Are You Prepared For Upcoming DOD Requirements?
Is Your Business Prepared for the Upcoming DoD Requirements?
If you’re a contractor or even a vendor of the Department of Defense (DoD), you’re affected by the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. This is a cyber clause called “Safeguarding Covered Defense Information and Cyber Incident Reporting” which goes into effect on December 31, 2017.
The goal of this cyber clause is to protect covered defense information (CDI), which applies to nearly all potentially sensitive nonpublic information. Based on this clause, you’re required to have adequate security measures in place before the deadline.
Is your business prepared for these upcoming requirements? Here’s what needs to happen before the deadline.
Operating as an IT Service or System for the Government
If you provide IT services or operate as an IT system for the government, any cloud computing services need to be in accordance with cyber clause 252.239-7010, titled “Cloud Computing Services.” If you’re not part of an IT service or system, you’ll still be required to implement security requirements under National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Revision 1, better known as NIST SP 800-171.
This cyber clause, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, outlines the requirements that need to be in place by December 31, 2017. If your contract was awarded before October 1, 2017, you need to notify DoD Chief Information Officer (CIO) within 30 days of your contract award of any security requirements that have not been implemented at the time of your award.
Based on the DFARS cyber clause, any company that has access to or transmits CDI must address their compliance in numerous areas in order to meet the new security objectives.
The Areas That Need to Be Addressed
If you’re a company directly impacted by DFARS 252.204-7012, your information systems that contain any CDI need to be in compliance with NIST SP 800-171 Revision 1. This cyber clause outlines 14 different areas that need to be assessed in order to meet the mandatory security regulations.
These areas include:
- Access Control. Limit access to CDI to authorized users or devices.
- Awareness and Training. Ensure that users of your information systems are aware of security risks and properly trained to carry out duties.
- Audit and Accountability. Ensure actions of users can be appropriately traced; create audit records to appropriately monitor and investigate information system activity.
- Configuration Management. Apply security configuration settings to the system.
- Identification and Authentication. Identify users and authenticate identity.
- Incident Response. Establish incident-handling protocol.
- Perform maintenance on the system.
- Media Protection. Protect system media containing CDI.
- Personnel Security. Properly screen individuals before allowing access.
- Physical Protection. Limit and monitor physical access.
- Risk Assessment. Assess risk to operations, individuals, and assets as needed.
- Security Assessment. Assess security controls to ensure efficacy.
- System and Communications Protection. Monitor and protect communications at the appropriate boundaries.
- System and Information Integrity. Identify and correct system information flaws; report in a timely manner.
In accordance with this cyber clause, you must also report any cyber security attack that impacts CDI within 72 hours.
What Your Next Steps Are
Unless you’re an IT company, you’ll likely need to work with an IT expert to implement these new security regulations. It’s imperative to determine whether your contract includes CDI as soon as possible so that you know whether or not the requirements affect you.
Once you determine the identified CDI, you can evaluate which steps to take for your compliance measures. To bring your entire system into compliance will be the costliest method, but it may also be the most necessary. In nearly every situation, compliance is going to be costly and will take time, but it’s imperative that you don’t incur the costs of non-compliance.
You can also establish segregated systems and ensure that your information system that contains CDI is compliant with the DFARS cyber clause. You may also choose to adapt your rates to account for the new cost of this compliance.
This cyber clause is intended to address vulnerabilities and reduce the chances of cyber attacks. Don’t risk your contract just because you can’t keep up with compliance demands. Your business can be prepared for the deadline by assessing and implementing security measures now with the help of security professionals!