Fundamental DFARS Compliance Checklist: Everything the DoD Contractor Needs to Know

What is DFARS?

This regulation requires defense contractors to meet particular cyber security conditions detailed in NIST 800-171. These requirements specify the proper manner in which CDI (covered defense information) or CUI (controlled unclassified information) must be managed and protected.

It applies to all contractors and subcontractors doing business with the Department of Defense, and they need to comply with DFARS and NIST 800-171.

What Type of Information Does It Secure?

DFARS compliance is designed to secure sensitive government information as it’s processed, stored, and transmitted through non-government systems. Data is most vulnerable when it’s moved off its secured storage. There are 3 types of information protected under this regulation supplement:

• CDI: Covered Defense Information – These are government policies identified by the DoD (Department of Defense) as sensitive or pivotal in the implementation of a current government agreement. It also involves information found, received, or stored by a contractor;
• CUI – It covers any information that has been classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any previous or future orders, not excluding the Atomic Energy Act of 1954, as amended (NIST 800-171);
• CTI: Controlled Technical Information – Any technical information that includes the use in any capacity of space or military application.

Minimum DFARS Requirements

Despite the increasingly complex sector of data security, the DoD has kept the requirements for the contractors straightforward and reasonable. These are the minimum requirements:

• Give adequate security to safeguard covered defense information that resides in or transits via the internal unsorted information systems from unauthorized access and disclosure;
• Quickly report cyber incidents and collaborate with the Department of Defense to respond to these security threats, including access to affected data and submitting malicious software.

To be compliant, non-federal and contractor information organizations/systems must pass a preparedness assessment following NIST SP 800-171 guidelines:

• Access control – Restricts system access to authorized users;
• Awareness and training – Give awareness of the security risks related to user’s activities, and training them on applicable policies, standards, and procedures, so they can perform their duties;
• Audit and accountability – Creation, protection, control, and review of system logs;
• Configuration management – Production of baseline configuration and use of robust change management operations;
• Identification and authentication – Identify/authenticate the information system’s users and devices;
• Incident response – Develops operations to discover, analyze, contain, recover from, and respond to incidents;
• Maintenance – Executes timely maintenance on organizational information systems;
• Media protection – Provides the protection, sanitation, and destruction of media containing CUI;
• Personnel security – Screens individuals before authorizing their access to information systems and ensure such systems stay secure upon the termination or transfer of individuals;
• Physical protection – Limits physical access to, defends, and maintains the physical facility and supports infrastructure for the information systems;
• Risk assessment – Assesses the operational risk associated with processing, storage, and transmission of CUI;
• Security assessment – Assesses, supervises, and fixes deficiencies, as well as reduces/, eradicates vulnerabilities in organizational information systems;
• System and communications protection – Monitors, controls, and protects data at the boundaries of the system, and use architectural designs, software development methods, and system engineering principles that promote efficient information security;
• System and information integrity – Detect, report, and fix information system flaws in a timely way, safeguard the information system from malicious code at appropriate locations, and supervise information security alerts/advisories and take appropriate action.

Key Technical Requirements

• DFARS 3.12.1 & DFARS 3.12.3: Security assessment – You need to assess the environments containing CUI regularly. It’s recommended to involve upper management and employees who take part in processes/environments that store, transmit, or process CDI or CUI. It’s best to do an assessment twice a year or every quarter;
• DFARS 3.5.3: Identification and authentication – It’s mandatory to have MFA (multifactor authentication) or 2FA (two-factor authentication) for all local and network access. Research and review your budget before you start looking for viable options to incorporate MFA. Options like Google Authenticator is a great choice, or you can ask your trusted MSP (managed services provider) for other solutions.
• DFARS 3.6.1: Incident response – Ensure that you can prepare, detect, contain, eliminate, recover, and learn from incidents such as a ransomware attack or data breach. Having a proper incident response plan will prevent data loss, damage, and related penalties or fines. Your incident response plan needs to be updated in order for you to be compliant and adaptive to new technologies also.

Important Clauses to Consider

As we’ve explained, DFARS was created in response to the growing threat of cyber-attacks around the globe. It encompasses the operation, dissemination, processing, and storing of any sensitive government info. Here are a few vital clauses that you should note:

DFARS 252.204-7012: Defense Information Protections & Procedures For Incident Reporting – This refers to the implementation of NIST SP 800-171 controls, particularly concerning “covered contractor information systems.” They’re unclassified systems or any systems utilized by a contractor or subcontractor that deals with covered defense information in any way;

DFARS 252.204 – Protocol for Covered Defense Information & Proper Safeguards – It substantially limits the ways contractors may exploit CDI. It also adds the responsibility to the contractor to educate their employees and subcontractors of their duties with delicate information;

DFARS 252.239-7010: Cloud Computing Protocol – This protocol issues all the security requirements and necessary controls for cloud computing services. As cloud computing continues to grow and progress, the security requirements must also modify. It also includes the reporting processes for any and all incidents.

