The U.S. Department of Defense is one of the most significant agencies in the U.S., handling a vast amount of Controlled Unclassified Information (CUI). Since CUI is sensitive public-sector data, the U.S. DoD must safeguard its storage and dissemination according to the applicable law and federal policies. To strengthen the safeguards around CUI, the DoD published an interim rule in December 2015 requiring DoD contractors to meet certain cybersecurity requirements within two years.
Now, all DoD contractors, vendors, and subcontractors handling CUI must be DFARS compliant in order to bid on future DoD contracts or extend existing ones.
Since DFARS compliance requirements can be complex for a non-IT contractor, it’s best to gather as much information as possible about DFARS and its compliance requirements, or to hire an expert DFARS consultant.
What Does DFARS Compliance Entail?
According to the DFARS compliance standards, prime DoD contractors and subcontractors that process or handle controlled unclassified information must implement the data security controls specified in NIST SP 800-171. In addition, the contractor must have an established procedure for reporting data breaches should one occur. NIST SP 800-171 further emphasizes periodic assessment of I.T. infrastructure and security controls to protect controlled unclassified information.
Steps to Take to Be DFARS Compliant
If you are a DoD prime contractor, you must take every step needed to be DFARS-compliant. You must address and implement all 14 security requirement domains specified in NIST SP 800-171.
The following steps will help you get started with DFARS compliance.
- Conduct Internal Security and Risk Assessments
Controlled Unclassified Information is always on the radar of malicious hackers and cybercriminals. Moreover, a considerable amount of risk is involved in transmitting, processing, storing, and handling CUI. To fully protect CUI, contractors must assess their internal processes, I.T. infrastructure, and systems to ensure there are no internal loopholes that could endanger the data from within. An internal assessment will help you identify the system’s deficiencies and determine measures to correct them.
- Implement I.T. System and Physical Precautions
Monitoring, controlling, and protecting the internal I.T. systems and physical facilities that hold CUI is critical to effective data security. This requires a multi-layered approach. Some of the basic measures contractors can take to ensure complete information security are:
- Limit physical access to CUI;
- Prevent unverified transfers of data;
- Segregate internal networks from public systems;
- Encrypt communications.
- Execute Identification, Authentication, and Access Controls
Another step a contractor can take to prepare for DFARS compliance is registering and managing every device that accesses your I.T. systems and data. Ensure each user is allowed to access only the data they require to perform their job.
Identifying, tracking, and authenticating users and devices is another essential control that brings you one step closer to DFARS compliance. Ensure you identify and track each device that accesses your data using proper data security protocols. Some ways to achieve this are:
- Implementing two-factor authentication;
- Requiring password complexity;
- Automatically logging out users after a set period of inactivity;
- Barring reuse of old passwords.