Summit 7 Team Blogs

Office 365 DFARS Frequently Asked Questions (and Answers) - Part 1

There are a lot of questions surrounding the upcoming DFARS requirements for DoD Contractors. What does it mean for your business? What happens if you're not compliant in time? To help guide you through the process, here are some questions and answers that you may need to know. 

1. Can O365 be set up to alert our IT staff of a cyber-incident and create a report that holds all the information of the incident?

Yes, Office 365 can be set up to alert a group of chosen individuals based on rules and policies configured by the IT Security or IT Administrative staff.  Office 365 can create audit and alert reports that can be used as a component of an incident report. 

2. How are cyber incidents reported, and can they be directly reported to the proper authorities automatically?

Reporting a cyber-incident requires a DoD-approved medium assurance certificate. The required interaction with the certificate makes automatic reporting more difficult. All cyber incidents must be reported to https://dibnet.dod.mil within 72 hours.

3. Can O365 enforce policies and procedures automatically - such as improper downloading of documents, emailing sensitive information, and improper sharing of documents?

Yes, there are various toolsets within the Office 365 platform that can help you control this type of interaction. These capabilities are included in Rights Management Services, Advanced Security Management and Data Loss Prevention.

4. Since O365 is updated by Microsoft, how will we know if a change they make doesn’t align with the compliance points in the future?

Microsoft maintains its datacenters and platforms to meet compliance for dozens of international standards. The datacenters are constantly going through compliance audits, so it is critical that any updates Microsoft makes to the environment do not compromise the various security and compliance configurations.

5. Where can I get training on security awareness and incident prevention in O365?

We do not currently have a publicly available course on Office 365 DFARS Security Awareness. However, if you have a specific need, we may be able to provide a session customized to your organizational needs.

6. Can I get a risk assessment for my environment?

We have a great set of partners who can provide DFARS Policy Assessments and Risk Assessments.  Summit 7 Systems can provide assessments of your existing Office 365 platform to help you build a gap analysis between where you are and NIST 800-171 compliance. 


This FAQ is part of a series. Be sure to subscribe and get notified when there's a new post, or check back soon for the next post in the series!



About Scott Edwards

Scott Edwards is an accomplished computer engineer and organizational leader with experience in business, project management, systems engineering, training and security. Scott’s technical experience was honed at NASA as a Senior Computer Engineer and the Chief Engineer and Engineering Manager for the NASA Datacenter.

Scott received his Bachelor of Science from the United States Military Academy and his Master of Science in Computer Science with an emphasis in Information Assurance at James Madison University. Scott proudly served as an Officer in the US Army Signal Corps with both the 2-227th Aviation Battalion in Bosnia-Herzegovina and the 1-6 Air Defense Artillery Battalion in Fort Bliss, Texas.

Currently, Scott is the President and Managing Partner of Summit 7 Systems. Summit 7 Systems is a Service-Disabled Veteran-Owned Small Business (SDVOSB) and a Microsoft Gold Cloud Productivity Partner that specializes in Office 365 security solutions.