Are you overlooking this regulation affecting your business?
Today, more than ever before, the U.S. federal government depends on external service providers to help meet its goals using state-of-the-art information systems. As a result, businesses that work with the government have to implement the highest security measures in order to protect sensitive data. That’s where government regulations come in. One of the most important regulations for manufacturers, government contractors, and subcontractors working with the United States Department of Defense (DoD) is the Defense Federal Acquisition Regulations Supplement (DFARS).
In an effort to curtail breaches and secure valuable government data and research, the U.S. DoD devised security regulations for businesses with which it entered into contracts. DFARS is a supplement to the Federal Acquisition Regulation (FAR) and outlines 110 security requirements that defense contractors, subcontractors, and suppliers must meet. The DFARS supplement contains requirements of law, policies, deviations from FAR requirements, and policies/procedures that have a significant effect on the public.
The U.S. DoD published an interim rule in December 2015 to the DFARS giving government contractors a Dec. 31, 2017, deadline to implement the requirements outlined in the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171. These requirements are meant to protect controlled unclassified information (CUI) and confidential data when used by non-government entities such as manufacturers and others contracted with the government. Additionally, a revision has been issued for NIST SP 800-171 that you should also be aware of.
Why DFARS Is So Serious
There have been many instances of breaches and data theft that have negatively impacted both U.S. companies and the government. An article published by CNN Tech in January reported that a Chinese wind turbine firm was found guilty of stealing U.S. trade secrets, a theft that “nearly destroyed” the American tech firm it was taken from. Another piece published in April by The Kansas City Daily Star reported that a Chinese national tried to steal another valuable U.S. trade secret: Kansas rice seeds.
Private industry is not alone in being victimized by hackers. State-employed cybercriminals have also targeted the United States government. Russia and China both currently pose major threats to U.S. security. For example, the New York Post reported earlier this month that Chinese hackers stole secret plans for a new U.S. Navy weapon. Even more recently, it was reported that the artificial intelligence startup Clarifai had its computer systems hacked by at least one person in Russia, potentially exposing technology used by the U.S. military to another adversary, according to an article by WIRED. The bottom line is that the threat to proprietary data, trade secrets, and top-secret government information is persistent, so digital security is of the utmost importance.
Which Industries Does DFARS Impact?
All DoD contractors that process, store, or transmit controlled unclassified information must meet the DFARS minimum security standards. This typically impacts manufacturing companies, contractors, and subcontractors. The deadline for meeting these standards was Dec. 31, 2017.
The Consequences Can Be Dire
Businesses that fail to meet these standards risk losing their existing DoD contracts and could also lose future bids to competitors who are DFARS compliant. In addition, businesses that fail to meet the DoD’s requirements can face stiff penalties, including jail time. All of this comes in addition to the negative publicity, possible litigation, and loss of reputation that often accompany data breaches. This makes it imperative that businesses ensure compliance on a regular and ongoing basis.
Where to Begin
To determine if your business is meeting DFARS requirements, you’ll want to revisit your contracts to ensure you fully understand all clauses and requirements specifying the security measures your business must take. While DFARS 252.204-7012 is required in all contracts with the DoD, there may be additional security requirements your business needs to meet.
You’ll also need to conduct an annual risk assessment as well as a gap assessment of your organization’s security. These assessments will provide a baseline of risk so you can make the best decisions for implementing the necessary controls to meet the DFARS regulatory guidelines, identify where partial controls are not enough, and where controls are not being properly utilized.
If your business or a subcontractor is awarded a DoD contract, you have 30 days from the award of that contract to provide the DoD with a list of the security requirements that have not yet been implemented. If a cyber incident is ever discovered, it must be reported within 72 hours of discovery.
While the deadline for DFARS compliance was set for Dec. 31, 2017, the DoD understands some smaller companies are struggling with compliance. As a result, the DoD is allowing companies to have a plan of action and mitigations and a system security plan in place while showing improvement in order to achieve “conformant” status in 2018. Defense contractors must have these two compliance documents ready to submit as every new contract is approved and as each existing contract is renewed.
Assistance Is Available
Though the initial hard deadline has come and gone, we highly encourage you to assess your business’s requirements and work toward DFARS compliance as soon as possible. While compliance can seem a bit daunting, there’s no need to worry. Assistance is available for businesses of all sizes. Dox Electronics has experience helping companies with all of the cybersecurity requirements of DFARS to help get you compliant quickly.