If you’re a Department of Defense (DoD) contractor, you need to comply with a wide-ranging set of requirements for safeguarding the defense information you handle. Failing to demonstrate and maintain compliance puts your business out of the running for DoD work.
What do you need to know to keep your company eligible and compliant?
What DoD Guidelines Apply to My Business?
In 2015, the DoD issued a rule under the Defense Federal Acquisition Regulation Supplement (DFARS), its supplement to the government-wide Federal Acquisition Regulation (FAR). The relevant clause, DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), requires contractors to implement the security requirements published by the National Institute of Standards and Technology in NIST Special Publication 800-171, and the deadline for implementing them was December 31, 2017.
DoD contractors need to meet minimum standards laid out in the NIST guidelines in order to remain eligible for departmental contracts.
What Are the Minimum Standards for DoD Compliance?
NIST SP 800-171 focuses on protecting Controlled Unclassified Information (CUI) on nonfederal systems; under DFARS 252.204-7012 that information is called covered defense information. The clause boils down to two main obligations:
- Providing adequate security for covered defense information that is stored in or transmitted through the company’s unclassified information systems, specifically protecting it against unauthorized access and disclosure.
- Rapidly reporting cyber incidents to the DoD (within 72 hours of discovery) and cooperating with the department on the response. This includes preserving images of affected systems for at least 90 days, providing access to affected media on request, and submitting any malicious software that is discovered.
The challenge lies in the phrase “adequate security.” The clause defines it as, at a minimum, the security requirements in NIST SP 800-171, which are organized into 14 families that touch your policies, people, systems, applications and data. To show that you meet them, your business needs to assess its systems against the NIST SP 800-171 requirements and document the result.
The guidelines cover the following 14 areas:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Within those 14 families are 110 specific requirements that must be met. For example, the Identification and Authentication family contains 11 requirements, including:
- Using multifactor authentication for local and network access to privileged accounts, and for network access to non-privileged accounts
- Employing replay-resistant authentication mechanisms for network access
- Disabling identifiers (accounts) after a defined period of inactivity
- Enforcing a minimum password complexity and a change of characters when new passwords are created
- Prohibiting password reuse for a specified number of generations
- Allowing temporary passwords only with an immediate change to a permanent password
- Storing and transmitting only cryptographically protected passwords, never plaintext (in practice, salted hashes at rest and an encrypted channel in transit)
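To make these requirements concrete, here is an added example, written for this article and not part of any DoD or NIST material, of a small account store that enforces password complexity and character change (3.5.7), the reuse prohibition (3.5.8), forced replacement of temporary passwords (3.5.9), cryptographic protection of stored passwords (3.5.10) and disabling of dormant identifiers (3.5.6). The policy values (12-character minimum, three character classes, four changed characters, 24 remembered generations, 90 days of inactivity) are assumptions chosen for illustration, the account data is constructed, and the names Account, create_account, change_password, login and demo are hypothetical.

```python
from __future__ import annotations
import hashlib, hmac, os, string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy values are assumptions for this example; set them to what your SSP states.
MIN_LENGTH = 12            # 3.5.7 minimum complexity
MIN_CHARACTER_CLASSES = 3  # 3.5.7 of lower, upper, digit, punctuation
MIN_CHANGED_CHARS = 4      # 3.5.7 "change of characters" between old and new
HISTORY_SIZE = 24          # 3.5.8 generations for which reuse is prohibited
INACTIVITY_DAYS = 90       # 3.5.6 disable identifiers after this much inactivity
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)

def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """3.5.10: keep only a salted, memory-hard hash, never the password itself."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def complexity_ok(password: str) -> bool:
    """3.5.7: minimum length plus enough distinct character classes."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(c in string.punctuation for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= MIN_CHARACTER_CLASSES

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, i.e. how many characters really changed. A position-by-position
    comparison would score 'Summer2024!' -> '!Summer2024' as a complete rewrite."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    temporary: bool          # 3.5.9: admin-issued password that must be replaced at first logon
    last_activity: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest) pairs
    disabled: bool = False

def create_account(username: str, temporary_password: str, now: datetime) -> Account:
    salt, digest = hash_password(temporary_password)
    return Account(username, salt, digest, True, now)

def password_policy_violation(acct: Account, old: str, new: str) -> str | None:
    """Return why a change is rejected, or None if the new password is acceptable."""
    if not verify_password(old, acct.salt, acct.digest):
        return "current password incorrect"
    if not complexity_ok(new):
        return f"need {MIN_LENGTH}+ chars from {MIN_CHARACTER_CLASSES} character classes"
    if edit_distance(old, new) < MIN_CHANGED_CHARS:
        return f"at least {MIN_CHANGED_CHARS} characters must change"
    # 3.5.8: the history holds only hashes, so reuse is found by re-hashing the candidate.
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if verify_password(new, salt, digest):
            return f"password reused within the last {HISTORY_SIZE} generations"
    return None

def change_password(acct: Account, old: str, new: str, now: datetime) -> None:
    reason = password_policy_violation(acct, old, new)
    if reason is not None:
        raise ValueError(reason)
    acct.history.insert(0, (acct.salt, acct.digest))
    del acct.history[HISTORY_SIZE:]  # forget generations beyond the policy window
    acct.salt, acct.digest = hash_password(new)
    acct.temporary = False
    acct.last_activity = now

def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'ok', 'must_change', 'disabled' or 'bad_password'."""
    if acct.disabled or now - acct.last_activity > timedelta(days=INACTIVITY_DAYS):
        acct.disabled = True  # 3.5.6: the dormant identifier is disabled, not merely denied
        return "disabled"
    if not verify_password(password, acct.salt, acct.digest):
        return "bad_password"
    acct.last_activity = now
    return "must_change" if acct.temporary else "ok"  # 3.5.9: a temporary password only permits a change

def demo() -> dict:
    """Walk one constructed account through its life cycle and return each step's outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = create_account("alice", "Temp-Pass-2024!", t0)
    out = {"first_login": login(acct, "Temp-Pass-2024!", t0)}
    out["too_similar"] = password_policy_violation(acct, "Temp-Pass-2024!", "Temp-Pass-2025!")
    out["too_weak"] = password_policy_violation(acct, "Temp-Pass-2024!", "short1!A")
    change_password(acct, "Temp-Pass-2024!", "Correct-Horse-Battery-9", t0)
    out["after_change"] = login(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=1))
    out["reuse"] = password_policy_violation(acct, "Correct-Horse-Battery-9", "Temp-Pass-2024!")
    out["dormant"] = login(acct, "Correct-Horse-Battery-9", t0 + timedelta(days=200))
    return out

if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Two design points are worth noting for an assessor. The "change of characters" check uses edit distance rather than comparing positions, so shifting a symbol from the end of a password to the start no longer looks like a full rewrite, and the reuse check works entirely on stored hashes, so the history never holds a plaintext password. The "transmitting" half of 3.5.10 is not shown here: it is met by sending credentials only over an encrypted channel such as TLS.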
What Happens If We Are Not Compliant?
The consequences of noncompliance are severe. If the DoD finds your business out of compliance, it may issue a stop-work order, meaning you cannot continue DoD work until the gaps are addressed. Your business may also face contract termination, and misrepresenting your compliance status can expose you to financial penalties.
How Can My Business Ensure Compliance?
Your company needs to document how it addresses each of the 110 requirements across the 14 families, with any requirements not yet implemented tracked along with a plan to close them. That’s a massive commitment to ensure you remain eligible.
You have two options.
Internal Compliance Management
If your business has the expertise, staff and time to commit to demonstrating and maintaining compliance, then an in-house approach makes sense. NIST publishes the assessment procedures for each requirement in NIST SP 800-171A, and the DoD has published guidance for contractors on documenting their implementation.
However, the resources needed to complete the initial compliance work and then maintain it are often more than small and medium-sized businesses can take on.
Outsourced Compliance Management
Many companies opt to outsource the work to a managed service provider that has the experience and qualifications to provide the assessments, recommendations, solutions and ongoing maintenance required. A good provider saves your business time and money, understands what each of the 110 requirements means, and knows what evidence is needed to demonstrate compliance.
After an initial assessment, your managed service provider can recommend the best solutions for your business that remediate any gaps and are acceptable to the DoD. Your managed service provider also has the resources, tools and expertise to monitor your systems, detect threats and security incidents, and respond accordingly on an ongoing basis.
How Do I Know If Our Business Is Compliant?
NIST SP 800-171 requires you to periodically assess your security controls, and an initial assessment is the practical first step. It includes a gap analysis that pinpoints what’s lacking in your IT policies, procedures and systems. Security Assessment is itself one of the 14 NIST SP 800-171 families.
After the assessment, your managed service provider will present a System Security Plan (SSP) along with a Plan of Action and Milestones (POA&M) for the gaps. Together, these documents act as a roadmap that helps contractors describe, document and regularly update their system boundaries, how each requirement is implemented, and how the system connects with other company systems.
For each identified deficiency, the plan must indicate what’s being fixed, the people, processes and technologies that will be used, and the timing of when the corrective actions will be in place.
What Happens Next with DFARS Compliance?
Your managed service provider can purchase, install and configure any technologies needed to close the gaps. Whether it’s a next-generation firewall, automated updating and patching, or endpoint protection, your provider should be able to get everything working with minimal disruption to company operations.
However, remaining compliant brings additional requirements. You also need continuous monitoring that looks for, detects and identifies suspicious network activity, so that issues are caught early and addressed before sensitive data is exposed. Your provider can also assist with multifactor authentication, automated updating and patching, and advice on how to optimize your various system components.