Strengthening Defense, Protecting Data.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity regulations that requires all Department of Defense (DoD) prime contractors and subcontractors to implement “adequate security” based on a set of security controls referenced in NIST SP 800-171, and to conduct cyber incident analysis and reporting.
Elevate can help you assess your systems and processes to efficiently assess and manage DFARS compliance with each specific legislation/mandate.
Like any other gap analysis, the first step is to conduct a comprehensive review of all systems and processes. This analysis is then used to determine where you stand against the minimum requirements outlined in DFARS.
The outcome of the Gap Analysis is used to create the appropriate remediation plan in order to bring all systems and procedures into DFARS compliance. Elevate will also provide the documentation necessary to prove compliance with the DoD.
To Meet Minimum Requirements, DoD Contractors Must:
- Provide adequate security, and
- Conduct cyber incident analysis and reporting
Adequate Security is provided by implementing “protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.”
A covered contractor information system is subject to the security requirements in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. DFARS contains fourteen groups of security requirements covering various components of IT information security. Contractor information systems must pass a readiness assessment of the following NIST SP 800-171 guidelines:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Cyber incident analysis and reporting require an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.