After a two-year delay, the US Defense Department is finally implementing the data security requirements of Defense Federal Acquisition Regulation Supplement (DFARS). The new security requirements will go into effect as of December 31, 2017. Any Defense Department bidding from any potential contractor from that point on will have to comply with these new regs, whether materiel is being purchased or leased by the government. Read on for an overview of these regulations.
So, what are they and how do bidders comply?
Step One: Do You Need to Comply?
First, you should already have some notion of this. Check your current contracts and solicitations. The DFARS data security requirements have been included in all of them for the last year or so.
The upcoming deadline are controls that DoD has in place specifically for controlled unclassified information (CUI), which basically is any sensitive data that a contractor meets and stores or transmits during the course of fulfilling a contract.
That sensitive data can include credit card data, healthcare data, anything to do with storing information in the cloud, or anything to do with developing weapons or communications.
It also includes information on any mission-critical physical and virtual infrastructure whose failure could cause security and other problems.
A full readout of what constitutes DFARS’ CUI is here. Read through it and determine if you handle any of that data as a DoD contractor. If you do:
Step Two: If You Need to Comply, how do you do it?
If you’ve read the readout and you’re a DoD contractor who works with any of that data, then you have to conform to the National Institute of Standards and Technology (NIST) Special Publication 800-171 data security provisions that are compiled here: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
That document begins: The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its assigned missions and business operations.
So you as a contractor have to prove to the DoD that you are complying with these standards in a way that indicates to DoD that you understand and prioritize that paragraph.
The document covers 14 specific data security areas:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
The standards themselves are really a set of best practices and are performance-based, so the only thing that a contractor must prove is that their CUIs are secure. Most businesses probably have some of these checks in place, but, as you can see, this is complicated stuff that requires the presence of cybersecurity professionals to make sure that your company is compliant with these new standards.
There is some flexibility built in to these standards that will allow data security professionals like Kimmell Cybersecurity to design and implement personalized solutions to SP 800-171 conformance.
Let us look at your system and make sure that you’re in full compliance with DFARS.