What is DFARS?

The Defense Federal Acquisition Regulation Supplement, or DFARS, was established to better protect Controlled Unclassified Information (CUI) handled by government departments and agencies, specifically the Department of Defense (DoD), and their third-party partners.

Before DFARS, the White House issued an Executive Order, EO 13556, in November of 2010 to implement a uniform procedure for both civilian and defense agencies to safely manage CUI.

According to EO 13556, “At present, executive departments and agencies employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves the privacy, security, proprietary business interests, and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies and created impediments to authorized information sharing.”


In addition to EO 13556, NIST SP 800-171 supplies the security requirements that third-party contractors working with the DoD must meet under DFARS 252.204-7012, the clause that sets out how sensitive government information is to be safeguarded.

Any contractor that works with the DoD is required to comply with DFARS or risk the penalties of non-compliance. It is therefore essential that any contractor interested in pursuing DoD contracts understands the DFARS compliance requirements and how to meet and maintain them.

DFARS Qualifying Countries

Currently, 26 countries are listed as qualifying countries under DFARS 225.872-1. These countries are:

  • Australia
  • Belgium
  • Canada
  • Czech Republic
  • Denmark
  • Egypt
  • Estonia
  • Federal Republic of Germany
  • Finland
  • France
  • Greece
  • Israel
  • Italy
  • Japan
  • Latvia
  • Luxembourg
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Turkey
  • United Kingdom of Great Britain and Northern Ireland


In addition to the above, DFARS 225.872-1 allows DoD contractors to purchase from Austria on a “purchase-by-purchase basis,” as determined under DFARS 225.872-4.

The 14 Security Requirements of NIST 800-171

1. Access Control 

This requirement addresses who has access to what information. The basic security requirements are limiting system access to authorized users (3.1.1) and limiting access to specific types of transactions and functions to the personnel permitted to execute them (3.1.2).

The derived security requirements, drawn from NIST 800-53, add an extensive list of 20 further controls, including controlling the flow of CUI in accordance with approved authorizations (3.1.3), privacy and security notices (3.1.9), and remote access standards (3.1.12, 3.1.13, 3.1.14, 3.1.15).

For the full list of Access Control security requirements and detailed descriptions, read pages 69-75 of the NIST 800-171 publication.

2. Awareness and Training

NIST 800-171 3.2.1 explains that this requirement “ensures that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.”

The basic and derived requirements call for training so that employees understand their roles and responsibilities in protecting CUI and know how to use the system securely (3.2.2).

For the full list of Awareness and Training security requirements and detailed descriptions, read page 76 of the NIST 800-171 publication.

3. Audit and Accountability 

The basic requirement is that organizations create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity (3.3.1).

Additional security requirements include ensuring that the actions of individual system users can be uniquely traced to those users (3.3.2), alerting in the event of an audit logging process failure (3.3.4), protecting audit information and audit logging tools from unauthorized access, modification, and deletion (3.3.8), limiting management of audit logging functionality to a subset of privileged users (3.3.9), and more.

For the full list of Audit and Accountability security requirements and detailed descriptions, read pages 77-79 of the NIST 800-171 publication.
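The following is an added example, not code from the original article or from Conquest Cyber, showing what the Audit and Accountability requirements above look like when implemented rather than described. Each audit record is hash-chained to its predecessor, so a later edit or deletion of any record is detectable on verification (in the spirit of 3.3.8); every record names the acting user, so one person's activity can be traced in order (3.3.2); and a failure to write a record to the durable store raises an alert instead of being silently dropped (3.3.4). The users, hosts, timestamps, file paths and the `sink` callable are all constructed for the example.

```python
"""Tamper-evident, per-user traceable audit trail (added example; sample data is constructed)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

GENESIS_HASH = "0" * 64
RECORD_FIELDS = ("seq", "timestamp", "user", "action", "target", "outcome")


def record_digest(prev_hash: str, record: Dict[str, object]) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON encoding of this record."""
    canonical = json.dumps({k: record[k] for k in RECORD_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


@dataclass
class AuditTrail:
    # sink stands in for the durable, access-controlled store (3.3.8); None means in-memory only
    sink: Optional[Callable[[dict], None]] = None
    entries: List[dict] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def append(self, timestamp: str, user: str, action: str, target: str, outcome: str) -> Optional[dict]:
        """Append one record linked to the previous one; return None (and alert) if the write fails."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        record = {"seq": len(self.entries), "timestamp": timestamp, "user": user,
                  "action": action, "target": target, "outcome": outcome}
        entry = dict(record, prev_hash=prev, hash=record_digest(prev, record))
        try:
            if self.sink is not None:
                self.sink(entry)
        except OSError as exc:
            # 3.3.4: an audit logging failure must produce an alert, not pass silently
            self.alerts.append(f"audit write failed for seq {record['seq']}: {exc}")
            return None
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the seq of the first broken link, or None if the whole chain is intact."""
        prev = GENESIS_HASH
        for expected_seq, entry in enumerate(self.entries):
            if (entry["seq"] != expected_seq or entry["prev_hash"] != prev
                    or entry["hash"] != record_digest(prev, entry)):
                return expected_seq
            prev = entry["hash"]
        return None

    def trace_user(self, user: str) -> List[dict]:
        """3.3.2: every recorded action attributable to one user, in recorded order."""
        return [e for e in self.entries if e["user"] == user]

    def unauthorized_activity(self) -> List[dict]:
        """3.3.1: the denied actions an investigator would want to report on."""
        return [e for e in self.entries if e["outcome"] == "denied"]


def build_sample_trail() -> AuditTrail:
    """Constructed sample: one user reads a CUI file, another is denied."""
    trail = AuditTrail()
    trail.append("2024-05-01T09:00:00Z", "jdoe", "login", "fileserver-01", "success")
    trail.append("2024-05-01T09:02:10Z", "jdoe", "read", "/cui/contract-42.pdf", "success")
    trail.append("2024-05-01T09:05:33Z", "asmith", "read", "/cui/contract-42.pdf", "denied")
    trail.append("2024-05-01T09:06:01Z", "jdoe", "logout", "fileserver-01", "success")
    return trail


def tamper_and_check(trail: AuditTrail) -> Optional[int]:
    """Simulate an after-the-fact edit of the denied-access record; verify() must flag it."""
    trail.entries[2]["outcome"] = "success"
    return trail.verify()


if __name__ == "__main__":
    sample = build_sample_trail()
    print("chain intact:", sample.verify() is None)
    print("jdoe actions:", [e["action"] for e in sample.trace_user("jdoe")])
    print("first broken seq after tampering:", tamper_and_check(sample))
```

The chain only proves that nothing was altered after the fact; it does not stop an administrator from deleting the whole file, which is why 3.3.8 and 3.3.9 pair integrity with access restriction on the audit store itself.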


4. Configuration Management 

The basis of this requirement is to establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles (3.4.1). 

Configuration management also requires that organizations track, review, approve or disapprove, and log changes to organizational systems (3.4.3), analyze the security impact of changes prior to implementation (3.4.4), and control and monitor user-installed software (3.4.9).

For the full list of Configuration Management security requirements and detailed descriptions, read pages 80-83 of the NIST 800-171 publication.
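As an added example (not code from the original article or from Conquest Cyber), here is the mechanical core of the Configuration Management requirements above: a baseline inventory of hardware, software and firmware versions (3.4.1) is compared against the current state, each drift is matched against a list of approved change records (3.4.3), rated for impact by whether the host sits inside the CUI boundary (3.4.4), and anything unapproved, such as user-installed software (3.4.9), is surfaced for review. The hosts, versions, approved-change list and boundary set are all constructed sample data; real deployments would feed these from an asset inventory and a change-management system.

```python
"""Baseline-inventory drift detection with approval and impact tagging (added example; data is constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# host -> component -> version string; hardware, software and firmware are all treated alike
Inventory = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Change:
    host: str
    component: str
    old: Optional[str]   # None when the component was absent from the baseline
    new: Optional[str]   # None when the component has been removed


def diff_inventory(baseline: Inventory, current: Inventory) -> List[Change]:
    """3.4.1: every component whose version differs between the baseline and the current state."""
    changes: List[Change] = []
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        for component in sorted(set(before) | set(after)):
            if before.get(component) != after.get(component):
                changes.append(Change(host, component, before.get(component), after.get(component)))
    return changes


def assess_impact(change: Change, cui_boundary: Set[str]) -> str:
    """3.4.4: a deliberately simple rating; any drift on a host inside the CUI boundary is high impact."""
    return "high" if change.host in cui_boundary else "low"


def review_changes(changes: List[Change], approved: Set[Change], cui_boundary: Set[str]) -> List[dict]:
    """3.4.3 / 3.4.9: tag each drift as approved or unapproved and attach its impact rating."""
    return [{"change": c,
             "status": "approved" if c in approved else "unapproved",
             "impact": assess_impact(c, cui_boundary)} for c in changes]


def unapproved(report: List[dict]) -> List[dict]:
    """The rows a configuration control board has to act on."""
    return [row for row in report if row["status"] == "unapproved"]


# ---- constructed sample data ----
BASELINE: Inventory = {
    "fileserver-01": {"os": "ubuntu-22.04", "openssh": "9.6p1", "bios": "1.14"},
    "workstation-07": {"os": "windows-11-23H2", "office": "16.0.17328"},
}
CURRENT: Inventory = {
    "fileserver-01": {"os": "ubuntu-22.04", "openssh": "9.7p1", "bios": "1.14"},
    "workstation-07": {"os": "windows-11-23H2", "office": "16.0.17328",
                       "pdf-converter-trial": "3.2"},      # user-installed, never approved
    "lab-printer": {"firmware": "2.0"},                     # device missing from the baseline
}
APPROVED: Set[Change] = {Change("fileserver-01", "openssh", "9.6p1", "9.7p1")}  # logged change ticket
CUI_BOUNDARY: Set[str] = {"fileserver-01", "workstation-07"}


def run_review() -> List[dict]:
    return review_changes(diff_inventory(BASELINE, CURRENT), APPROVED, CUI_BOUNDARY)


if __name__ == "__main__":
    for row in run_review():
        c = row["change"]
        print(f"{row['status']:10} {row['impact']:4} {c.host}/{c.component}: {c.old} -> {c.new}")
```

Running it lists three drifts: the OpenSSH upgrade is matched to its approval record, the trial PDF converter on the CUI workstation is flagged unapproved and high impact, and the printer that appears with no baseline entry is flagged unapproved but low impact because it is outside the boundary.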


5. Identification and Authentication

To adhere to this requirement, organizations must identify all system users, processes acting on behalf of a user, and devices (3.5.1). To do this, organizations should verify all users’ identities, processes, and devices as a prerequisite for accessing systems (3.5.2). 

Advanced requirements include multi-factor authentication (3.5.3), which NIST 800-171 defines as “requiring two or more different factors to achieve authentication. The factors include something you know (e.g., password/PIN); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).”

For the full list of Identification and Authentication security requirements and detailed descriptions, read pages 84-86 of the NIST 800-171 publication.

6. Incident Response 

This requirement ensures that organizations have established an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities (3.6.1).  

Compliant organizations should be able to track, document, and report incidents to designated officials, both internal and external to the organization (3.6.2), and test incident response capabilities (3.6.3). 

For the full list of Incident Response security requirements and detailed descriptions, read pages 87-88 of the NIST 800-171 publication.

7. Maintenance

As a DoD contractor, organizations are expected to perform maintenance on all organizational systems (3.7.1). The requirement states that “In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising the confidentiality of that information.”

To further protect CUI, organizations should also supervise maintenance activities (3.7.6), require multi-factor authentication to establish non-local maintenance sessions (3.7.4), and ensure off-site maintenance equipment is cleared of any CUI (3.7.3).  

For the full list of Maintenance security requirements and detailed descriptions, read pages 89-90 of the NIST 800-171 publication.


8. Media Protection

Designed to protect system media containing CUI, both digital and physical (3.8.1), this requirement has organizations limit access to CUI on system media to authorized users (3.8.2) and sanitize or destroy media containing CUI before disposal or release for reuse (3.8.3).

Additional standards include, but are not limited to, prohibiting the use of portable storage devices that have no identifiable owner (3.8.8) and marking media with the necessary CUI markings and distribution limitations per the guidance in 32 CFR Part 2002 and the CUI Registry (3.8.4).

For the full list of Media Protection security requirements and detailed descriptions, read pages 91-93 of the NIST 800-171 publication.

9. Personnel Security  

Personnel Security requires organizations to screen individuals before authorizing access to systems containing CUI (3.9.1) and to ensure that CUI and the systems containing it remain protected during and after personnel actions such as terminations and transfers (3.9.2).

For the full list of Personnel Security requirements and detailed descriptions, read page 94 of the NIST 800-171 publication.

10. Physical Protection 

By limiting physical access to organizational systems, equipment, and the respective operating environments to authorized individuals (3.10.1), this requirement helps protect and monitor the physical facility and support infrastructure for organizational systems (3.10.2).

To adhere, organizations must escort visitors and monitor visitor activity (3.10.3), maintain audit logs of physical access (3.10.4), control and manage physical access devices (3.10.5), and enforce safeguarding measures for CUI at alternate work sites (3.10.6).

For the full list of Physical Protection security requirements and detailed descriptions, read pages 95-96 of the NIST 800-171 publication.

11. Risk Assessment 

To mitigate risk, organizations should “periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.” (3.11.1) 

This involves scanning for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting them are identified (3.11.2), and remediating vulnerabilities in accordance with risk assessments (3.11.3).

For the full list of Risk Assessment security requirements and detailed descriptions, read pages 97-98 of the NIST 800-171 publication.

12. Security Assessment 

To determine the effectiveness of controls in applications, defense organizations should periodically assess security controls in organizational systems (3.12.1) and develop plans to correct deficiencies and eliminate vulnerabilities (3.12.2). 

According to NIST, one way this can be addressed is by “developing, documenting, and periodically updating system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.” (3.12.4)

For the full list of Security Assessment security requirements and detailed descriptions, read pages 99-100 of the NIST 800-171 publication.

13. System and Communications Protection 

Designed to monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) (3.13.1), this requirement employs architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems (3.13.2).

To protect internal and external communications, organizations must prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating with external networks, i.e., split tunneling (3.13.7), separate user functionality from system management functionality (3.13.3), prevent unauthorized and unintended information transfer via shared system resources (3.13.4), and more.

For the full list of System and Communications Protection security requirements and detailed descriptions, read pages 101-105 of the NIST 800-171 publication.

14. System and Information Integrity 

To maintain information integrity, defense organizations must be able to identify, report, and correct system flaws promptly (3.14.1), as well as provide proven protection from malicious code (3.14.2) while monitoring system activity for security alerts and advisories (3.14.3). 

Routine updates to malicious code protection mechanisms when new releases are available (3.14.4), periodic scans of systems and real-time scans of files from external sources (3.14.5), and monitoring of inbound and outbound communications traffic (3.14.6) are a few of the standards organizations must implement to adhere to the DFARS information integrity requirements.

For the full list of System and Information Integrity security requirements and detailed descriptions, read pages 106-108 of the NIST 800-171 publication.
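To make the periodic-scan requirement above concrete, here is an added example (not code from the original article or from Conquest Cyber) of a file-integrity scan of the kind 3.14.5 asks for, combined with a known-bad hash lookup standing in for the malicious code protection of 3.14.2: a hashed baseline of a directory tree is taken, and a later scan reports files that were added, removed or modified since, and any file whose hash appears on a block list. The directory contents, the configuration text and the "known-bad" hash set are all constructed inside a temporary directory so the example runs offline; in practice the block list would come from a threat-intelligence or antivirus signature feed, and the baseline would be stored somewhere the scanned hosts cannot write to.

```python
"""Hashed-baseline file integrity scan with a known-bad hash check (added example; data is constructed)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Set

Snapshot = Dict[str, str]   # relative POSIX path -> SHA-256 hex digest


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Snapshot:
    """Hash every regular file under root; this is the baseline (or the current state) for 3.14.5."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(baseline: Snapshot, current: Snapshot, known_bad: Set[str]) -> Dict[str, List[str]]:
    """Compare two snapshots and flag drift plus any file matching a known-bad hash (3.14.2)."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "modified": [], "malicious": []}
    for rel in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rel), current.get(rel)
        if before is None:
            report["added"].append(rel)
        elif after is None:
            report["removed"].append(rel)
        elif before != after:
            report["modified"].append(rel)
        if after is not None and after in known_bad:
            report["malicious"].append(rel)
    return report


def run_demo_scan() -> Dict[str, List[str]]:
    """Build a tiny constructed tree, baseline it, change it, and scan; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder-binary")
        baseline = snapshot(root)

        # Simulated drift since the baseline: a config edit, a removed binary, a new script.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "tool").unlink()
        (root / "tmp").mkdir()
        sample_script = b"echo constructed-sample\n"
        (root / "tmp" / "unexpected.sh").write_bytes(sample_script)

        # Constructed block list: we pretend the sample script's hash is a known-bad signature.
        known_bad = {hashlib.sha256(sample_script).hexdigest()}
        return scan(baseline, snapshot(root), known_bad)


if __name__ == "__main__":
    for category, paths in run_demo_scan().items():
        print(f"{category:9} {paths}")
```

Hash comparison catches any byte-level change but says nothing about whether a change was authorized; pairing this report with the approved-change records from the Configuration Management section is what turns "modified" into either "expected" or "investigate".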


Manage DFARS Compliance with a Managed Security Services Provider

According to NIST, all DoD contractors that process, store, or transmit CUI must meet the DFARS minimum security standards or risk losing their DoD contracts. As the above shows, DFARS compliance is a complex, continually evolving process. Yet it is essential to unlocking revenue-boosting contracts with the DoD.

To satisfy DFARS compliance requirements, NIST 800-171 states that non-federal organizations can implement security solutions either in-house or through an experienced managed security services provider (MSSP).

Learn more: How MSSPs Help Defense Contractors Meet DFARS Requirements

Navigate DFARS Compliance with Conquest Cyber

The nature of defense and government-related industries creates prime targets for cyber-attacks, breaches, and information and identity theft. That’s why defense contractors trust Conquest Cyber as their MSSP, leveraging our distinctly qualified cybersecurity specialists to meet strict regulations and requirements for CUI, ITAR, CMMC, and DFARS Compliance.

With Conquest Cyber managed security services and A.R.M.E.D.™ software, organizations in highly regulated industries unlock business potential in the cloud while still meeting DFARS compliance for: 

  • Data security
  • Privacy
  • Regulatory compliance
  • Auditing
  • Risk Management, and more.

Connect with Conquest Cyber today to request an ARMED demo and discover how it can overcome the challenges of navigating DFARS compliance.


Sources:

  1. https://www.acquisition.gov/dfars
  2. https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information
  3. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-171.pdf
  4. https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
  5. https://www.acquisition.gov/dfars/225.872-1-general.
  6. https://www.acquisition.gov/dfars/225.872-4-individual-determinations.#DFARS-225.872-4
  7. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
  8. https://nvd.nist.gov/800-53
  9. https://www.govinfo.gov/content/pkg/CFR-2017-title32-vol6/pdf/CFR-2017-title32-vol6-part2002.pdf
  10. https://www.archives.gov/cui/registry/category-list
  11. https://www.nist.gov/mep/cybersecurity-resources-manufacturers/dfars-compliance