DFARS Cybersecurity Team Lead – Timothy E. Allen | Former Special Agent (U.S. Secret Service & DOJ-OIG)
Companies that contract with the U.S. Department of Defense (DoD) take on huge responsibilities for cybersecurity. They will be handling some of the most sensitive information in the world that, even if it is not considered classified, is still a target for cybersecurity attacks from other governments.
Because of the potential for a catastrophic leak of information, the DoD requires all of its contractors to take substantial steps to tighten up their cybersecurity. In December 2015, the agency published a supplement to its Federal Acquisition Regulations (FAR) called the Defense Acquisition Federal Regulation Supplement (DFARS). Contained in Title 48, Chapter 2 of the Code of Federal Regulations (CFR), DFARS lays out the steps that federal DoD contractors have to take in order to protect against cybersecurity invasions, as well as what to do if an attack is identified. It also includes penalties for failing to comply with the procedure.
Importantly, those penalties are levied against your company, even if you have hired a DFARS contractor or consultant to bring your business into compliance. Hiring the right people to ensure that you are in compliance with the DoD’s strict requirements is critical.
The DFARS consultants at Corporate Investigation Consulting provide the experience that you need to protect your company from liability while you perform your obligations to the country under your contract with the Department of Defense.
Put our highly experienced team on your side
Roger Bach
Former Special Agent (OIG)
Timothy E. Allen
Former Senior Special Agent U.S. Secret Service
Chris J. Quick
Former Special Agent (FBI & IRS-CI)
Maura Kelley
Former Special Agent (FBI)
Ray Yuen
Former Supervisory Special Agent (FBI)
Michael S. Koslow
Former Supervisory Special Agent (DOD-OIG)
Marquis D. Pickett
Special Agent U.S. Secret Service (ret.)
The Critical Role of Cybersecurity for DoD Contractors, Today
Never before has cybersecurity been so important. Governments for some of the most powerful countries in the world have adopted cyberattacks as a fundamental aspect of their diplomacy and international strategy. They have used cyberwarfare to pressure allies into complying with their demands and to make their non-allies stay up at night.
As soon as you sign a contract with the United States Department of Defense, you step onto that playing field. If your company was not a potential target for cyberattacks from other countries before, it will be one, now. Especially in the early stages of your contract with the DoD, you can be a target for these hacks, as nefarious parties try to catch you unprepared for the realities of the international defense world and aim to exploit your position as the new link in the DoD’s chain of defense.
Failing to get your cyberdefenses up quickly enough can imperil your new and likely lucrative contract with the DoD. It can also pose a national security risk, which can bring bad press and ruin your company’s reputation in addition to putting the country into danger.
DFARS Requires Strict Cybersecurity Measures
To be compliant with the DFARS regulations, your company has to meet all of the requirements created by the National Institute of Standards and Technology (NIST). These requirements are published in NIST Special Publication 800-171 (NIST SP 800-171) and regularly get updated by the agency. The current version was released in February 2020, and includes updates through January 28, 2021. The currentness of these requirements can be checked on the NIST’s website, which lists old versions and includes details about its current effectiveness.
In the grand scheme of the regulations, the two big picture goals are to:
- Create adequate security mechanisms to protect DoD information that is stored or that passes through your company’s computers
- Quickly report any cybersecurity incidents that may have compromised that data
To do this, NIST SP 800-171 creates 14 “families” of “recommended security requirements.” They deal with:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
Each of these “recommended requirements” gets very technical, very quickly, and each one has numerous elements or facets to take into account in order to become fully compliant. Worse, the DoD’s expectations have to change as cybersecurity evolves. This forces contractors to constantly update their practices and compliance protocols.
Contractors are Liable for Any Compliance Failures
In order to ensure adequate compliance, the DoD audits the cybersecurity measures taken by its contractors. If your company is found to be out of compliance, you will likely receive a stop-work order from the agency. All of your performance and payments under the contract will be halted immediately. In order to resume, you will have to implement measures that bring your company back into DFARS compliance to insulate the sensitive information passing through your company’s computers.
