If you’re an individual or private firm looking to capitalize on Department of Defense contracts, you need to be aware of the security requirements. This is especially important if you are at risk of cybersecurity attacks. The Defense Federal Acquisition Regulation Supplement helps organizations prioritize their security when acquiring materials and performing work for the Department of Defense. Here are some commonly asked questions about the cybersecurity portion of this supplement.
What Is It?
DFARS is a set of regulations published by the Department of Defense. One of the clauses in it, which will be the focus of this article, relates to cybersecurity and the protection of CUI, or Controlled Unclassified Information, for Department of Defense contractors.
Today, the cybersecurity clause requires contractors to receive a Cybersecurity Maturity Model Certification or CMMC from a third-party source. Without this, you will not be able to bid on a Department of Defense contract that deals with CUI. If you’re interested in receiving this certification, you must know more about cybersecurity and the requirements for your system.
What Is CUI?
Even before you worry about the audit the Department of Defense requires, you need to know what CUI means. In short, this is sensitive information connected to the United States government that is not classified or regulated. Even though it is not classified, it still needs a specific set of security controls to protect it.
What Is NIST 800-171?
NIST 800-171 is a set of cybersecurity regulations released by the National Institute of Standards and Technology that deals with CUI for non-Federal organizations. Similar to the supplement, these regulations encourage the safeguarding, handling, and distribution of sensitive data that is not classified or regulated.
What Are the Key Points for Compliance?
To take contract work, you must prove that you are compliant with the cybersecurity clause via an audit that tests several vital points. Among the areas of your security protocols the audit will test are system protection, risk assessment, physical safety, maintenance, media protection, configuration management, authentication, incident response, access controls, staff training, and accountability.
Who Should Be Compliant?
Anyone doing contract work for the Department of Defense that handles CUI must comply with this clause. It doesn’t matter if you belong to a massive organization that arranges these contracts or an individual contractor. The only way to engage in future contract opportunities is to participate in an audit and receive a CMMC.
How Do You Comply?
To receive your CMMC, you must demonstrate compliance, meaning you must meet a specific set of requirements in an audit. These regulations include establishing proper handling techniques for CUI, using cyber incident analysis and reporting, effectively monitoring and responding to intrusions, and meeting the required cybersecurity protocols for your CMMC level.
What Are the Steps Associated With Compliance?
Compliance starts with a security assessment, which is essential because it will help you identify where you store sensitive information. Once this is complete, you should assign a team to move you closer to compliance and to monitor your security protocols to ensure you stay there. This team will be responsible for running security assessments once or twice per year to keep your cybersecurity protocols effective.
If you plan to become a contractor for the Department of Defense, you must ensure that your cybersecurity system meets the specific requirements laid out in the supplement. The first step to compliance is to learn more about what this involves, which will help you understand the regulations and the steps you must take to become compliant. Once you have this knowledge, you can ensure your system is compliant so that you can profit from Department of Defense contracts.