Military/Defense Contractors

All defense contractors and subcontractors who process covered defense information (CDI) are required to meet DFARS clause 252.204-7012, also known as Safeguarding Covered Defense Information and Cyber Incident Reporting.

Layer 7 Data Solutions has developed a program custom-designed to help manufacturers and machine shops meet DFARS compliance. The DFARS cybersecurity clause itself contains few technical controls; it requires contractors to implement the NIST SP 800-171 framework, which is organized into the fourteen requirement families listed below.

The 14 NIST SP 800-171 Requirement Families

  • Access Control – Least privilege, separation of duties, limit unsuccessful login attempts, screen lock after a set idle period, encrypt CUI on mobile devices, wireless access must require a password

  • Awareness & Training – Security awareness training, training on malicious insider threats (online or in-person)

  • Audit & Accountability – Each user’s actions must be able to be uniquely traced, synchronization of IT systems’ clocks, correlation of logs from different systems

  • Configuration Management – Hardened server and workstation images, application whitelisting/blacklisting

  • Identification & Authentication – Multifactor authentication, unique user accounts (not shared), minimum password complexity

  • Incident Response – Written plan tailored to each organization’s requirements. Must be regularly tested.

  • Maintenance – Sanitize systems of CUI when it is no longer needed, check media with diagnostic/test programs for malicious code before it is used in an information system

  • Media Protection – Mark media with CUI as having CUI, lock drawers of paper with CUI, encrypt media, prohibit portable devices that don’t have an identifiable owner

  • Physical Protection – Escort visitors, log physical building / room access, ensure teleworker sites (work from home) are secure

  • Personnel Security – Background checks, pre-employment screening

  • Risk Assessment – Vulnerability scanning, periodic risk assessments

  • Security Assessment – Periodically assess technical controls, monitor and assess the effectiveness of security controls (Penetration Testing)

  • System and Communication Protection – Explicit deny-all-by-default network rules, encryption at rest and in transit, effective subnetting

  • System & Information Integrity – Protect from malicious code (AV/anti-malware), SIEM / IPS to detect unauthorized use of systems
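The Audit & Accountability and Access Control items above are easier to picture with data in hand. The following Python script is an added example written for this page (it is not Layer 7's tooling and not text from NIST SP 800-171): it takes constructed log lines from two systems whose clocks use different conventions, normalizes both to UTC, builds a per-user timeline so every action traces back to one account, and flags accounts that exceed a failed-login threshold the way a SIEM rule would. The source names (`vpn`, `fs`), the `key=value` field layout and the sample users are assumptions made for the example.

```python
"""Added example: cross-system log correlation with clock normalization,
per-user traceability and a failed-login burst check."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample logs (not from the page). The VPN appliance records
# UTC timestamps; the file server records local time with a -05:00 offset.
# Without normalizing clocks, the file-server events would appear to happen
# five hours *before* the VPN logins that preceded them.
VPN_LOG = """\
2024-03-04T13:00:05Z vpn user=jdoe action=login result=FAIL
2024-03-04T13:00:09Z vpn user=jdoe action=login result=FAIL
2024-03-04T13:00:14Z vpn user=jdoe action=login result=FAIL
2024-03-04T13:00:20Z vpn user=jdoe action=login result=OK
2024-03-04T13:02:00Z vpn user=asmith action=login result=OK
"""
FILESERVER_LOG = """\
2024-03-04 08:01:10 -0500 fs user=jdoe action=read file=/cui/drawing-17.pdf
2024-03-04 08:01:40 -0500 fs user=jdoe action=copy file=/cui/drawing-17.pdf dest=usb-drive
2024-03-04 08:03:00 -0500 fs user=asmith action=read file=/cui/bom.xlsx
"""

VPN_RE = re.compile(r"^(\S+)Z vpn (.*)$")
FS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) fs (.*)$")


def _kv(rest):
    """Split 'a=b c=d' into a dict (assumed log layout)."""
    return dict(item.split("=", 1) for item in rest.split())


def parse_vpn_line(line):
    """VPN entries are already UTC; attach the tz explicitly so comparisons work."""
    m = VPN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "vpn", **_kv(m.group(2))}


def parse_fileserver_line(line):
    """File-server entries carry a local offset; convert them to UTC."""
    m = FS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": "fs", **_kv(m.group(2))}


def load_events(vpn_log=VPN_LOG, fileserver_log=FILESERVER_LOG):
    """Parse both sources and return one timeline ordered by normalized UTC time."""
    events = []
    for line in vpn_log.splitlines():
        ev = parse_vpn_line(line)
        if ev:
            events.append(ev)
    for line in fileserver_log.splitlines():
        ev = parse_fileserver_line(line)
        if ev:
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def timeline_for(events, user):
    """Every action attributed to one unique account, across systems, in order."""
    return [(e["ts"].isoformat(), e["source"], e.get("action"))
            for e in events if e.get("user") == user]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: most failed logins inside any `window`} for accounts
    reaching `threshold`; the kind of condition a SIEM alert or lockout
    policy would act on."""
    fails = defaultdict(list)
    for e in events:
        if e.get("action") == "login" and e.get("result") == "FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in fails.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    evs = load_events()
    for row in timeline_for(evs, "jdoe"):
        print(*row)
    print("flagged:", failed_login_bursts(evs))
```

Run as-is to see jdoe's merged timeline: three VPN failures, a success, then a read and a copy of a CUI file on the file server, all in the correct order only because the file-server offset was normalized. Swap in real exports from your own systems by replacing the two regexes and the sample strings.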

The process for helping military contractors comply is as follows:

  • Step 1: Gap Assessment

    • What does the regulation say I need to be doing vs. what I’m doing today?

  • Step 2: Create an Incident Response Plan

    • Preparation

    • Discovery

    • Notification

    • Analysis

    • Containment

    • Restoration

  • Step 3: Implement Changes based on Gap Analysis

    • Written information security policies

    • Implementation of hardware and software

    • Network segmentation

    • Encryption