What is DFARS?
Understand DFARS and How to Handle Controlled Unclassified Information in accordance with NIST 800-171
The Defense Federal Acquisition Regulation Supplement, or DFARS, was established to protect Controlled Unclassified Information (CUI) handled by government departments and agencies, specifically the Department of Defense (DoD) and third-party partners. Before DFARS, the White House issued an Executive Order, EO 13556, in November of 2010 to implement a uniform procedure for civilian and defense agencies to safely manage CUI.
According to EO 13556:
“At present, executive departments and agencies employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves the privacy, security, proprietary business interests, and law enforcement investigations.
This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies and created impediments to authorized information sharing.”
In addition to EO 13556, NIST 800-171 further ensured that third-party contractors working with the DoD adhered to DFARS 252.204-7012, which laid out the requirements for safely handling sensitive government information.
Any contractor who works with the DoD is required to comply with DFARS or risk being subject to the penalties of non-compliance. Therefore, any contractor interested in pursuing DoD contracts must understand DFARS compliance requirements and meet and maintain them.
DFARS Qualifying Countries
Currently, there are 26 countries that are considered DFARS compliant, as laid out by DFARS 225.872-1. These countries include:
In addition, DFARS 225.872-1 allows DoD contractors to purchase from Austria on a “purchase-by-purchase basis,” as determined by DFARS 225.872-4.
The 14 Security Requirements of NIST 800-171
1. Access Control
This requirement addresses who has access to what information. Basic security requirements include limiting system access to only authorized users (3.1.1) or restricting access to specific system functions to the appropriate personnel (3.1.2).
Derived security requirements from NIST 800-53 include an extensive list of 20 protocols, including privacy and security notices (3.1.9) and remote access standards (3.1.12, 3.1.13, 3.14, 3.1.15), controlling the flow of CUI with approved authorizations (3.1.3).
For the complete list of Access Control security requirements and detailed descriptions, read pages 69-75 of NIST 800-171 publication.
2. Awareness and Training
NIST 800-171 3.2.1 explains that this requirement “ensures that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.”
Primary and derived security procedures include training procedures for employees to understand their role and responsibilities in protecting CUI and how to use the system in a secure manner (3.2.2).
For the complete list of Awareness and Training security requirements and detailed descriptions, read pages 76 of NIST 800-171 publication.
3. Audit and Accountability
Basic requirements ensure that organizations create and retain extensive audit logs and records to enable monitoring, analysis, investigation, and reporting in the event of unlawful or unauthorized system activity (3.3.1).
Additional security requirements include protocols for tracing individual system user activity (3.3.2), robust alert functionalities (3.3.4), secure storage of audit and reporting information (3.3.8), authorized access to audit information (3.3.9), and more.
Read the full list of Audit and Accountability security requirements and detailed descriptions, read pages 77-79 of NIST 800-171 publication.
4. Configuration Management
The basis of this requirement is to establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles (3.4.1).
Configuration management also requires that organizations can track, review, approve/disapprove, and log changes to organizational systems (3.4.3), analyze the impact of system changes (3.4.4), and control and monitor user-installed software (3.4.9).
For the full list of Configuration Management security requirements and detailed descriptions, read pages 80-83 of NIST 800-171 publication.
5. Identification and Authentication
To adhere to this requirement, organizations must identify all system users, processes acting on behalf of a user, and devices (3.5.1). To do this, organizations should verify all users’ identities, processes, and devices as a prerequisite for accessing systems (3.5.2).
Advanced requirements include multi-factor authentication (3.5.3), which NIST 800-171 defines as “requiring two or more different factors to achieve authentication. The factors include Something you know (e.g., password/PIN); Something you have (e.g., cryptographic identification device, token); or Something you are (e.g., biometric)”
For the complete list of Identification and Authentication security requirements and detailed descriptions, read pages 84-86 of NIST 800-171 publication.
6. Incident Response
This requirement ensures that organizations have established an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities (3.6.1).
Compliant organizations should track, document, and report incidents to designated officials, both internal and external to the organization (3.6.2), and test incident response capabilities (3.6.3).
For the complete list of Incident Response security requirements and detailed descriptions, read pages 87-88 of NIST 800-171 publication.
As a DoD contractor, organizations are expected to perform maintenance on all organizational systems (3.7.1). The requirement states that “In general, system maintenance requirements tend to support the security objective of availability.
