Defense Federal Acquisition Regulation Supplement (DFARS)
The adequate safeguards required under DFARS are spelled out in the NIST security framework 800-171. That standard addresses 14 aspects of effective security, including:
- Risk assessment
- Configuration Management
- Maintenance
- System & information integrity
- Identification & Authentication
- Audit & accountability
The U.S. Department of Defense (DoD) manages its procurement needs through a rule called the Defense Federal Acquisition Regulation Supplement, or DFARS. One section of DFARS (Clause 252.204-7012) requires that all defense contractors maintain adequate security safeguards for any ‘controlled unclassified information’ (CUI) that either is stored in or transits through the contractor’s systems.
Contractors that use subcontractors for parts of their DoD contracts or that outsource some of their IT operations are still responsible for assuring DFARS compliance throughout their supply chain. That is, a defense contractor is responsible for the DFARS compliance (or the lack thereof) of its third parties.
The Defense Department does not certify that a contractor is DFARS compliant; nor will it recognize any third-party assessment or certification that a contractor is DFARS compliant. Rather, by signing a contract with the DoD, a company is agreeing that it will comply with DFARS.
A contractor that fails to meet DFARS standards can be barred from bidding on government contracts, lose contracts it currently has, or even face civil and criminal penalties in court.
The Role of Cybersecurity In DFARS
Controlled unclassified information can encompass a vast range of material: personal data, financial data, nuclear propulsion plans, accident information, budget estimates, whistleblower identities and much more. Any defense contractor possessing or processing any such information for the DoD will need to provide security protections as dictated by NIST 800-171.
The NIST standard expressly addresses several points about enterprise security. Among those points are configuration management and system maintenance, including software patches.
So an unauthenticated attack exploiting a misconfiguration or vulnerability in your mission-critical applications, which many organizations use to manage their supply chains with their partners, could allow malicious actors to manipulate underlying data without touching user applications or leaving an audit trail. Even with strong internal controls and audits at the infrastructure and database layers, security weaknesses at the application level can still leave CUI data exposed and jeopardize your DFARS compliance.
Steps to Take
- Understand the nature of this compliance obligation and assign responsibility for it. CISOs may not understand the demands of DFARS compliance, while internal audit or compliance teams may not grasp the challenges of assuring security compliance throughout the supply chain. Assign a team to assess DFARS security risks and necessary mitigation steps.
- Develop a security strategy for mission-critical applications that addresses DFARS issues. That strategy should cover configuration management, log management, custom application development, patches, continuous monitoring and more. Those steps must provide solid protection against data manipulation in your ERP infrastructure.
- Find the right tools to do the job. Security teams, in conjunction with business operations leaders and internal audit, need to identify risks and weaknesses that jeopardize DFARS compliance, and seal those gaps. With modern ERP systems supporting mission-critical applications, that’s no easy task. Using the right technology is crucial to do the job right.
Learn how Onapsis can help identify security and compliance risks and streamline your audit processes. https://onapsis.com/request-a-demo/