Understanding DFARS Compliance: What It Is and What You Need to Know
To say that cyber security is an important issue in the modern era is something of an understatement. According to the 2017 Cost of a Data Breach study conducted by Ponemon Institute in association with IBM Security, the average cost of a single data breach reached $3.62 million in 2017. That is the global average, however - the average cost of a data breach in the United States alone reached an all-time high of $7.35 million during the same period.
Because of this, the United States Department of Defense is taking cyber security very seriously - particularly as it concerns government contractors and subcontractors. Understanding as much as possible about DFARS and NIST SP 800-171 is one of the keys not only to staying protected, but also to avoiding costly compliance violations going forward.
What Is DFARS NIST 800-171 Compliance?
DFARS is short for "Defense Federal Acquisition Regulation Supplement". Its cyber security clause, DFARS 252.204-7012, applies to any contractor or subcontractor that processes, stores or transmits covered defense information - unclassified but controlled DoD data - on its own systems, and requires those systems to implement the security requirements of NIST Special Publication 800-171. The clause flows down, so it also covers any subcontractors you use to fulfil your obligations to the Department of Defense. While many of the NIST SP 800-171 controls likely fall within the bounds of best practices you already follow, there are key areas involving security and cyber incident reporting that you will want to be aware of.
Compliance, at a minimum, involves NIST SP 800-171 for both on-premises and cloud-based systems. Cloud services used to store covered defense information must meet security requirements equivalent to the FedRAMP Moderate baseline, and cloud services operated on behalf of the DoD additionally fall under the DoD Cloud Computing Security Requirements Guide and DFARS Clause 252.239-7010. Under that clause, unless you have written authorization from the contracting officer, government data held in the cloud must remain within the United States or its outlying areas, and the provider must support access to that data for inspections, audits and investigations.
Cyber incident reporting is also a top priority: any cyber incident that affects covered defense information, or a contractor system that holds it, must be reported to the DoD within 72 hours of discovery. Reports are submitted through the DoD's DIBNet portal, which requires a DoD-approved medium assurance certificate - obtain one before you need it, since 72 hours is not enough time to do so during an incident. The report must be preceded by a review to determine the scope of the compromise, including the affected data and user accounts, the affected systems, and how the compromise occurred.
DFARS compliance also requires you to preserve and protect images of all known affected systems, along with any relevant monitoring and packet capture data, for at least 90 days from the date you submit the cyber incident report. Any malicious software you discover must be submitted to the DoD Cyber Crime Center (DC3). You must also give the DoD access to the preserved evidence so that it can carry out its own forensic analysis, and work directly with the DoD to provide any additional information needed to complete its investigation.
Important Deadlines for DFARS Compliance
The DFARS deadline for implementing NIST SP 800-171 was December 31, 2017 - meaning that if you had not addressed the issues above by the stroke of midnight on that date, you were in breach of contract and could be subject to contractual, administrative, civil and, in cases of false representation, criminal action, including liability for any damages that result from your inaction.
But achieving compliance is not something that happens overnight - which is part of why the deadline was so problematic. Experts recommend a six-to-eight month ramp-up period, meaning that organizations with the best of intentions that started late still missed the December 31, 2017 deadline.
Perhaps the most important thing to understand is that the passing of the December 31, 2017 deadline does not mean the issue of DFARS compliance will go away. Far from it - it will only become more important as time goes on, which is why you need to address it as soon as you can. If you missed the deadline, there are still concrete steps you can take: at a minimum, document a System Security Plan (SSP) describing how each NIST SP 800-171 requirement is met, and a Plan of Action and Milestones (POA&M) for every requirement that is not yet implemented, since these are the documents the DoD uses to assess where you stand.
The Cima Approach to DFARS NIST Compliance
At Cima Solutions Group, we have designed many of the components of our managed IT services offerings with government contractors and issues like DFARS compliance firmly in mind. We can help you tackle NIST SP 800-171 control families such as identification and authentication, incident response, maintenance and access control, so that you can stop worrying about missed deadlines and compliance violations and focus on the most important thing of all: the critical work you do every day.
If you would like to find out more about DFARS and NIST SP 800-171 compliance and how it affects you as a government contractor or subcontractor, or about how a full managed security offering can help you not only become compliant but stay that way, please don't delay - contact Cima today.