DFARS Updates and Changes | Post 1: Expanded Scope and Definitions

Posted by Ross Moir on Mar 16, 2016 11:30:49 AM

In August and December 2015, the Defense Federal Acquisition Regulation Supplement (DFARS) received updates that are crucial for the 10,000-plus defense contractors. If you have been following our blog, we first reported on the changes back in January. It is important to understand these changes and how they will affect your organization. This series of blog posts will look at the DFARS updates from a high level.


When we talk about DFARS, which in and of itself is a very large “document,” we are focusing on a specific clause: 252.204-7012. This is the clause that underwent major surgery starting in August 2015, when the first interim rule was released. That rule effectively expanded the scope of protection by defining “Covered Defense Information.” In this blog post, we will cover the expanded scope and go into a little more detail about the definitions.



Topics: DFARS

7 Ways a PAM Solution Can Help You Meet DFARS NIST 800-171 Regulations

Posted by Yanni Shainsky on Mar 14, 2016 5:30:58 PM

On June 18, 2015, NIST released the final version of SP 800-171, which provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in nonfederal information systems. In August 2015, DFARS clause 252.204-7012 replaced the original NIST 800-53 r4 controls with NIST 800-171, which we detailed earlier here. CyberSheath has integrated the requirements laid out in NIST 800-171 into our security assessment process, which already included all NIST 800-53 controls and in-depth reporting on the DFARS-specific controls.

Out of the new 800-171 controls, a handful deal specifically with privileged access. Privileged Account Management (PAM) is a way for organizations to manage credentials with administrative rights to ensure the accounts stay safe. CyberArk, a PAM solution and trusted CyberSheath partner, offers a suite of products designed to optimize privileged account creation while keeping the keys to the kingdom safe.

The following is a list of the top 7 ways in which CyberArk's PAM solution can help an organization meet the SP 800-171 guidelines:



Topics: Privileged Accounts, DFARS, PAM

Vulnerability Management and Medical Device Manufacturers

Posted by Ross Moir on Feb 18, 2016 8:51:21 AM

Recent updates from the FDA on securing network-connected medical devices show that there is growing concern for security surrounding the medical industry. Hospital networks, medical devices, and other critical infrastructure are all at risk. An article from Threatpost.com last week covered the Kaspersky Lab Security Analyst Summit, in which a researcher from Kaspersky Lab was able to breach a Moscow hospital network. What did he find? According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients, but also their physical well-being.”


Topics: Vulnerability Management, Security Assessment, DFARS

A Closer Look at New FDA Cybersecurity Guidance for Medical Devices

Posted by Ross Moir on Jan 27, 2016 1:30:09 PM

I recently uncovered an interesting statistic from CMO.com that says: “…Right now, most IoT smart devices aren’t in your home or phone; they are in factories, businesses and health care…” IoT stands for Internet of Things and is a way to categorize devices that are networked together over the Internet. This statistic, which comes from an Intel infographic, hits the mark, especially with health care. Networked medical devices have been around for years now and their usage is increasing. The threat to them is also increasing. In fiction, a hacker on Homeland assassinated the fictional vice president of the United States by hacking his pacemaker. While that was television, the threat is real. In 2012, a researcher was able to adjust the dosage of insulin by reprogramming an insulin pump and delivered a fatal dose. Upon reading this and other articles, it came as no surprise that the US Food and Drug Administration has decided to do something about it.


Topics: DFARS

DFARS Update: 12/2017 Implementation Requirement Not a Grace Period

Posted by Ross Moir on Jan 8, 2016 11:52:41 AM

The push to formalize cyber security controls via the DFARS started in 2007/2008, with the initial Defense Industrial Base (DIB) framework agreements being negotiated and signed on a company-by-company basis with the Department of Defense (DoD). This work matured into what became DFARS 252.204-7012, issued in 2013.

In July 2015, CyberSheath published the post “DFARS Cyber Security Requirements Growing Clearer.” Since that posting there has been additional guidance and interim rules established by the DoD. The interim rule, released in August 2015, amended DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, and DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. It provided additional guidance and established NIST 800-171 as the standard to which defense contractors must adhere for the security requirements identified therein.


Topics: DFARS

There is No Industry Average for Security Maturity

Posted by Mark Walsh on Dec 23, 2015 12:35:10 PM


“There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.” – Ernest Hemingway

When planning for a security maturity assessment by an independent third party, many organizations ask if their results can be compared to other companies in their specific industry. On the surface this “benchmarking” seems to be a reasonable request. CIOs want to spend as much on security as their peers; CISOs want to be “as secure” as their competitors. Nobody wants to devote wildly more or fewer resources to the effort than others in their industry. However, the request to see your company’s security maturity “score” stacked side-by-side with other companies is not attainable, for two reasons.


Topics: Security Assessment, DFARS

DFARS Cyber Security Requirements Growing Clearer

Posted by Lia Konieczny on Jul 7, 2015 2:42:00 PM

In November of 2013, the Department of Defense released DFARS clause 252.204-7012, which required defense contractors and subcontractors to provide adequate security to safeguard DoD unclassified controlled technical information resident on or transiting through their unclassified information systems from unauthorized access and disclosure.

Since the publication of the regulations, some defense contractors have struggled to define how to comply. Is there an assessing or auditing entity in the government? Is there a “passing” score? Can I be certified as compliant? All of these questions remained somewhat unanswered, and it was up to each organization to do its best to show some kind of evidence to its prime contractors and customers that it was satisfying the DFARS regulations.

CyberSheath was one of the first independent security consultants to offer an assessment that measures and documents a company’s DFARS compliance, providing pragmatic recommendations and a clear roadmap to obtain compliance. We also know that basing an organization’s compliance program on only the 51 DFARS controls is not enough. We have always considered the full list of NIST 800-53 Low and Moderate controls to be the standard by which organizations should measure their maturity, and we specifically call out the 51 DFARS controls during a larger NIST assessment effort, demonstrating adherence to the regulation while also gaining a true picture of the company’s security posture.


Topics: DFARS