Throughout its history, the Department of Defense (DOD) has relied on contractors, these are individuals or non-federal companies that supply services, supplies, or construction. Almost all of these relationships involve the sharing of sensitive information which could present some sort of risk.
In November 2010, due to the rise in observed cyber security incidents and attacks by the Defense organizations an Executive Order, 13556, was issued, which focused on determining whether contractors were able to control and/or protect the sensitive data needed to deliver on their obligations.
What is DFARS?
FARS, The Federal Acquisition Request System, is a set of rules and principles that apply when the United States government procures goods and services from non-federal organizations. DFARS is a set of additional principles that apply when selling to defense agencies e.g. Army, Navy and Air Force.
DFARS is specifically focused on the relationships where Controlled Unclassified Information (CUI) is accessed by the non-federal organization.
What is CUI?
CUI is a level of classification given to data / information that needs to be protected but can be shared with parties outside of the government such as to third party partners, contractors or venders.
Additional, and higher, government data classifications include Top Secret, Secret, Confidential and Public Trust.
What does DFARS say about third parties?
The third parties that receive CUI must demonstrate that they safeguard the classified data that has been shared with them and that they limit use to the COI information. The other component of DFARS is that they must disclose or share cyber security incident information back to the DOD ie the Department of Defense.
How does a vendor know whether DFARS apply's to them?
Vendor compliance with DFARS, it begins with determining if they store, process, transmit or *create* controlled unclassified information (CUI). Usually, organizations will know if they have such information as it is likely present in contractual language and stipulations. If organizations are unsure of whether or not they have CUI, we recommend performing a review of current contracts to determine if such data exists within their environment.
I need to be compliant to DFARS.. How do I get started?
In order to support those organizations that would receive CUI data. The Department of Defense partnered with the National Institute of Standards and Technology created a framework, NIST Special Publication 800-171. to provide this guidance.
In order to get started, the vendor should perform an assessment against 800 171 and be able to demonstrate whether it is meeting the requirements, or controls, stated in the framework. This could be performed by a 3rd party auditing firm or you could quickly self assess using JustProtect!
Once the assessment is complete what happens next?
Once the vendor understands their posture, they have likely identified many areas that they must implement controls against. These range from technical, administrative, and operational controls that affect people, processes, and technologies.
The ultimate goal of this is to become compliant with each control within NIST 800-171, have a fully-developed System Security Plan (SSP), a Plan of Actions and Milestones (POA&M), and a gauge of the CMMC maturity.
At this point, the organization has a defensible position in the eyes of a DFARS auditor.
Where could companies fail?
Vendor risk management is one area that can trip up the most mature companies. DFARS requires that covered entities flow-down the requirements to any business or organization that may also inherit CUI from them, access systems that have CUI, store, process, or transmit CUI.
Essentially, this process involves assessing whether vendors if they are in compliance with DFARS and NIST 800-171. If they are not, your company must be prepared to decide whether or not to work with them. Ultimately their failure could be your downfall.
Once the process has started, what do they need to do?
NIST 800 171 is an ongoing, or continual framework that requires care and feeding, it enables organizations to demonstrate that they meet a level a certain level of cybersecurity not only within their own organization but also at their 3rd parties.
What now?
If your company is having issues working out whether it needs to comply with DFARS contact us and our team can talk you though the process.
However, if you know that DFARS apply's to you your first assessment is right around the corner! Contact us and we'll be happy to get you going!