Military/Defense Contractors

All defense contractors and sub-contractors who process covered defense information (CDI) are required to meet DFARS clause 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting.

Cyberstone has developed a program custom-designed to help manufacturers and machine shops meet DFARS compliance. The DFARS cybersecurity clause is essentially a pointer to the NIST SP 800-171 cybersecurity framework, which has fourteen control families, listed below.

The 14 NIST SP 800-171 Requirement Families

  • Access Control – Least privilege, separation of duties, limit unsuccessful login attempts, screen lock after a certain time, encrypt CUI on mobile devices, wireless must have password
  • Awareness & Training – Security awareness training, training on malicious insider threats (online or in-person)
  • Audit & Accountability – Each user’s actions must be able to be uniquely traced, synchronization of IT systems’ clocks, correlation of logs from different systems
  • Configuration Management – Server and workstation images that are hardened, application white/blacklisting
  • Identification & Authentication – Multifactor authentication, unique user accounts (not shared), minimum password complexity
  • Incident Response – Written framework unique to each organization’s requirements. Must be regularly tested.
  • Maintenance – Sanitize systems of CUI when it is no longer needed; check media with diagnostic/test programs for malicious code before it is used in an information system.
  • Media Protection – Mark media with CUI as having CUI, lock drawers of paper with CUI, encrypt media, prohibit portable devices that don’t have an identifiable owner
  • Physical Protection – Escort visitors, log physical building / room access, ensure teleworker sites (work from home) are secure
  • Personnel Security – Background checks, pre-employment screening
  • Risk Assessment – Vulnerability scanning, periodic risk assessments
  • Security Assessment – Periodically assess technical controls, monitor and assess the effectiveness of security controls (Penetration Testing)
  • System and Communication Protection – Explicit deny-all, encryption at rest and in motion, effective subnetting
  • System & Information Integrity – Protect from malicious code (AV/anti-malware), SIEM / IPS to detect unauthorized use of systems

The process for helping military contractors comply is as follows:

Step 1: Gap Assessment

  • What does the regulation say I need to be doing vs. what I’m doing today?

Step 2: Create an Incident Response Plan

  • Preparation
  • Discovery
  • Notification
  • Analysis
  • Containment
  • Restoration

Step 3: Implement Changes based on Gap Analysis

  • Written information security policies
  • Implementation of hardware and software
  • Network segmentation
  • Encryption
