10 steps to DFARS cybersecurity compliance [Commentary]


Bhavesh Vadhani is a principal at CohnReznick, a leading tax and advisory firm, where he specializes in helping organizations enhance their existing IT environment. Vadhani has more than 13 years of experience in information risk management and is a Certified Information Systems Auditor (CISA), Certified in Risks and Information Systems Controls (CRISC) and Certified in the Governance of Enterprise IT (CGEIT). (Photo Credit: CohnReznick)

According to the World Economic Forum’s 2016 Global Risks Report, cybercrime will cost the global economy $445 billion this year. In our increasingly connected world, it is difficult to escape the threat of a cyberattack. This is especially true for those who work with highly sensitive data, as the potential value of this information makes them a primary target for cyberattacks.

Government contractors are required to handle some of the most sensitive and mission-critical information out there, placing them among the most attractive targets for hackers. To protect this sensitive information, contractors who work with the Department of Defense must, by Dec. 31, 2017, demonstrate compliance with newly issued Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012) guidelines around Safeguarding Covered Defense Information and Cyber Incident Reporting.

For security purposes, DFARS compliance is intended to ensure that adequate measures are in place to protect covered information and to detect and report any cyber incidents. It is essential for contractors to meet these DFARS requirements or at least demonstrate that they are working toward compliance. Otherwise, should an incident occur where covered defense information (CDI), including controlled unclassified information (CUI), is compromised or breached, contractors could face fee reductions, contract loss or even blacklisting.

If you are a contractor working toward DFARS cybersecurity compliance, here are 10 steps you can take now to help your firm get there by the end of the year:

1. Know the services that your company provides.

Although this may seem obvious, a deep knowledge of the services and nuances outlined in each contract is key to being able to identify and protect the government’s data.

2. Understand the contract clauses and the agency-related information that, as part of the contract, will be stored in your company’s IT environment.

An understanding of the specific information your company will be responsible for will allow you to develop a strategy to identify, protect and defend against potential cybersecurity threats.

3. Understand ALL of the IT systems and define a “boundary” to be used to support the contract.

By creating a boundary, you are able to segregate the environment and the IT systems that will be used to support the contract. This will allow for a targeted implementation of information security controls to protect CDI, including CUI, and demonstrate compliance with DFARS clauses.

4. Foster collaboration and communication among the various groups within your organization.

Protecting against cybersecurity threats is not solely the responsibility of the IT department. Everyone has to play a role to ensure compliance is met and continues to be met.

5. Implement or enhance the information security controls as defined by NIST.

NIST 800-171 provides requirements for protecting CUI. While this is the standard that all companies accessing this information must adhere to, enhancing these controls will provide extra protection.

6. Have an adequate security incident response plan.

With this plan in place, your company will be well-prepared to respond to a cybersecurity attack. Even if an incident or breach does not occur, having a response plan in place will help your firm meet DFARS compliance standards.

7. Continuously assess the systems/boundary for the adequacy of the information security controls as defined in NIST 800-171.

Through these assessments, your company will be able to make sure it is making continual progress toward meeting the defined requirements. These assessments can surface problems before a potential threat materializes, and can help to ensure that your company remains compliant.

8. Have a plan to address the lack of security controls.

Should your company come across situations where you determine it does not have the required security controls, it needs to create a remediation plan to address those weaknesses or have secondary (compensating) controls or measures that can help reduce its potential exposure. When it comes to cyberattacks, time is of the essence. Having an effective remediation plan or contingency plan in place can limit the amount of damage that can be done.

9. Ensure progress in remediation activities.

Remediation does not have to take place overnight. But you do need to demonstrate progress to show that you are making the effort in good faith. This progress also provides a level of comfort and assurance to your contracting officer that remediation will ultimately be completed.

10. Communicate with subcontractors to verify they can identify their risks and demonstrate compliance.

Not only do you have to meet compliance, but the subcontractors you work with must as well. Making sure they know their risks and meet compliance helps to cover all bases for protection.

As the Dec. 31, 2017 deadline for DFARS compliance approaches, contractors must adapt and should consider the above-listed steps as they begin working toward compliance now. Contractors must also continuously pay attention to the specified requirements because, as technology continues to evolve, so will the practices and requirements for addressing cybersecurity threats.