Organizations already working with the Department of Defense will be familiar with the requirements for DFARS compliance, and with how difficult it is to keep on top of them.
The Defense Federal Acquisition Regulation Supplement (DFARS) is updated multiple times each year. Organizations must not only keep their own systems current with the DFARS compliance requirements but, since December 2017, also ensure that their contractors' systems and any cloud-based services they use comply with those requirements.
The December 2017 update to the DFARS (NIST SP 800-171) affected any non-federal entity that handles government data categorized as "Controlled Unclassified Information" (CUI) in circumstances where no other law exists to protect that data. The update requires organizations to review the controls on the data they receive and on the systems where it is stored, and to make changes as necessary.
Many of the 2017 changes to the requirements for DFARS compliance are standard best practices wherever sensitive data is involved. They include security measures such as access controls, data encryption, limiting unsuccessful login attempts, on-demand reporting, and timeouts/session locks so that data displayed on unattended monitors and mobile devices can't be viewed by unauthorized third parties.
Organizations subject to the requirements for DFARS compliance should therefore define what CUI they manage, map the locations in which it is stored, implement a least-privilege model for who has access to it, and monitor when, where, and by whom the data is accessed. Mechanisms should also be put in place to alert system administrators to abnormal activity.
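The controls described above (a map of where CUI lives, a least-privilege list of who may read each store, a cap on failed login attempts, and alerting on abnormal access) can be expressed as a small monitoring routine. The following Python is an added example, not code from the original article or from any DFARS or NIST publication; the CUI store names, roles, thresholds, business-hours window and the access events are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical CUI inventory (constructed): each CUI store maps to the set of
# roles allowed to read it. This is the "map the locations" plus
# "least privilege" piece: anything not listed here is not a CUI store.
CUI_STORES = {
    "s3://cui-contract-drawings": {"engineering"},
    "fileshare://cui-export-controlled": {"export-compliance", "engineering"},
    "db://cui-personnel": {"hr"},
}

# Illustrative policy knobs (assumed values, not mandated by DFARS).
MAX_FAILED_LOGINS = 3                 # lock the account on the third failure
FAILURE_WINDOW = timedelta(minutes=15)  # failures older than this are forgotten
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 local time


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime      # when the access was attempted
    user: str         # who attempted it
    role: str         # role the user held at that moment
    resource: str     # which store was touched
    success: bool     # True if the access actually succeeded


def is_authorized(event: AccessEvent) -> bool:
    """Least-privilege check: a CUI store may only be read by its listed roles."""
    allowed = CUI_STORES.get(event.resource)
    if allowed is None:
        return True  # not a CUI store, outside this policy's scope
    return event.role in allowed


def detect_alerts(events):
    """Walk events in time order and return (kind, user, resource) alerts.

    Three abnormal conditions are flagged:
      UNAUTHORIZED_ROLE - a successful read of a CUI store by a role not on its
                          allow list (indicates a permission misconfiguration)
      LOCKOUT           - MAX_FAILED_LOGINS failures by one user inside
                          FAILURE_WINDOW (the "limit unsuccessful attempts" control)
      OFF_HOURS_ACCESS  - a successful CUI read outside BUSINESS_HOURS
    """
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked_users = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if not ev.success:
            # keep only failures still inside the sliding window, then add this one
            recent = [t for t in failures[ev.user] if ev.ts - t <= FAILURE_WINDOW]
            recent.append(ev.ts)
            failures[ev.user] = recent
            if len(recent) >= MAX_FAILED_LOGINS and ev.user not in locked_users:
                locked_users.add(ev.user)
                alerts.append(("LOCKOUT", ev.user, ev.resource))
            continue
        if ev.resource not in CUI_STORES:
            continue  # successful access to a non-CUI resource: nothing to report
        if not is_authorized(ev):
            alerts.append(("UNAUTHORIZED_ROLE", ev.user, ev.resource))
        if ev.ts.hour not in BUSINESS_HOURS:
            alerts.append(("OFF_HOURS_ACCESS", ev.user, ev.resource))
    return alerts


def sample_events():
    """Constructed access log for the example (not real data)."""
    d = datetime(2024, 3, 4)  # a Monday
    at = lambda h, m: d.replace(hour=h, minute=m)
    return [
        AccessEvent(at(9, 0), "alice", "engineering", "s3://cui-contract-drawings", True),
        AccessEvent(at(9, 5), "bob", "hr", "s3://cui-contract-drawings", True),
        AccessEvent(at(8, 0), "eve", "contractor", "db://cui-personnel", False),
        AccessEvent(at(8, 5), "eve", "contractor", "db://cui-personnel", False),
        AccessEvent(at(8, 30), "eve", "contractor", "db://cui-personnel", False),
        AccessEvent(at(9, 10), "mallory", "contractor", "db://cui-personnel", False),
        AccessEvent(at(9, 11), "mallory", "contractor", "db://cui-personnel", False),
        AccessEvent(at(9, 12), "mallory", "contractor", "db://cui-personnel", False),
        AccessEvent(at(9, 13), "mallory", "contractor", "db://cui-personnel", False),
        AccessEvent(at(10, 0), "dave", "engineering", "fileshare://cui-export-controlled", True),
        AccessEvent(at(23, 30), "carol", "hr", "db://cui-personnel", True),
    ]


def run_example():
    return detect_alerts(sample_events())


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running the block reports bob's out-of-role read (a permission that should not exist under least privilege), mallory's lockout on the third failure within fifteen minutes (the fourth failure adds nothing because the account is already locked), and carol's late-night read of the personnel store. Eve's three failures are spread over thirty minutes, so the sliding window never holds three at once and no lockout fires; that is the distinction between a brute-force pattern and an ordinary mistyped password.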
Over the past several years, new trends have arisen in the public sector including modernizing legacy systems, improving cybersecurity, and Central IT assuming the role of a cloud service broker. Read about them here.