Many federal contractors are realizing that they don’t have much time to enhance their systems if they want to maintain their contracts with the federal government. There are now “Basic Safeguarding” requirements in place with only a few months left to comply. These rules apply to contractors who work with the U.S. Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA), with an amended rule to the Federal Acquisition Regulation (FAR) to ensure proper security controls are in place with contractors. This isn’t surprising with the number of data breaches experienced including those sourced from contractors. The requirements are known as DFARS (Defense Federal Acquisition Regulation Supplement clause) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting with 15 new security requirements in addition to previous requirements.
The 15 new requirements are as follows:
| FAR Clause 52.204-21(b)(1) | NIST 800- 171 Reference | Basic or Derived | 800-171 Family |
| (i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). | 3.1.1 | Basic | Access Control |
| (ii) Limit information system access to the types of transactions and functions that authorized users are permitted to execute. | 3.1.2 | Basic | Access Control |
| (iii) Verify and control/limit connections to and use of external information systems. | 3.1.20 | Derived | Access Control |
| (iv) Control information posted or processed on publicly accessible information systems. | 3.1.22 | Derived | Access Control |
| (v) Identify information system users, processes acting on behalf of users, or devices. | 3.5.1 | Basic | Identification and Authentication |
| (vi) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | 3.5.2 | Basic | Identification and Authentication |
| (vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. | 3.8.3 | Basic | Media Protection |
| (viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | 3.10.1 | Basic | Physical Protection |
| (ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices. | 3.10.3, 3.10.4, 3.10.5 | Derived | Physical Protection |
| (x) Monitor, control, and protect organizational communications (i.e. information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | 3.1, 3.1 | Basic | System and Communication Protection |
| (xi) Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | 3.1, 3.5 | Derived | System and Communication Protection |
| (xii) Identify, report, and correct information and information system flaws in a timely manner. | 3.14.1 | Basic | System and Information Integrity |
| (xiii) Provide protection from malicious code at appropriate locations within organizational information systems. | 3.14.3 | Basic | System and Information Integrity |
| (xiv) Update malicious code protection mechanisms when new releases are available. | 3.14.4 | Derived | System and Information Integrity |
| (xv) Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | 3.14.5 | Derived | System and Information Integrity |
While these new requirements cover a broad range of topics, there are 2 specific services that are available that will help any organization meet their DFARS requirements.
These include:
- SIEM-as-a-Service
- SOC-as-a-Service
DFARS Managed SIEM
At a high level, a system is needed to aggregate, alert, and notify when there is a threat to the organization. Timely notifications of critical events is the main function of a SIEM. With a Managed SIEM, you can utilize your existing virtualized infrastructure to host the SIEM but don’t need to have any of the expertise in-house to build, manage, or maintain it. The data remains securely on your infrastructure with data retention policies that you define. All the compliance reporting, alerting, and tuning happens by experts in a cost effective OpEx model at a fraction of what it would take to hire in-house expertise.
DFARS SOC-as-a-Service
Most compliance regulations and standards require a cybersecurity professional to review events and logs on a periodic basis. Different requirements have different monitoring standards. Regardless of the frequency of the review, maintaining this level of staff in-house becomes extremely cost prohibitive. Outsourcing this function to a qualified 3rd party SOC-as-a-Service (SOCaaS) provider is a great option.
CAUTION: If evaluating other vendors, be sure that you select a vendor that has 100% US-based staff.
Conclusion
Federal contractors are being required to lift the bar on cybersecurity awareness and solutions, yet these new requirements do not mean that you need to spend a ton of CapEx or hire additional personnel. Working with the right partner can help you easily meet these requirements in a very cost effective way. Talk to StratoZen today about how we can help you meet your DFARS requirements.
