The U.S. Department of Defense (DoD) recently released updates to its DoD Federal Acquisition Regulations (DFARS) pertaining to cybersecurity and IT management. These updates are important if you deal with government contracts because they outline an essential need for MSP services and IT support personnel to be compliant according to DFARS. The new clause deals specifically with how you must handle controlled, yet unclassified information to satisfy federal cybersecurity regulations.
Know What Data You Need to Protect
While cybersecurity laws concerning IT management of government contracts and information are not new, the definition of the information you must protect has expanded. The National Archives and Records Administration (NARA) issued a statement in September 2016 that expanded how controlled unclassified information (CUI) must be protected and identified which information falls into that category.
According to NARA and DFARS, this applies to a long list of information defined in the CUI list of protected data which includes everything from sensitive contract information and your MSP services to your business banking and accounting data. The December 2017 deadline for compliance is rapidly approaching.
Cybersecurity Compliance Requirements
Compliance requirements are complex since there are different requirements for different information and devices. Important points to consider when arranging your IT management and IT support include the requirement for multifactor authentication that includes the following:
- Passwords
- One-time password generation
- Fingerprint or iris identification to meet compliance
- The location where sensitive information is stored
There are also a number of requirements relating to encryption on mobile devices and the need to segregate protected data from all other data on your various devices. Therefore, business networks that will have access to this information must be properly set up and secured by your MSP services to meet all DFARS requirements.
Security Regulations Concerning Cloud Services
In addition to those mentioned above, DFARS requires additional security measures for cloud computing and cloud-based IT management. This applies whenever contractors use any kind of cloud service to process or host data for the DoD and/or if a cloud server is used as an integral part of your managed IT support services.
Additionally, specific cybersecurity risk assessment and management procedures apply to contractors who store, use, or transmit any protected data via the cloud. Your cloud provider must also comply with all requirements regarding data preservation, protection against malware, and reporting of cyber incidents that threaten security. They must also have the means to perform damage assessment and other forensics in the event of a security breach.
If you are a government contractor and are not yet in compliance with DFARS, the time to ensure that your IT management is ready for the December compliance deadline is now. With the right IT support in place, you can continue to pursue government contracts with confidence and without the risk of penalties for lack of compliance.
Discuss your needs with MSP services that are experienced in DFARS as well as government compliance and can help you comply with the recent changes regarding increased cybersecurity!
