If you are a contractor working on behalf of the Department of Defense (DoD) as either a prime or a sub-contractor, then a December 31, 2017 deadline for compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 will be a major priority this year. The DFARS 7012 clause is a response to data breaches and increasing threats to cyber security, and may even be in your DoD contracts already.
In summary, DFARS requires DoD contractors to implement technical and procedural controls as specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to protect sensitive information, and to rapidly report cyber incidents. The DFARS requirement also expanded the type of information that must be safeguarded to include “Unclassified Controlled Technical Information (UCTI).”
What is UCTI?
UCTI is information that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of contract performance”. Therefore, it is difficult to identify a scenario where any DoD contractor would not be subject to the DFARS clause.
The NIST 800-171 information security requirements were developed for nonfederal/contractor information systems, and are significant in scope and responsibility. There are fourteen families of security requirements, which will impact nearly every aspect of IT information security.
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
DFARS also includes the requirement that DoD contractors (prime or sub) must report directly to the government within 72 hours if there is a “Cyber Incident.”
What is a Cyber Incident?
A cyber incident is “actions taken through use of computer networks that result in an actual or potentially adverse effect on an information system and/or the information residing therein.”
Other DFARS requirements include a System Security Plan for several types of sensitive information (UCTI, etc.), multifactor authentication for network access, audit logging, and the advance reporting of use of any types of cloud computing services. Obviously, these types of requirements have significant impact to the current business processes, information security policies, governance, and IT data storage and security.
How will DoD contractors comply with DFARS?
DFARS compliance requires a combination of technology, procedural controls, and technical controls. The requirements of NIST 800-171 leaves DoD contractors with two choices:
- Upgrade and manage an on-premises IT system to NIST requirements
- Migrate to a Cloud-based solution that meets NIST requirements
Microsoft Office 365 is certified to FedRAMP Moderate and DISA Level 2, which meets and exceeds the requirements of NIST SP 800-171.
Office 365 can be a major component of your DFARS compliance strategy, along with the implementation of new IT policies and procedures to provide a robust cybersecurity infrastructure and security breach response protocol.
In my next blog, I will discuss the key technical control requirements in the NIST publication and how Office 365 enables the features and controls to comply with the DFARS 7012 clause.