What You Need to Know about DFARS IT Standards

The Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation created by the Department of Defense (DoD) that dictates how the DoD purchases or leases goods and services from contractors or subcontractors. This supplement is intended to protect the DoD from data breaches and other cyber attacks, particularly those resulting from supply chain risks. As a result, any private sector entity that is a DoD contractor or a subcontractor must comply with the set of stringent requirements.

Let’s take a closer look at the DFARS requirements that relate to IT operations.

The Basics

DFARS centers around safeguarding Controlled Unclassified Information (CUI) as well as the system(s) that house this information. Specifically, organizations are required to be compliant with the following:

• DFARS 252.204-7012 – Safeguarding Covered Defense Information (CDI) as identified by the Controlled Unclassified Information (CUI) Registry.
• DFARS 252.239-7010 – Protecting cloud computing services (e.g., requirements, access limitation, incident reporting, etc.)
• The entirety of NIST 800-171.

In a general sense, CDI is thought of as technical information that is part of or related to a military or space contract and that, as a subset of CUI, requires safeguarding or dissemination control. CUI can be found on company-owned devices such as laptops, desktops, mobile devices, backup media, and application servers. It may be in the form of data, lists, standards, and a variety of other formats.

Building Your Plan of Action & Milestones (POAM)

Before you can develop an effective POAM, you must first identify the CUI in your environment and understand the controls deployed to protect it. This can be accomplished through thorough data classification, risk, and security controls assessments. The results of these efforts can then be compared to the requirements set out by DFARS, and any gaps between the two will form the foundation for a POAM.

The scope of DFARS is massive, covering over a dozen different domains of information security controls and practices. The process of preparing for and developing a POAM may seem simple enough on paper, but once individual phases are planned, the level of organizational commitment can become daunting. Nevertheless, the creation of a well-organized POAM is critical to demonstrating a defined path to DFARS compliance, particularly when remediation of gaps identified during assessments cannot take place immediately.

Prioritizing Remediation Steps

With an organizationally approved POAM in hand, your company can begin prioritizing the remediation of identified gaps based on the level of risk associated with each. Personnel resources, budget, and competing business priorities will also need to be considered when planning out remediation steps. DFARS compliance is critical for many companies, but day-to-day business activities can’t be allowed to break down in the process of achieving that goal.

Given the level of complexity, commitment, and potential cost associated with addressing DFARS requirements, many companies have sought out the services of information security experts to assist with the planning and execution of a DFARS compliance plan. By partnering with a qualified consulting firm, organizations can offload much of the DFARS evaluation and documentation process to experienced consultants and focus instead on growing their business.

CTI, a longstanding IT solutions and consulting firm, has assisted many companies through the complex DFARS compliance process, breaking a massive undertaking into several key steps:

• Identify CUI.
• Understand gaps in current and required protections.
• Create a POAM to guide remediation efforts.
• Document gap resolution.
• Maintain compliance through ongoing risk and control assessments.

CTI will work closely with your organization to understand your existing IT environment and unique business needs to ensure that your information security goals are achieved within an agreed upon timeline and budget.

Contact us today for more information about DFARS compliance.