As discussed in our previous blog post, the December 31 deadline for complying with data security requirements in the Defense Federal Acquisition Regulation Supplement (DFARS) is looming.
If you do business with the Department of Defense (DoD) and handle controlled unclassified information (CUI), you had better get moving to ensure compliance or face losing that business altogether.
This warning also applies to your subcontractors and all parts of your supply chain. You are responsible for ensuring they too comply with the DFARS rules.
The DFARS rules don’t just cover businesses. They include state and local government agencies, colleges and universities with government partnerships, and independent research organizations that have access to CUI.
The data security requirements are enshrined in DFARS clause 252.204-7008 in your contracts. If you fail to comply with this clause, you will not be able to do business with the DoD beginning next year, and you will not be able to bid on or win new contracts.
A Deeper Dive into NIST
DFARS requires you to comply with the data protection standards in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
According to NIST, companies need to have a system security plan in place that “describes the system boundary; the operational environment; how the security requirements are implemented; and the relationships with or connections to other systems.”
That plan should explain how the company is complying with the 14 “families” of security requirements contained in SP 800-171. These families are:
- Access controls
- Security awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Security maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- Systems and communications protection
- System and information integrity
As an example, under access controls, NIST requires companies to limit system access to only authorized users, devices, processes, transactions, and functions and to employ the “principle of least privilege” in determining access to security functions and privileged accounts.
While 14 “families” might seem like a lot of security areas to worry about, the good news is that the risk management and security principles included in the NIST data security standards are likely already familiar to you. And the NIST standards are performance-based, so contractors can implement alternative security measures as long as they satisfy the CUI security requirements.
We Can Help
To help you with DFARS compliance, Identity Automation partners with a number of cybersecurity consulting firms to provide a comprehensive suite of professional services in addition to our identity and access management products.
These firms offer training, consulting, and services to help educate you on NIST requirements in detail, assess where you stand relative to compliance, and then provide a roadmap to achieve compliance quickly and cost-effectively.
Identity Automation can fill any technology gaps or even completely replace your existing identity management system with RapidIdentity. Plus, our comprehensive multi-factor authentication (MFA) platform, RapidIdentity MFA, offers the broadest range of online and offline authentication methods to help you meet all NIST 800-171 MFA requirements and use cases. RapidIdentity provides:
- Automated (and consistent) provisioning/attestation and identity lifecycle management, which closes the security gaps in your current user identity and access controls.
- Certification via workflows, which ensures entitlements are always up to date, while reducing the cost, complexity, and workload associated with remaining compliant.
- Role-based access controls and attribute-based access controls for strict control of access to data and systems.
- Detailed security auditing with the ability to send audit data to other security information systems.
- Multi-factor authentication with an extra layer of protection for all access entry points, including on-premises applications, cloud applications, offline desktop, employee and customer portals, and remote access using virtual private networks and other technologies.
- Time- and location-based access controls, which enable you to control and manage access at the granular level to meet changing security and compliance requirements.
- Self-service capability with configurable challenge and response (aka Knowledge-Based Authentication) and robust password complexity.
We are currently helping a number of large defense contractors cross the finish line to DFARS compliance. And we can help you too.
It’s not too late. But the time to take action is now.