Who Must Be DFARS Compliant?

Any business and enterprise that works for the DoD must be DFARS compliant. Even though this’s a very broad category, it’s typically the big defense contractors that do plenty of the work for the Department of Defense. Thus, this can be considered the primary line up that must come into compliance.

Examples of major defense contractors are:

• Boeing;
• Lockheed Martin;
• Northrop Grumman;
• General Dynamics;
• United Technologies;
• L-3 Communications Holdings;
• Raytheon;
• Science Applications International Corporation;
• Hughes;
• TRW;
• Textron;
• Rockwell;
• Honeywell, Inc.

These defense contractor associations also need to be compliant:

• Aerospace Industries;
• National Defense Industrial Association;
• Electronic Industries Alliance.

Obviously, the DoD is quite selective when it comes to choosing defense contractors abroad, and today, only the following are regarded as “DFARS countries.” In plain English, only defense contractors from these countries can bid on contracts and projects from the DoD: Australia, Austria, Belgium, Canada, Czech Republic, Denmark, Estonia, Egypt, Finland, France, Germany, Greece, Israel, Italy, Japan, Latvia, Luxembourg, Netherlands, Norway, Portugal, Slovenia, Spain, Sweden, Switzerland, Turkey, United Kingdom, Northern Ireland.

DFARS compliance is an ultimate requirement under the following conditions:

• If you’re a subcontractor of one of the major defense contracts mentioned above (this even involves subcontractors who are working with a non-major defense contractor);
• If your project/contract with the DoD includes the use of CUI, or UCTI (Unclassified Controlled Technical Information);
• If the bid you’re proposing involves language found in DFARS Provision 252.204-7008;
• If you’re awarded a contract, and it includes language found in DFARS Clause 252.204-7012.

Does My Business Need a DFARS Compliance?

All contractors/subcontractors processing, storing, or transmitting CUI (Controlled Unclassified Information) have to meet minimum security standards specified in this regulation. Failing to satisfy these conditions may end up in the loss of contracts with the DoD.

There’re a few other instances that your company may also need it, including:

• If you’re a DoD contractor, subcontractor or involved with the Department of Defense in a business arrangement;
• If DFARS provision 252.204-7008 contained within the language of a contract you’re offering;
• If DFARS provision 252.204-7012 contained within the language of a contract you’re offering.

How to Become DFARS Compliant?

While there aren’t many steps to get this compliance, each one may be somewhat included. Be prepared to take your time, so you can gain all the benefits of a DoD contract.

1. Do you need this compliance

Of course, if you don’t have to be DFARS compliant, there’s no need to put in the effort. Still, if you want to earn any extra income for your company through the Department of Defense contracts, then you’ll need to ensure compliance.

All businesses that earned via the DoD are expected to be DFARS-compliant. Therefore, if you’re preparing for such an agreement, you should follow these conditions to get started.

2. Fill out the cyber security survey

Check with the Department of Defense to get a DFARS cybersecurity questionnaire. It’ll help them see that you’re in a position to guard any sensitive information you’ll come into contact with.

Anyway, this questionnaire alone is not enough to prove DFARS compliance, which is why you’ll have to follow the 3 three steps too.

3. Perform a self-assessment

There are more than 100 controls you need to utilize to assess your business for compliance. Check each one to ensure you’re prepared to be compliant. You’ll also employ these in the next step.

4. Create a system security plan

The other way of proving your compliance with the DoD is creating an SSP (system security plan). This plan should show the exact steps you’re already using and will be applying to become DFARS-compliant.

5. Implement security plan

Once you make the roadmap, you need to implement it automatically. Once it’s incorporated, you can exhibit how it’s working to the Department of Defense to get contracts with them.

At this stage, you may also have to go back and do another self-assessment or get an external assessment done to demonstrate that your system security plan is working as it should be.

How to Conduct Security Breach Protocol?

Regardless of the government’s best intentions while making the DFARS compliance checklist, they aren’t bulletproof. Even if you have met the DFAR requirements, there’s still the chance for a security breach.

One of the novelties from the most recent DFARS update relates to the reporting of prospective security threats. The government now demands fast response reporting, which means notifying the authorities within 72 hours of detecting the potential danger.

They also added a useful link for reporting. Anyway, you’ll still need a cybersecurity expert on hand in order to pass along the proper technical details.

What Are the Consequences of Non-Compliance Business?

The consequences of non-compliance are serious and efficient – denial and disqualification for any and all Department of Defense agreements, current/moving forward. The U.S. government takes its defense very seriously, and as cyber-attacks rack up in quantity and intensity, the authorities will take a hardline approach.

Note – Any contractors who outsource their DoD work to subcontractors must confirm that their contacts are also DFARS compliant.