- The Department of Defense and General Services Administration have streamlined contract language and cross-agency requirements for contractors.
- Many contracting organizations' IT departments are active in identifying, mitigating, and eliminating cybersecurity threats that attempt to attack systems and equipment.
- Recent cybersecurity failures, such as the Equifax breach, have sparked reform and discussion around protecting private information and sensitive data.
- Cybersecurity breaches result in stolen intellectual property, compromised personal information, interruption in services and supply lines, damaged reputation, and monetary loss.
- Less than 30% of contractors have a security risk assessment plan in place.
- Compliance with the Department of Defense's Defense Federal Acquisition Regulation Supplement (DFARS) clause for safeguarding covered defense information and cyber incident reporting is expensive and time consuming, and can be a deterrent to winning government contracts.
- Establish security requirements with well-defined guidelines for all personnel including subcontractors and independent support entities.
- Work across functions within the organization to review present security requirements and identify gaps. Implement and track changes to ensure compliance with DFARS standards.
- Test technological and physical security systems to verify proper function and maintain an ongoing monitoring and scanning log.
TEACH LIFE A LESSON
PRODUCT: DFARS NIST Compliance Toolkit
ACTIVITY 1: Outline Subcontractor Requirements
Contractors must include DFARS Clause 252.204-7012 to outline security expectations for subcontractors. This clause applies specifically to subcontractors performing operationally critical support, or whose work involves covered contractor information systems. It is the contractor's role to provide, ensure, validate, and audit the baseline compliance standards that protect information. Subcontractors must comply with the guidance supplied by the contractor. Ensure all contract language complies with the clause and provide this information to subcontractors.
ACTIVITY 2: Work Toward Compliance
Making measurable steps toward compliance is the key to success. Create and publish robust standards for guarding sensitive material, private data, and proprietary information that go beyond the minimum requirements. Establish a security culture by modeling behavior, monitoring for issues, and correcting and retraining personnel as needed. Upgrade firewalls and endpoint security to safeguard information from hacking and infiltration. Consider purchasing a customized Microsoft Windows domain, which can improve compliance with DFARS requirements by up to 35%.
ACTIVITY 3: Invest in Protection
Some third-party IT programs can charge $5,000-$10,000 to secure files in your data cloud. Instead of purchasing the software, contact your insurance company. Property and casualty insurance often includes coverage for cybersecurity and data breaches. Have your current policy reviewed by an underwriter and make adjustments to cover cyber incidents, for a cost saving of $15,000 to $30,000 a year in cloud security expenses.