All defense contractors and sub-contractors who process covered defense information (CDI) are required to meet DFARS clause 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting.
Cyberstone has developed a program custom-designed to help manufacturers and machine shops meet DFARS compliance. The DFARS cybersecurity regulation is essentially a pointer to the NIST SP 800-171 cybersecurity framework, which has fourteen functional areas, as displayed below.
The 14 NIST SP800-171 Requirements
- Access Control – Least privilege, separation of duties, limit unsuccessful login attempts, screen lock after a set period of inactivity, encrypt CUI on mobile devices, wireless access must be password-protected
- Awareness & Training – Security awareness training, training on malicious insider threats (online or in-person)
- Audit & Accountability – Each user’s actions must be uniquely traceable to that user, synchronization of IT systems’ clocks, correlation of logs from different systems
- Configuration Management – Server and workstation images that are hardened, application white/blacklisting
- Identification & Authentication – Multifactor authentication, unique user accounts (not shared), minimum password complexity
- Incident Response – Written framework unique to each organization’s requirements. Must be regularly tested.
- Maintenance – Sanitize systems of CUI when it is no longer needed, check media with diagnostic/test programs for malicious code before it is used in an information system.
- Media Protection – Mark media with CUI as having CUI, lock drawers of paper with CUI, encrypt media, prohibit portable devices that don’t have an identifiable owner
- Physical Protection – Escort visitors, log physical building / room access, ensure teleworker sites (work from home) are secure
- Personnel Security – Background checks, pre-employment screening
- Risk Assessment – Vulnerability scanning, periodic risk assessments
- Security Assessment – Periodically assess technical controls, monitor and assess the effectiveness of security controls (Penetration Testing)
- System and Communication Protection – Explicit deny-all, encryption at rest and in motion, effective subnetting
- System & Information Integrity – Protect from malicious code (AV/anti-malware), SIEM / IPS to detect unauthorized use of systems
The process for helping military contractors comply is as follows:
Step 1: Gap Assessment
- What does the regulation say I need to be doing vs. what I’m doing today?
Step 2: Create an Incident Response Plan
Step 3: Implement Changes based on Gap Analysis
- Written information security policies
- Implementation of hardware and software
- Network segmentation