In the worst case scenarios, the DoD will pursue civil penalties for breach of contract and presenting false claims of reimbursement to the government. If these claims against your company are successful, you will have to reimburse the DoD for the costs of the contract breach and may be held liable for three times the amount that the agency paid you while you were out of DFARS compliance.
The DoD will also likely terminate your defense contract with the United States. News of this termination can become a huge blow to your company’s reputation, and will make it extremely difficult to secure a government contract in the future.
Importantly, these outcomes are possible regardless of whether you try to reach DFARS compliance in-house or if you hire a third party cybersecurity team or consultant group to do it for you. Even if you hire a third party contractor to conduct DFARS compliance, the DoD will still penalize your company for any issues that arise.
FAQs About DFARS Compliance Strategies and What Corporate Investigation Consulting Can Do for Your Company
Are There Benefits to Hiring an Outside Consultant Rather Than Pursuing DFARS Compliance On My Own?
Yes. Some DoD contractors see that they will still be held liable if their DFARS compliance consultant or contractor makes a mistake. They then reach the conclusion that this leaves them with little reason to hire one. However, these contractors quickly find that they will be reinventing the wheel in their attempts to reach compliance with all of the DFARS requirements.
DFARS consultants have an intimate understanding of what compliance means. When you hire experienced consultants, they will start by conducting a “gap analysis” to see where your company is falling short of the regulatory requirements. Any shortcomings will be addressed in a comprehensive remediation plan that is carefully tailored to your company. Once the remediation plan is completed, a DFARS consultation team will continue to monitor the cybersecurity system in order to report any potential attacks to the DoD and to keep it up-to-date with any changes in DoD compliance requirements.
These are all routine business activities for DFARS consultants, like those at Corporate Investigation Consulting.
How Can I Tell if My Company’s Cybersecurity is Adequate?
While maintaining compliance with the DoD’s and the NIST’s requirements is the baseline for whether your cybersecurity mechanisms are adequate, conducting internal audits is an important part of every cybersecurity initiative, especially those by DoD contractors that handle sensitive information. A key component of all cybersecurity audits is the penetration test, where hackers look for vulnerabilities in your defenses and let you know what they find. At Corporate Investigation Consulting, we also use internal audits of your cybersecurity programs to find problems that the penetration testing may have overlooked.
What Do I Do if There Has Been a Breach?
If you are a federal contractor with the DoD and you have found evidence of a cybersecurity breach, DFARS regulations require you to notify the Department of Defense within 72 hours of the discovery of the breach. That notification, however, has to include enough details for the DoD to ascertain the level of risk to the agency and to national security. The information that you have to provide is highly technical and must be provided extremely quickly. Many contractors who decide to do DFARS compliance on their own get tripped up at this point. Worse, the failure to adequately notify the DoD of a breach is itself considered a breach of DFARS protocol. If there has been a cybersecurity breach, you are likely to face some scrutiny from the agency as they try to determine if the breach was a result of your oversight. If you fail to adequately notify the DoD of the breach, you will also face repercussions for that DFARS violation, as well.
DFARS Consultants at Corporate Investigation Consulting
Many federal contractors quickly realize that reaching DFARS compliance in-house is a Herculean task. Hiring the right consultants, or Managed Security Service Providers (MSSPs), to make it work, though, is not easy.
The attorneys and cybersecurity consultants at Corporate Investigation Consulting have helped numerous DoD contractors reach a level of DFARS compliance that passes the agency’s audits with clean results. Our team of professionals have years of experience in representing federal government agencies like the DoD in conducting audits of contractors and rooting out signs of noncompliance. We can help ensure that your company reaches DFARS compliance, passes an audit, and insulates sensitive defense information from America’s competitors.
Call our team at (866) 352-9324 or contact us online.