The Top 5 Things You Can Do To Achieve DFARS Compliance
Before you set out to achieve DFARS compliance, there are things you can do within your organization to prepare. Download our Top 5 List below.
What Does A DFARS Engagement From OCD Tech Entail?
Learn More About Our Targeted DFARS 3-Step Engagement
Our DFARS engagement approach is composed of three phases spanning the length of the project. Learn more about each phase and the approximate time it takes for completion.
About DFARS
Since 2010 the Department of Defense (DoD) has made a concerted effort to protect the Controlled Unclassified Information (CUI) handled by government contractors and subcontractors. In 2010 President Obama issued Executive Order 13556 (titled "Controlled Unclassified Information"), establishing a universally accepted framework that DoD contractors could use as a guide while handling CUI. Unfortunately, Executive Order 13556 did not motivate DoD contractors to improve their security postures, at least not to a degree that was deemed acceptable.
In response, the DoD, NASA, and the GSA (General Services Administration) together published a new set of rules requiring government contractors to implement cybersecurity controls that would sufficiently protect their information systems and the CUI stored within them. The DoD, NASA, and GSA collaboration concluded with the creation of Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7008, 7009, and 7012, instructing all DoD contractors that process, store, or transmit Covered Defense Information (CDI), including CUI, to protect their information systems by implementing the security controls in NIST SP 800-171 and to establish a cyber incident response and reporting capability.
About NIST SP 800-171 Revision 1
The National Institute of Standards & Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce whose mission is to promote innovation and industrial competitiveness.
Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations is one of several security frameworks developed and maintained by NIST in recent years. DoD contractors were required to implement NIST SP 800-171 security controls no later than December 31, 2017.
The 125-page publication (Revision 1, updated on June 7, 2018) contains a total of 110 controls broken into 14 families of controls. The table below gives an overview of those 14 families, each with an example of one of its requirements:
Access Control: Limit information system access to the types of transactions and functions that authorized users are permitted to execute
Awareness and Training: Provide security awareness training on recognizing and reporting potential indicators of insider threat
Audit and Accountability: Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions
Configuration Management: Track, review, approve/disapprove, and audit changes to information systems
Identification and Authentication: Verify the identities of users, processes, or devices as a prerequisite to allowing access
Incident Response: Test the organizational incident response capability
Maintenance: Perform maintenance on organizational systems
Media Protection: Physically control and securely store system media containing CUI, both paper and digital
Personnel Security: Screen individuals prior to authorizing access to organizational systems containing CUI
Physical Protection: Maintain audit logs of physical access
Risk Assessment: Periodically assess the risk to organizational operations, assets, and individuals resulting from the processing, storage, or transmission of CUI
Security Assessment: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls
System and Communications Protection: Separate user functionality from system management functionality
System and Information Integrity: Identify, report, and correct system flaws in a timely manner
DFARS Clauses Pertaining to NIST SP 800-171 Revision 1
DFARS clause 252.204-7008, titled "Compliance with Safeguarding Covered Defense Information Controls," and clause 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting," require organizations that process, store, or transmit Covered Defense Information to implement the 110 security requirements in NIST Special Publication 800-171r1. It is also worth noting that clause 252.204-7009 features a "flowdown" provision requiring DoD subcontractors to incorporate these DFARS clauses into their contracts as well wherever the use of CDI is required.