Having the federal government as your sole client is a different dynamic from serving multiple commercial contract clients. Why? Because when you are a federal government contractor, your processes are dictated by contract and legislation. But that’s not all… The technology that underlies your processes must also be in line with your contractual obligations. In this article, we’ll tell you the real story and unvarnished truth about keeping your technology in line with legislation, contracts, and company goals.
You’re a Small Federal Government Contractor… Does Your IT Services or Computer Support Company Know the Difference Between Main Street Tech Support and K Street Tech Support?
Do you know where the term “red tape” came from in relation to governmental bureaucracy?
It began with Charles V of Spain who wanted to streamline his government and used red tape (really red ribbon) to bind together files of important documents.
Don’t you wish that efficiency was still the cumulative effect of red tape?
Unfortunately, it’s not.
Federal government contractors already deal with enough bureaucratic red tape winning and keeping federal contracts; you don’t need the hassle of IT management and compliance on your plate as well.
What do you want?
It’s pretty simple.
You want an IT services or computer support company here in Washington DC to make sure that your IT infrastructure meets or exceeds the specifications you need to prove compliance and operate efficiently.
We’ll talk about NIST and DFARS technology compliance a little later, but let’s answer some more basic questions first.
What About Managed Services to Support an Entire Company’s IT Infrastructure?
Just in case you are unfamiliar with the term “Managed IT Services” let’s start with a definition.
Managed IT Services is a subscription technology support model that provides an entire array of IT services such as cybersecurity, IT management, IT maintenance, data backup/recovery, and operational monitoring for a pre-determined monthly payment. Managed IT Services takes a holistic approach to the health of a company’s IT infrastructure and is the proactive maintenance option for businesses that must have near-zero downtime.
The advantages of managed services are:
- A stable, predictable IT support budget
- An entire team of experienced business technology professionals
- Vendor support that frees your team to do their tasks
- Security that protects your network, data, and compliance standing
- Business continuity strategies that allow your business to function regardless of circumstance
- Helpdesk staff who are happy to answer your IT questions
- Proactive maintenance to avoid costly downtime
Is A Hosted Computing Environment a Good Idea for Federal Government Contractors?
Cloud hosting has come a long way in a very short timeframe. Today’s data centers are usually more secure than servers in your own facility. Why? Because their business hinges on keeping your data safe. This drives data centers to put enterprise-level encryption and security measures in place, enact geo-redundancy protocols, and meet the compliance standards of all of the industries and governmental agencies that they serve.
The conclusion is that a hosted computing environment that is properly implemented, carefully maintained, and studiously monitored for security is a good option for a federal contractor’s data storage and retrieval, virtual machines, applications, and even mission-critical workflows.
The obvious caveat is that you must do your homework and make sure that the data center you are considering meets the stringent requirements defined by your contractual obligations.
What About a Co-Location Option?
In case you are unfamiliar with the phrase “co-location” let’s explain it.
In the data center scenario we discussed above, a company’s data is stored on servers owned by the data center. In a co-location scenario, a federal contractor purchases their own server and has it installed in a data center. This option gives the company the peace of mind that their server is in the right environment, plus the control that comes with owning the hardware. To facilitate this co-location, the data center provides:
- Space for the company’s server
- Redundant power supply
- Physical security: security guards, biometric access controls
- An IP address
Data centers rent out space in units called “racks” and “cabinets.”
A rack unit is 1.75 inches of vertical space in an equipment rack.
It takes forty-seven rack units to make up a full rack. This is referred to as a cabinet.
Co-location customers rent rack units, half cabinets, or full cabinets as their needs require.
What Do You Need to Know About NIST and DFARS Compliance Rules?
Since November of 2013, the Department of Defense has been systematically tightening the rules on how federal government contractors transmit, store, and process data that is considered to be “covered” by the regulation.
What is “covered information”?
According to The Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (Revised Oct 21, 2016), Safeguarding Covered Defense Information and Cyber Incident Reporting, Covered defense information is defined as follows:
Unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, and is:
(1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
This mostly covers anything that could be considered “sensitive” but falls short of being considered “classified.”
The deadline for DFARS compliance was December 31, 2017. Therefore, it’s vital that your systems meet DFARS standards if you are going to pursue contracts involving covered defense information.
How do you know if you have to be DFARS compliant or not?
If you are a contractor or subcontractor for the DoD, you must demonstrate “adequate security” as defined by NIST 800-171 and have cyber incident reporting protocols that meet the standards set by DFARS 252.204-7012.
NIST 800-171 has been around a lot longer than the DFARS compliance rules and includes requirements for:
- Audit and Accountability (3.3.5 and 3.3.6): Audits provide transparency into your data management strategies and how they work in a practical sense.
- Identification and Authentication (3.5.3): Using multifactor authentication to access your physical network, wireless network, and cloud assets provides greater protection.
- Incident Response (3.6.1): Having a team of IT security professionals that will respond to a potential breach, do forensics work, remediate any damage, and bring the entire system back to a secure state again is essential to meeting this requirement.
- Security Assessment (3.12.1 and 3.12.3): Continuous monitoring and accessible reporting are the way that federal government contractors meet the stipulations set forth in this rule.
What Happens If You Are Not DFARS or NIST 800-171 Compliant?
You already understand that compliance is a prerequisite for doing business with the various branches of the federal government. If you cannot prove compliance, then your valuable contracts may be at risk. With that said, compliance is possible and the compliance process can be simplified for you with the right cybersecurity professionals on your side. If you have any questions about the compliance process, take the time to learn more about Intelice Solutions. We have more than twenty years of experience in assisting federal government contractors in their efforts to design, configure, and maintain compliant IT infrastructure.