Taking Steps Toward DFARS Compliance: Multi-Factor Authentication

Posted by Michael Bailie on Oct 25, 2016 10:37:22 AM


As previously discussed in the CyberSheath blog, government contractors who process, store or transmit Covered Defense Information (CDI) are required by DFARS 252.204-7008 to comply with the 14 control families of NIST SP 800-171 by December 2017. The clause dictates the security requirements specified by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. The intent of the directive is to ensure that the safeguards implemented to protect CDI are consistent across the nonfederal information systems used for work contracted by the US government.


Topics: DFARS, cybersecurity

Part Four: In-Depth Look at PAM Controls for DFARS Requirements

Posted by James Creamer on Oct 24, 2016 9:51:43 AM

As part of an ongoing series on using privileged account management solutions to meet DFARS requirements, CyberSheath’s security consultants have explored technical controls in great detail, providing readers with real-world applications that make a meaningful impact. This week CyberSheath continues with the NIST SP 800-171 control “separate the duties of individuals to reduce the risk of malevolent activity without collusion”.


Topics: CyberArk, Security Assessment, DFARS, PAM

Part Three: In-Depth Look at PAM Controls for DFARS Requirements

Posted by James Creamer on Oct 12, 2016 1:16:32 PM


CyberSheath’s security consultants and implementation engineers have previously written about utilizing privileged account management solutions to meet DFARS requirements, and this week James Creamer continues to explore DFARS control requirements in detail.


Topics: CyberArk, Security Assessment, DFARS, PAM

Part Two: In-Depth Look at PAM Controls for DFARS Requirements

Posted by James Creamer on Sep 26, 2016 10:23:49 AM


Last week CyberSheath began a new series, “In-Depth Look at PAM Controls for DFARS Requirements”, dedicated to providing a detailed analysis of how privileged account management solutions play an important role in helping organizations meet DFARS requirements.


Topics: CyberArk, Security Assessment, DFARS, PAM

Don’t Let CUI Fly Away…

Posted by Michael Bailie on Sep 21, 2016 10:23:52 AM


If you have been following the CyberSheath blog, you might have seen an increased focus on the updated DFARS regulations. These regulations impose a new federal requirement that government contractors who process, transmit or store controlled unclassified information (CUI) comply with the NIST 800-171 controls. The December 2017 compliance deadline is fast approaching, and contractors must meet the requirements of the regulation or face possible penalties. The federal government continues to prioritize its cybersecurity initiatives and isn’t slowing down.


Topics: DFARS

Part One: In-Depth Look at PAM Controls for DFARS Requirements

Posted by James Creamer on Sep 12, 2016 11:51:14 AM


In previous posts, CyberSheath security analysts have identified the new cybersecurity requirements introduced by the recent changes to DFARS and have provided solution overviews for meeting them. The series “In-Depth Look at PAM Controls for DFARS Requirements” expands on those regulations and provides a more granular look at how privileged account management solutions can play an important role in meeting DFARS requirements.


Topics: CyberArk, Security Assessment, DFARS, PAM

Part Two: FAR Ruling 52.204-21 Security Requirements

Posted by Ross Moir on Jun 21, 2016 9:44:56 AM


This is part two of a continuing series on the Federal Acquisition Regulation (FAR) ruling 52.204-21, Basic Safeguarding of Covered Contractor Information Systems. If you haven’t read part one, please take a few minutes to read it before continuing.

In May, the federal government announced an update to FAR 52.204-21 that imposes rules and requirements similar to those of the Defense Federal Acquisition Regulation Supplement rule 252.204-7012, Safeguarding Covered Defense Information. These requirements, although not explicitly tied to NIST 800-171, are characterized as comparable; NIST 800-171 is the standard that DFARS adopted for its requirements. The new FAR regulations apply to contractors that are not part of the Department of Defense supply chain.


Topics: DFARS

Safeguarding of Contractor Information Systems Expands Beyond DFARS 252.204-7012

Posted by Ross Moir on Jun 1, 2016 2:36:26 PM

This is the first in a multi-part series on the new FAR subpart 4.19 clause.

Recently, the US Government issued a final rule to the Federal Acquisition Regulation (FAR) to “add a new subpart and contract clause for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information”. This is a new mandatory regulation, similar to the requirements the US Department of Defense established in the Defense Federal Acquisition Regulation Supplement (DFARS).



Topics: DFARS

Important DFARS Terms You Need to Know

Posted by Ross Moir on Apr 14, 2016 9:12:44 AM


DFARS Terms

Navigating DFARS clause 252.204-7012 can be a daunting task when your organization has never seen the clause before, and the recent updates changed some of its language and expanded its scope to apply protections more broadly to certain sensitive information. This post, an add-on to the three-part series over the last several weeks on changes to DFARS clause 252.204-7012, provides additional details about the confusing terms in the clause. If you haven’t read the other posts, please take a few minutes to do so, and then come back to this one.

Clause 252.204-7012 is titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”. As reported over the last three weeks, the Department of Defense has expanded the scope of the clause, updated the security control requirements, and broadened the categories into which Controlled Unclassified Information falls. The following are important terms and information categories that your organization should be familiar with and look for on your next contracting engagement with the Department of Defense. Unless otherwise noted, all definitions and terms are taken directly from clause 252.204-7012.


Topics: DFARS

DFARS Updates and Changes | Post 2: NIST 800-53 r4 vs 800-171

Posted by Ross Moir on Mar 23, 2016 4:58:10 PM

In August and December 2015, the Defense Federal Acquisition Regulation Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors. If you have been following our blog, we first reported on the changes back in January. It is important to understand these changes and how they will affect your organization. This series of posts views the DFARS updates from a high level. If you haven’t read last week’s post, you can do that here.

This week’s post boils down the primary differences between NIST 800-53 r4 and 800-171. For starters, both documents are sets of standards published by the National Institute of Standards and Technology (NIST), a federal government organization that produces standards on a variety of topics, including information security. Back in 2013, when DFARS 252.204-7012 was issued as a final rule, it relied on NIST 800-53 r4 as the de facto standard that contractors had to follow to meet the DFARS objective of safeguarding Controlled Unclassified Information (CUI). In August 2015, DFARS was updated and its security control requirements were replaced: NIST 800-53 r4 was swapped out for NIST 800-171.


Topics: Security Assessment, DFARS