All Department of Defense (DoD) contractors that process, store, or transmit Controlled Unclassified Information (CUI) or Controlled Defense Information (CDI) were required to meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or put themselves at risk of losing their DoD contracts.
DFARS provides a set of basic security controls based on National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) that should be applied to all systems processing, storing, or transmitting this information.
Academic institutions handling CUI are included in this rule, so many colleges and universities that are involved with defense research or other federal data must ensure ongoing compliance by implementing certain cybersecurity safeguards and reporting data breaches within 72 hours.
With limited staff and resources, and the wide variety of needs often found within research contracts, it can be difficult to determine what exactly falls into scope for DFARS on campus. A research project may last only a few months and use only a handful of workstations, or it may pull in a larger segment of your systems.
Your first step will be to review applications and contracts for the appropriate DFARS clause (DFARS clause 252.204-7012). You can work to remove the clause where possible, or have a documented exception where the researchers will not be receiving or generating CUI. Once it is determined that the DFARS clause applies, however, you should visit those departments or labs and find out how information is received or created, and where it is or will be stored.
Just as you often hear us recommend scope reduction for PCI compliance, you will also want to reduce the scope of your DFARS environment as much as possible. Creating a compliant infrastructure to protect CUI data can be difficult, as researchers will have to use dedicated machines or virtual machines, and these systems will have to be on a segmented, highly secured network. You will want to perform a thorough risk assessment on these areas to identify any current gaps and develop what is referred to as a System Security Plan (SSP) and a Plan of Action and Milestones (POA&M). These documents are further explained in the guidance issued by the Department of Defense last September. They are very similar to the Roadmap Report provided during a PCI assessment, detailing where gaps exist, the remediation efforts that will need to occur, and a timeline for completion. The DoD did state that if a contractor was not fully compliant with the total set of security controls by the December 31, 2017 deadline, but has an SSP and POA&M, the organization can still report compliance.
NIST has created a handbook that is used to help conduct a security control assessment and steps through each of the NIST SP 800-171 Security Requirement Families below. These 14 families of the framework are broken down into 110 required technology, policy-based, and training controls.
- Access Control
- Awareness and Training
- Auditing and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communication Protection
- System and Information Integrity
Once the SSP is developed, organizations can then work to build a compliant network and implement the required security solutions, or may choose to outsource this environment to a third party, such as Amazon Web Services. NIST SP 800-171 is not as prescriptive as the PCI DSS, and there are usually a number of paths an organization can take and a variety of potential security solutions that can be implemented to satisfy the security requirements.
The great thing about using NIST SP 800-171 for your DFARS risk assessment is that this standard is also commonly used to help ensure higher education institutions meet all requirements of the GLBA Safeguards Rule. The controls are the same; what differs is the type of information being protected and where that information is found on campus.
For questions regarding DFARS or how your institution can ensure your research departments are achieving and maintaining compliance, don't hesitate to reach out to us.
Some additional guidance from the Security Advisor team is below:
[King]: The best way to ensure data is protected according to the standards is to implement security controls before handling covered data. Having a secure posture and training staff on proper security from the onset of the project prevents the development of risky behavior and increases the likelihood of staff adopting secure solutions.
For institutions already handling covered data, a System Security Plan should be developed to document systems and security controls in place. From this document, a Plan of Action should be developed which describes efforts to correct deficiencies and reduce risk. The approach of addressing security after the fact often requires more time and effort, as user processes are already in place. Significant changes to established processes will require staff buy-in and retraining. Institutions in this position need to be working on this process now to ensure the covered data they are responsible for is protected.