DFARS Compliance Is Essential for Federal Defense Contractors
Compliance Team Lead – Timothy E. Allen | Former Special Agent (U.S. Secret Service & DOJ-OIG)
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of regulations that the U.S. Department of Defense (DOD) adopted to address cybersecurity risks in the federal defense contracting sector. While the main purpose of DFARS is to preserve the confidentiality of Controlled Unclassified Information (CUI), defense contractors have extensive obligations under DFARS, and DFARS compliance impacts many different aspects of defense contractors’ operations. Since noncompliance can lead to loss of federal defense contracts (not to mention threats to national security), compliance needs to be a priority, and federal defense contractors need to rely on experienced professionals to help them establish effective DFARS compliance programs and maintain compliance on an ongoing basis.
We Know DFARS Compliance Inside and Out
At Corporate Investigation Consulting, we know DFARs compliance inside and out. Not only do we work with defense contractors across the country to help them establish and maintain DFARS compliance, but we also have past experience in the area of DFARs compliance enforcement. Our DFARS compliance team is made up of former high-ranking federal agents, and it is led by Michael S. Koslow, a former Supervisory Special Agent at the DOD Office of Inspector General (DOD OIG).
Given the importance of DFARS compliance, this is one area in particular where defense contractors cannot afford to take chances. They need to make informed decisions, and they need to implement comprehensive compliance programs based on sound advice. With our former federal agents’ experience on both sides of DFARS compliance matters, we know what it takes for defense contractors to protect themselves, and we are able to help our clients avoid any questions regarding the sufficiency of their DFARS compliance efforts.
Put our highly experienced team on your side
Roger Bach
Former Special Agent (OIG)
Timothy E. Allen
Former Senior Special Agent U.S. Secret Service
Chris J. Quick
Former Special Agent (FBI & IRS-CI)
Maura Kelley
Former Special Agent (FBI)
Ray Yuen
Former Supervisory Special Agent (FBI)
Michael S. Koslow
Former Supervisory Special Agent (DOD-OIG)
Marquis D. Pickett
Special Agent U.S. Secret Service (ret.)
Critical Areas of DFARS Compliance
To ensure that federal defense contractors adequately protect CUI, DFARS establishes 14 critical areas of compliance. The National Institute of Standards and Technology (NIST) describes these as “families,” and notes that they “are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200.” The Federal Information Processing Standards (FIPS) Publication 200 establishes cybersecurity requirements for most federal offices and agencies.
Within each of these 14 “families,” DFARS establishes extensive and detailed requirements for federal defense contractors. But some of the requirements are also quite broad in scope (i.e., “Control the flow of CUI in accordance with approved authorizations”). As a result, understanding defense contractors’ obligations can be difficult on its own, and addressing these obligations effectively can prove extremely challenging without a clear understanding of what is required.
Here are some examples of federal defense contractors’ obligations under each of the 14 DFARS “families”:
1. Access Controls
Basic Security Requirements
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Derived Security Requirements
- Control the flow of CUI in accordance with approved authorizations.
- Separate duties of individuals to reduce the risk of malevolent activity without collusion.
- Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
2. Audit and Accountability
Basic Security Requirements
- Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
- Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Derived Security Requirements
- Provide audit reduction and report generation to support on-demand analysis and reporting.
- Protect audit information and audit tools from unauthorized access, modification, and deletion.
- Limit management of audit functionality to a subset of privileged users.
3. Awareness and Training
Basic Security Requirements
- Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
- Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Derived Security Requirements
- Provide security awareness training on recognizing and reporting potential indicators of insider threat.
4. Configuration Management
Basic Security Requirements
- Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- Establish and enforce security configuration settings for information technology products employed in organizational information systems.
Derived Security Requirements
- Track, review, approve/disapprove, and audit changes to information systems.
- Analyze the security impact of changes prior to implementation.
- Control and monitor user-installed software.
