7012 of DFARS contains the types of CUI applicable for specific contract types, making it easier for contractors to determine their applicability to perform DOD contracts and meet all DFARS standards.
Create and Implement a Remedial Plan
Contractors should build a remedial plan with a control gap analysis. This analysis can reveal inadequate system setups, procedures, storage processes, control implementations and incident responses that don’t meet DFARS requirements.
A remedial plan also enables organizations to develop new controls, revisit old systems and modernize obsolete or inadequate ones.
Continuously Monitor DFARS Compliance Status
Contractors need to continuously monitor their DFARS compliance status to ensure that their workflow and processes adhere to standards and stakeholder requirements. Additionally, contractors need to organize monitoring activities and report current statutes for investors and stakeholders as part of their accountability and compliance.
Work with a DFARS Compliance Consulting Service
Working with a DFARS consultant is an effective way for small DOD contractors to meet DFARS requirements. Through DFARS compliance consulting, contractors can save time and money crafting their remedial plans and gap analyses as consultants have the standard document templates required for compliance submissions.
Moreover, DFARS consultants have the tools and resources that allow contractors to remain compliant and execute remediation plans required by the DOD.
You might also want to read: Beginner’s Guide to Becoming a Government Contractor
