If you do business with the Department of Defense (DoD), get ready! After a two-year extension, the deadline for complying with the Defense Federal Acquisition Regulation Supplement (DFARS) data security requirements is fast approaching—December 31 of this year.
To maintain this book of business, it is critical that you take this deadline seriously. If you don’t, you won’t be doing business with the DoD anymore.
If you aren’t sure DFARS affects you, check your contracts. The DFARS data security clause has been included in all solicitations issued and awarded by the DoD for at least the last year, except for commercial off-the-shelf items.
But don’t worry—there is still time to comply, and we can help.
DFARS and CUI Defined
For those of you not familiar with DFARS, it is the DoD’s supplement to the Federal Acquisition Regulations for government agencies to purchase or lease goods from contractors.
While DFARS covers a broad range of contractor rules, the most immediate concern for you is the upcoming deadline to have in place basic security controls to protect controlled unclassified information (CUI) handled by DoD information systems.
CUI is sensitive federal government information routinely processed, stored, or transmitted by a contractor in the course of its work providing essential products and services to federal agencies.
CUI covers a range of information, including credit card data; financial data; web and electronic email services; background investigative data for security clearances; healthcare data; data required to provide cloud services; and data associated with developing communications, satellite, and weapons systems.
However, CUI doesn’t just include digital information. For example, critical infrastructure CUI includes “systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters.”
For a more detailed discussion of CUI, check out the CUI Registry.
If you are a DoD contractor or subcontractor that handles this type of data, DFARS requires you to comply with the data protection standards contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, titled Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
According to SP 800-171, federal contractors “routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies….The protection of sensitive federal information while residing in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.”
To achieve this objective, NIST SP 800-171 outlines best practices for securing sensitive information. It is up to you as the contractor to prove that your IT systems comply with these security best practices.
The standards are performance-based, so contractors can implement alternative security measures as long as they satisfy the DoD’s CUI security requirements.
The standards cover such things as limiting information system access to only authorized users, devices, processes, transactions, and functions; protecting backup CUI at storage locations; and preventing reuse of identifiers.
There is a good chance that your company has already implemented many of the controls. But to ensure compliance, you must take an organized and disciplined approach with the right partners and modern identity and access management tools.
Achieving compliance should just be the start, though. Truly embracing security requires additional processes, technologies, and focus.
In Part 2 of our discussion of DFARS, we will examine in greater depth the 14 “families” of security controls covered by NIST SP 800-171 and how Identity Automation can help you meet the DFARS security requirements in plenty of time for the end-of-year deadline.