However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising the confidentiality of that information.”
To further protect CUI, organizations should also supervise maintenance activities (3.7.6), require multi-factor authentication to establish non-local maintenance sessions (3.7.4), and ensure off-site maintenance equipment is cleared of any CUI (3.7.3).
For the complete list of Maintenance security requirements and detailed descriptions, read pages 89-90 of NIST 800-171 publication.
8. Media Protection
Designed to protect system media, both digital and physical, containing CUI (3.8.1), this requirement helps organizations limit access to CUI to authorized users (3.8.2) and ensures organizations clean or destroy media containing CUI before disposal or reuse (3.8.3).
Additional standards include, but are not limited to, prohibiting the use of portable storage devices when they have no identifiable owner (3.8.8) and labeling media as CUI per the marking guidance in the 32 CFR, Part 2002, and the CUI Registry (3.8.4).
For the full list of Media Protection security requirements and detailed descriptions, read pages 91-93 of NIST 800-171 publication.
9. Personnel Security
Personnel Security requires organizations to screen individuals before authorizing access to systems containing CUI. This ensures CUI is protected during and after personnel actions such as a termination or transfer. (3.9.1 and 3.9.2)
For the complete list of Personnel Security requirements and detailed descriptions, read pages 94 of NIST 800-171 publication.
10. Physical Protection
By limiting physical access to organizational systems, equipment, and the respective operating environments to authorized individuals (3.9.1), this requirement helps protect and monitor the physical facility and support infrastructure for organizational systems (3.9.2).
To adhere, this requires organizations to monitor visitor activity (3.10.3), maintain extensive audit logs of physical access (3.10.4), enforcing CUI safeguards at alternative worksites (3.10.6), and controlling physical access devices (3.10.5)
For the complete list of Physical Protection security requirements and detailed descriptions, read pages 95-96 of NIST 800-171 publication.
11. Risk Assessment
To mitigate risk, organizations should “periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.” (3.11.1)
This can involve routine scans for vulnerabilities in systems and applications, ensuring remediation strategies are in place when vulnerabilities are detected. (3.11.2, 3.11.3)
For the complete list of Risk Assessment security requirements and detailed descriptions, read pages 97-98 of NIST 800-171 publication.
12. Security Assessment
To determine the effectiveness of controls in applications, defense organizations should periodically assess security controls in organizational systems (3.12.1) and develop plans to correct deficiencies and eliminate vulnerabilities (3.12.2).
According to NIST, one way this can be addressed is by “developing, documenting, and periodically updating system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.” (3.12.4)
For the full list of Security Assessment security requirements and detailed descriptions, read pages 99-100 of NIST 800-171 publication.
13. System and Communications Protection
Designed to monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) (3.13.1), this requirement employs architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems (3.13.2).
To protect internal and external communications, organizations must prevent remote devices from establishing non-remote connections with systems (3.13.7), separate user functionality from system management functionality (3.13.3), prevent unauthorized and unintended information transfer via shared system resources (3.13.4), and more.
For the full list of System and Communications Protection security requirements and detailed descriptions, read pages 101-105 of NIST 800-171 publication.
14. System and Information Integrity
To maintain information integrity, defense organizations must be able to identify, report, and correct system flaws promptly (3.14.1), as well as provide proven protection from malicious code (3.14.2) while monitoring system activity for security alerts and advisories (3.14.3).
Routine updates to malicious code protection (3.14.4), periodic scans of systems and real-time scans of files (3.14.5), and inbound and outbound traffic monitoring (3.14.5) are a few standards organizations must implement to adhere to DFARS compliance information integrity requirements.
For the complete list of System and Information Integrity security requirements and detailed descriptions, read pages 106-108 of NIST 800-171 publication.
ARMED™ Cyber Risk Management Software
- Data security
- Regulatory compliance
- Risk Management, and more.
Connect with Conquest Cyber today to request an ARMED demo and discover how it can overcome the challenges of navigating DFARS compliance.
Conquest’s proprietary cyber risk management software, ARMED ATK, allows organizations in highly regulated industries to effectively manage and monitor cybersecurity efforts in accordance with industry compliance requirements.
This enables security professionals to make data-backed decisions based on real-time visibility of security controls, events, and levels of service.
ARMED ATK enables radical operational transparency, providing mission-critical data that is centrally available and easily consumable for key stakeholders and technical teams alike.