May 15, 2019

    7 Ways to Prepare for DFARS Compliance

    As a government contractor, it’s imperative that you take steps to comply with cybersecurity recommendations outlined in the Defense Federal Acquisition Regulation Supplement (DFARS). To adequately prepare for and meet DFARS compliance standards, you first need to learn more about what DFARS entails and the steps you must take to protect government data.

    What is DFARS?

    DFARS is a set of cybersecurity guidelines that all government contractors must follow as mandated by the Department of Defense. These guidelines include security controls companies must implement to prevent a data breach and reporting procedures companies must follow in the event a breach occurs.

    Why is it important for government contractors to align with DFARS regulations? A data security breach can be devastating, in terms of non-compliance consequences, disruption to your business, and putting sensitive material in jeopardy. If you want to ensure your sensitive data is secure and remain eligible to be a government contractor, you should verify that your security controls are up to DFARS standards.

    DFARS Compliance Areas to Know

    The United States government has issued numerous security guidelines for keeping data secure. To be compliant with DFARS guidelines, there are three publications you should pay particular attention to:

    • DFARS 252.204-7012 or “Safeguarding Covered Defense Information and Cyber Incident Reporting” - This publication focuses specifically on the policies you should adopt to prevent cyber security events and how to report an incident if one occurs.
    • NIST SP 800-171 or “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” - These are the mandatory security protocols all government agencies and contractors should adopt if they want to keep data secure. The publication includes 100 different security requirements broken into 14 categories of cybersecurity measures.
    • NIST SP 800-53 or “Recommended Security Controls for Federal Information Systems and Organizations” - This publication focuses on the security requirements that should exist on all information systems that store government data. There are 303 requirements broken into 18 control families.

    7 Ways to Prepare for DFARS Compliance

    Complying with DFARS guidelines, as outlined by the above publications, requires strategic efforts to make sure you’re prepared for ongoing compliance. Below are essential steps you should take to lay the foundation for compliance today and in the future.

    1. Update Your Compliance Program

    Do you already have a compliance program for your company, but you’re unsure if it’s up to current DFARS standards? Before you take any actual steps toward implementing security measures, you need find all documented plans and procedures, and determine whether or not they need to be updated.

    If you don’t know how to go about updating these documents, you may want to work with an expert compliance consultant. This consultant can point out areas in your compliance documentation that should be updated. While working with an expert might lead to greater costs, it can make this process faster, and you will feel confident that your documentation is accurate.

    2. Update Your Reporting Processes

    In addition to updating your compliance documentation, you also need to create or update your reporting processes. A recent development of DFARS is that you are required to report any cybersecurity incidents within 72 hours of occurrence. This is a short window of time, so it’s imperative that you create a detailed step-by-step reporting process to ensure reporting is rapid and uniform.

    You should also assign the responsibility of reporting incidents to a single employee or a team of employees. Educate them on the reporting process, and ensure they have all the tools needed to quickly detect and report incidents.

    3. Identify CUI and CDI Data

    One clear objective of DFARS is to keep CUI (Controlled Unclassified Information) and CDI (Covered Defense Information) secure and out of unauthorized hands. Some companies have massive amounts of data stored in many different locations, and it’s likely not all of this data falls into the CUI or CDI categories. So, one helpful way to streamline compliance and protect sensitive data quickly is to isolate data that falls under DFARS compliance guidelines. By putting this information all in one place and protecting it first, your organization will be in compliance with regulations faster.

    4. Plan Risk and Security System Assessments

    One of the most effective ways to ensure your data security efforts are up to DFARS standards is to plan for regular risk and security assessments. Let’s look at risk assessments first. Assessing your security controls can reveal potential vulnerabilities that should be addressed. Also, risk assessments are often required when you sign contracts with new clients, so it’s vital that you document all risk assessments to fulfill these requirements.

    Your security controls need to be regularly tested and assessed for their effectiveness, as well. Are all security controls up to your standards? Should any controls be updated? To avoid breaches in security and cybersecurity incidents, run security assessments on an ongoing basis.

    5. Research File Sharing Solutions

    Because so much of DFARS is focused on keeping data secure, you should consider integrating a secure file-sharing solution into your cybersecurity compliance efforts. This will make the compliance process far easier. Although there are countless file-sharing solutions on the market, you should focus your search on ones that offer DFARS-compliant assurances.

    One such solution, GOVFTP from Sharetru, has features built into the solution to promote secure data practices, like in-transit and at-rest encryption, IP address restrictions, user access controls, and more. Plus, by using a hosted file-sharing and storage solution, you avoid implementing many of the security controls yourself. You simply rely on the host to manage the solution and the security measures for you.

    6. Monitor Your Data

    Unfortunately, compliance isn’t a one-time event. It takes continuous monitoring to ensure your data is not being compromised. Establish data monitoring guidelines and invest in any monitoring tools to help your efforts. If you adopt a secure file-sharing solution, you will be alerted when any suspicious activity or cybersecurity incident occurs, even though these attempted breaches will likely be prevented.

    7. Educate Your Employees

    Finally, secure file sharing starts with your employees. You need to educate employees on the standards NIST has set and the actions you expect your team to take to comply with these standards. It’s especially valuable for anyone who works with CUI and CDI to be educated on compliance. Additionally, as regulations and security measures are changed and updated, you should notify employees.

    Ultimately, the best way to be DFARS compliant is to be diligent about your compliance efforts. Continue to assess and reassess your data for the effectiveness of your security controls, and consider using a secure file-sharing solution to keep your data protected. When you do, you can reap the benefits of high levels of data security managed by an expert partner.

     

    Martin Horan

    Martin, Sharetru's Founder, brings deep expertise in secure file transfer and IT, driving market niche success through quality IT services.

    Other posts you might be interested in

    View All Posts