5. Identification and Authentication
Basic Security Requirements
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Derived Security Requirements
- Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
- Prevent reuse of identifiers for a defined period.
- Store and transmit only encrypted representation of passwords.
6. Incident Response
Basic Security Requirements
- Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
- Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Derived Security Requirements
- Test the organizational incident response capability.
7. Maintenance
Basic Security Requirements
- Perform maintenance on organizational information systems.
- Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Derived Security Requirements
- Ensure equipment removed for off-site maintenance is sanitized of any CUI.
- Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
- Supervise the maintenance activities of maintenance personnel without required access authorization.
8. Media Protection
Basic Security Requirements
- Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
- Limit access to CUI on information system media to authorized users.
Derived Security Requirements
- Mark media with necessary CUI markings and distribution limitations.
- Control the use of removable media on information system components.
- Protect the confidentiality of backup CUI at storage locations.
9. Personnel Security
Basic Security Requirements
- Screen individuals prior to authorizing access to information systems containing CUI.
- Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
10. Physical Protection
Basic Security Requirements
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Protect and monitor the physical facility and support infrastructure for those information systems.
Derived Security Requirements
- Escort visitors and monitor visitor activity.
- Maintain audit logs of physical access.
- Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
11. Risk Assessment
Basic Security Requirements
- Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
Derived Security Requirements
- Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
- Remediate vulnerabilities in accordance with assessments of risk.
12. Security Assessment
Basic Security Requirements
- Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
- Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
13. System and Communications Protection
Basic Security Requirements
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Derived Security Requirements
- Separate user functionality from information system management functionality.
- Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
- Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
14. System and Information Integrity
Basic Security Requirements
- Identify, report, and correct information and information system flaws in a timely manner.
- Monitor information system security alerts and advisories and take appropriate actions in response.
Derived Security Requirements
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
- Identify unauthorized use of the information system.
FAQs: DFARS Compliance for Federal Defense Contractors
How can federal defense contractors establish (and maintain) DFARS compliance?
With DFARS’ extensive technical, organizational, and physical security requirements, establishing compliance is not easy. Defense contractors must ensure that they have a comprehensive understanding of their obligations, and they must commit themselves to doing what is necessary to comply. For defense contractors that are not DFARS-compliant, implementing an effective compliance program starts with conducting an in-depth assessment of their current security protocols and seeing how they stack up against the DFARS requirements.
What are the core components of an effective DFARS compliance program?
While all defense contractors need to implement custom DFARS compliance programs, the core components of most contractors’ programs will be similar. These include comprehensive compliance documentation, DFARS compliance program implementation and training, compliance monitoring and auditing, and compliance enforcement.
Are all defense contractors subject to the same DFARS requirements regardless of size?
While all defense contractors are generally subject to the same DFARS requirements, the steps contractors must take to meet these requirements will vary based on their size and financial resources. As a result, what is required of one defense contractor will not necessarily be required of another, and what is sufficient for one contractor might be insufficient for its larger competitors.
What are the risks of DFARS noncompliance?
The risks of DFARS noncompliance can be substantial. Defense contractors found in noncompliance can lose their contracts with the DOD, and individuals who are responsible for a contractor’s compliance failures can potentially face civil or criminal penalties. If a compliance failure leads to an intrusion that threatens national security, the consequences can be far more severe.
Do I need to engage an outside consulting firm for DFARS compliance?
Because of the complexity and challenges of DFARS compliance, most defense contractors will need to engage an outside consulting firm to assist them. With our consultants’ prior experience at the DOD OIG and other federal agencies and offices (including the DOJ and FBI), we are uniquely positioned to help our clients meet their obligations under DFARS.
Speak with a Senior DFARS Compliance Consultant Today
If you would like to know more about how our former federal agents help defense contractors with DFARS compliance, we encourage you to get in touch. Please call 866-352-9324 or inquire online to schedule a complimentary (and completely confidential) consultation.