Are you a Department of Defense contractor? Have you heard of DFARS? If you work with Controlled Unclassified Information, or CUI, you probably have. If you do work with CUI and you haven’t heard of DFARS — listen up. This information is important, and it impacts what you’ll need for high-compliance IT support.
All Department of Defense contractors who work with CUI must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards. If you don’t meet the required standards, you risk losing your DoD contract. While technically this took effect on December 31, 2017 the DoD is starting to crack down. And if you get caught, your business, reputation, and livelihood could all suffer immensely.
How do you know if you’re up-to-date with the DoD cybersecurity requirements? NIST MEP has developed a self-assessment handbook that allows small manufacturers to better understand the requirements. The NIST handbook is broken down into 14 different sections called families. Each section has a series of questions and answers that will identify the weak points in your cybersecurity system. Before answering the questions, read the brief overview of each requirement carefully.
Keep in mind that there is no single solution to each security issue, and alternative security measures are allowed as long as they satisfy the security requirement. However, the handbook assumes that DoD contract manufacturers already have IT infrastructures in place that handle CUI.
Let’s take a look at why it’s important to implement each family.
Access control is what allows or prevents certain users from accessing different types of information. The most privileged information has the smallest number of authorized users and the least privileged information has the most authorized users.
Implementing access control is a crucial internal security measure for DFARS copmliance. It prevents employees with malicious intent from accessing important information and also provides another security measure against hackers.
Data access isn’t the only crucial type of access to protect. Physical access to company facilities is also important. Controlling physical access to your facility protects your employees, equipment, hardware, software, networks and data from burglary, theft, vandalism, and terrorism.
Oftentimes system users are the weak link in your security. Providing continuing training and raising security awareness strengthens this weak link by teaching correct practices. DFARS supports individual accountability through training is also important as it increases prompt responses to security issues.
System users need to understand necessary security measures and how to use them. It’s crucial to protect important data from your own employees through awareness and training.
An audit is the independent review and examination of records and activities to assess the adequacy of system requirements and ensure compliance. DFARS requires it, because without an audit trail, you risk your company’s ability to monitor and investigate behavior.
A company without proper audit trails loses its ability to quickly provide comprehensive reports of unlawful, unauthorized, or inappropriate system activity. Users’ actions need to be able to be uniquely traced to each user in order to hold the correct people accountable.
Configuration management is a collection of activities focused on maintaining the integrity of information technology products and systems by controlling configuration processes. In order to have the appropriate configuration management system, you need to determine and document the appropriate settings for each system, conduct security impact analyses, and manage changes through a change control board.
Without this documentation, a change on one system could have a negative effect on another mission-critical system. Knowing what settings each system needs to have prevents adverse changes from happening and allows you to review settings from a security point-of-view.
Correctly identifying users and then allowing appropriate access for each user is your company’s first line of defense. Without these technical measures, unauthorized individuals could gain entry to important systems.
The appropriate identification system does not extend only to initial log-in processes, but also includes knowing whether the individual who originally authenticated is still using the system. It’s important to use several different identification/authentication methods in order to create the most secure system.
If your company cannot appropriately respond to an incident event, you risk the event spreading, escalated damage, and serious harm to your organization. This is the last thing DFARS wants. Your incident response process needs to include adequate preparation, detection, analysis, containment, recovery, documenting user response activities, and report incidents to authorities.
Establishing the correct maintenance procedures keeps systems in good working order and minimizes risks from hardware and software failures. Corrective maintenance needs to occur when a system fails. However, controlled maintenance needs to be performed regularly on a schedule in accordance with the manufacturer’s recommendations.
This requirement addresses both digital and non-digital system media including external hard disk drives, flash drives, compact disks, magnetic tapes, paper and microfilm. Media protections perform the crucial function of restricting access to authorized personnel only and providing instructions on how to remove information so that it cannot be reconstructed.
Without proper media protection, your digital and non-digital media are unprotected and open to unauthorized users who may have malicious content. Information may not be properly disposed of leading to unauthorized media access.
Personnel security minimize the risk that your company’s staff can pose to company assets through the malicious use or exploitation of their legitimate access to resources. Without personnel security, a company’s reputation can be damaged by employee’s actions and secure information may be used inappropriately.
Companies need to be cautious when hiring new employees. Personnel requirements can include screening, termination, transfer, access agreements and sanctions.
Physical and environmental security refers to measures taken to protect infrastructure against physical threats. This includes the physical facility, its geographic operating location, and supporting facilities that maintain operation of the system.
Physical protection is crucial to prevent infrastructure shut downs, inappropriate physical access of systems, and increases awareness of natural threats including earthquakes or flooding.
The more information technology products used in one’s organization, the greater the risk of cybercrimes. Companies should periodically assess the risk to operations, assets, and employees which may result from the operation of company systems and the processing of company information.
Risk assessments are crucial in prioritizing risks, informing company decision makers, and supporting risk responses.
A security assessment evaluates the management, operational, and technical security requirements to determine whether they are correctly implemented, operating correctly, and producing results.
Without a security assessment, your company could be spending money on processes that aren’t effective or cost-efficient. In a worst case scenario, your systems could have vulnerabilities that aren’t being solved. A proper security assessment can help you evaluate your systems for better operations.
This family addresses system safeguards at large but focuses on the confidentiality of information. Without proper safeguards, information could be stored confidentially, but be vulnerable in transit or vice versa.
One way to better safeguard your information is by separating user functionality and system management functionality. This prevents non-privileged users from being able to see system management-related functionality on their interface. Safeguards such as this can protect company communications at external and internal system boundaries and promote effective information security within company systems.
System and information integrity is the assertion that data can only be accessed or modified by authorized employees. Without integrity, confidential information could be meddled with or damaged by an error in the system. These errors include flaw remediation, malicious code protection, security function verification, information input validation, error handling, non-persistence, and memory protection.
The DFARS NIST Handbook 162 is a great way to self-assess your security. Each family is crucial in creating a manufacturing process that protects controlled unclassified information. Without meeting these requirements, you’re opening up your employees, clients, and reputation to serious risk. Not only could the Department of Defense terminate your contract, but you’re putting confidential information at risk.
The DoD cybersecurity requirements are great to implement, even for those manufacturers who do not have DoD contracts. The DFARS requirements keep data safe and are a great way to streamline your business processes.
If you want to keep your systems secure and your business processes streamlined, call Swift Systems today. We’ll help you get back on track, meet DFARS requirements and guide you through the process. Remember, these requirements don’t only protect your contract with the Department of Defense. They protect the sensitive information you work with and your company’s entire manufacturing ecosystem.
IT systems are foundational to modern businesses. Too often, that foundation is unsteady. Unpredictable outages, insecure networks, and unreliable performance from mission-critical systems can jeopardize your entire business.
There’s a better way. Learn how.