Military/Defense Contractors
All defense contractors and subcontractors who process covered defense information (CDI) are required to meet DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
Layer 7 Data Solutions has developed a program custom-designed to help manufacturers and machine shops meet DFARS compliance. The safeguarding requirements of the DFARS clause are, in effect, a pointer to the NIST SP 800-171 framework (the clause also carries its own cyber incident reporting obligations), and NIST SP 800-171 is organized into the fourteen requirement families listed below.
The 14 NIST SP 800-171 Requirement Families
- Access Control – Least privilege, separation of duties, limit unsuccessful login attempts, session lock after a period of inactivity, encrypt CUI on mobile devices, wireless access must be authenticated and encrypted
- Awareness & Training – Security awareness training, training on recognizing malicious insider threats (online or in-person)
- Audit & Accountability – Each user's actions must be uniquely traceable to that user, synchronization of IT systems' clocks to an authoritative time source, correlation of logs from different systems
- Configuration Management – Hardened server and workstation images, application whitelisting/blacklisting
- Identification & Authentication – Multifactor authentication, unique (not shared) user accounts, minimum password complexity
- Incident Response – A written plan tailored to each organization's requirements. Must be regularly tested.
- Maintenance – Sanitize equipment of CUI before it leaves the site for maintenance; check media containing diagnostic and test programs for malicious code before using them in an information system
- Media Protection – Mark media containing CUI as such, lock drawers of paper containing CUI, encrypt media, prohibit portable storage devices that have no identifiable owner
- Physical Protection – Escort visitors, log physical building/room access, ensure alternate work sites (e.g., work from home) safeguard CUI
- Personnel Security – Background checks, pre-employment screening
- Risk Assessment – Vulnerability scanning, periodic risk assessments
- Security Assessment – Periodically assess technical controls, monitor and assess the effectiveness of security controls (e.g., penetration testing)
- System and Communications Protection – Deny network traffic by default and allow by exception, encryption at rest and in transit, effective subnetting
- System & Information Integrity – Protection from malicious code (AV/anti-malware), SIEM/IPS to detect unauthorized use of systems
The process for helping military contractors comply is as follows:
Step 1: Gap Assessment
- What does the regulation say I need to be doing vs. what I'm doing today?

Step 2: Create an Incident Response Plan
- Preparation
- Discovery
- Notification
- Analysis
- Containment
- Restoration

Step 3: Implement Changes Based on the Gap Analysis
- Written information security policies
- Implementation of hardware and software
- Network segmentation
- Encryption