This New Year’s Eve won’t offer much cause for celebration if federal contractors fail to meet the Dec. 31 deadline to comply with the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements (clause 252.204-7012). Failure to meet the requirements could mean a breach of contract, liability under the False Claims Act and many other consequences.
DFARS covers a lot of ground, from how contractors and subcontractors safeguard covered defense information (unclassified but controlled) to incident response planning and cyber incident reporting.
A few months ago, the U.S. Department of Defense (DoD) held an “Industry Day” to confirm that the timeline for DFARS compliance had not changed. As an Industry Day attendee noted in a blog post, the onus is on contractors to self-verify before entering into an agreement with the government.
“When you sign a contract award, you are attesting to the fact that you are compliant – unless you turn in a list of what compliance requirements haven’t yet been completed within 30 days from your contract award,” the post said.
Elements To Keep in Mind As Your DFARS Compliance Strategy Takes Shape
1. Flexibility to Meet Range Of Requirements
As Steven Snyder noted in an article on Law360, provisions in DFARS include coverage, departures and the National Institute of Standards and Technology (NIST) Special Publication 800-171, which deals with the protection of controlled unclassified information (CUI) in nonfederal systems, not classified information.
“Combining the strict verbiage of the DFARS cyber regulations with the comprehensive nature of the NIST CUI requirements creates a formidable compliance challenge for any contractor and its subcontractors,” Snyder wrote.
A reliance on static passwords alone, for instance, won’t address all the areas that DFARS compliance requires; NIST SP 800-171 calls for multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
2. Ability To Act Fast
Lexology reported that being able to deploy solutions quickly will be essential, given the response times DFARS requires.
“In addition to preventive cybersecurity measures, DoD contractors will also be required to ‘rapidly report’ cyber incidents to the DoD within 72 hours of discovery, provide any malicious software to the DoD Cyber Crime Center, preserve a copy of affected systems for 90 days from a report, and allow DoD access for a forensic analysis,” the article said.
3. User-Friendly Solution
DFARS compliance is causing considerable confusion. The non-profit Cyber Collaboration Center, for instance, has recently announced nationwide training to build awareness and address the training and legal implications. Once in place, solutions need to be both effective and frictionless for users, and capable of working online and offline while supporting both network and local access.
4. Low Cost of Ownership and Measurable ROI
Information protection is critical but needs to align with economic realities. As Zophia Consulting noted, “Most companies are tasking their Facility Security Officers and/or IT staff with compliance duties on top of their other already busy days. Our colleagues expressed dismay at the unplanned and unexpected high costs of compliance not just in this budget year, but in their added lifecycle costs.”
5. Multi-Credential Platform
An overview of DFARS requirements on InsideGovernmentContracts.com makes it clear that multifactor authentication is a minimum for compliance. That means at least two different factor types, for example something you know (a password), something you have (a fob or mobile app) and something you are (a biometric credential); two passwords do not count as two factors. “(Physical) presence within a secure facility cannot be used as a substitute for one of the factors under multifactor authentication,” the post noted.
Learn more about how Crossmatch’s DigitalPersona can replace or augment traditional passwords to provide a positive user experience in a matter of days, without tokens or additional costly hardware and training. You’ll not only meet the DFARS deadline, but do so in a way that eases the pain of getting there.
Jeff Carpenter is Director of Identity and Access Management solutions at Crossmatch. In this role, he is responsible for evangelizing Crossmatch’s DigitalPersona® solution. In his 10+ years in cybersecurity, Jeff has held positions with a number of top-tier cybersecurity and technology companies; most recently he was with RSA, a Dell Technologies company. Jeff earned a Bachelor of Science degree in Business Administration from Creighton University in Omaha, Nebraska. He holds both the Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) designations.