Government contractors – especially those working with the Department of Defense – have recently come under fire for poor data security. These organizations often hold and use sensitive data in their work, and a security breach has consequences not only for the business but the U.S. government as a whole. This statement is especially true for DoD contractors, who may have access to classified weapons plans or military strategies.
Unfortunately, per a report from BitSight Technologies, a significant number of contractors aren't nearly as secure as they need to be. When scored on the tech company's security ratings scale, federal agencies scored an average of 15 points higher than contractors. In fact, more than half of the latter businesses scored a letter grade below C in terms of protective technology. Furthermore, 20 percent of technology and defense contractors work on outdated internet browsers, and more than 8 percent of healthcare contractors have disclosed a data breach since 2016.
Something clearly needs to be done, and thankfully, the government is taking the issue seriously. In 2015, the DoD added clause 252.204-7012 ("Safeguarding Covered Defense Information and Cyber Incident Reporting") to the Defense Federal Acquisition Regulation Supplement (DFARS). The clause sets minimum security requirements for contractors that process, store or transmit Controlled Unclassified Information (CUI) on their own systems. Contractors had until Dec. 31, 2017 to comply. Those that haven't yet must do so immediately or risk losing their working partnership with the DoD.
Complying with DFARS
DFARS does not define its own controls. Clause 252.204-7012 requires contractors to implement NIST Special Publication 800-171, a set of 110 security requirements grouped into 14 families. NIST has also published a self-assessment handbook (NIST Handbook 162) that walks through each requirement; both documents are available on the NIST website.
Requirements in the handbook's Access Control family, for example, include:
- Limiting access only to authorized users (rather than every employee).
- Limiting the functions that authorized users can perform.
- Controlling the flow of information so only relevant individuals have access.
- Separating duties so that no single employee can carry out a sensitive operation from start to finish alone, which means misuse requires collusion and is easier to detect.
- Limiting unsuccessful logon attempts, for example by locking the account after a set number of consecutive failures, either for a fixed period or until an administrator unlocks it.
- Automatically terminating user sessions after a defined condition, such as a certain period of inactivity.
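To make the last two requirements above concrete, here is an added example, written for this article and not code from NIST, the DoD or any contractor, of a small Python login controller that locks an account after a set number of consecutive failed logons and terminates a session after a period of inactivity. The thresholds, the user "alice", the demo password and the fake clock are constructed for the demo; SP 800-171 leaves the actual limits to the organization's own policy.

```python
"""Added example: consecutive-failure lockout and idle-session termination.
Not from the original article, NIST or the DoD; limits below are assumed values."""
from dataclasses import dataclass
import hmac
import secrets
import time
from typing import Dict, Optional

MAX_FAILURES = 5            # consecutive failures before lockout (assumed policy value)
LOCKOUT_SECONDS = 900       # how long the account stays locked (assumed)
IDLE_TIMEOUT_SECONDS = 600  # session ends after this much inactivity (assumed)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_activity: float


class AccessController:
    """Tracks failed logons per account and idle time per session.
    `verify_password` is injected to keep the example self-contained; a real
    deployment would check a salted password hash or an MFA provider."""

    def __init__(self, verify_password, clock=time.time):
        self._verify = verify_password
        self._clock = clock
        self._accounts: Dict[str, AccountState] = {}
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token on success, None on failure or lockout."""
        now = self._clock()
        acct = self._accounts.setdefault(user, AccountState())
        if now < acct.locked_until:
            # Locked: refuse before checking the password so a correct guess
            # made during the lockout window does not leak that it was correct.
            return None
        if not self._verify(user, password):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0  # counter restarts once the lockout expires
            return None
        acct.failures = 0  # a successful logon resets the consecutive-failure count
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, last_activity=now)
        return token

    def is_locked(self, user: str) -> bool:
        acct = self._accounts.get(user)
        return acct is not None and self._clock() < acct.locked_until

    def authorize(self, token: str) -> Optional[str]:
        """Return the session's user if it is still live, else None.
        An idle session is removed, not merely flagged, so the same token
        cannot be revived by a later request."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        sess.last_activity = now  # activity extends the session
        return sess.user


# --- constructed demo data (not from the article) --------------------------
_DEMO_USERS = {"alice": "correct horse battery staple"}


def demo_verify(user: str, password: str) -> bool:
    # Plaintext comparison is acceptable only in this toy demo.
    expected = _DEMO_USERS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode())


class FakeClock:
    """Controllable clock so the timeouts can be exercised offline."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_demo() -> dict:
    """Exercise lockout and idle timeout; every value returned should be True."""
    clock = FakeClock()
    ac = AccessController(demo_verify, clock=clock)
    pw = _DEMO_USERS["alice"]
    r = {}
    for _ in range(MAX_FAILURES):
        ac.login("alice", "wrong")
    r["locked_after_max_failures"] = ac.is_locked("alice")
    r["correct_pw_rejected_while_locked"] = ac.login("alice", pw) is None
    clock.advance(LOCKOUT_SECONDS + 1)
    r["unlocked_after_window"] = not ac.is_locked("alice")
    token = ac.login("alice", pw)
    r["login_ok_after_window"] = token is not None
    clock.advance(IDLE_TIMEOUT_SECONDS - 1)
    r["active_before_idle_limit"] = ac.authorize(token) == "alice"
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    r["terminated_after_idle"] = ac.authorize(token) is None
    r["token_not_revived"] = ac.authorize(token) is None
    return r


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Two design points matter for an assessor. First, a locked account rejects every attempt without evaluating the password, so the lockout cannot be used as an oracle to confirm a guess. Second, an idle session is deleted rather than marked stale, so termination is actually enforced rather than left to the caller to honour. The injectable clock is what lets the behaviour be demonstrated without waiting out real timeouts.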
The full handbook, and SP 800-171 itself, is far more thorough than the few examples shown here. As such, compliance can be incredibly difficult for contractors who don't know what they're doing.
Businesses do have the option of self-assessing, as the handbook makes clear, but leaving the assessment to an inexperienced eye can lead to critical oversights or misreadings of a requirement that ultimately cost the company its contract with the DoD. It's best to assign DFARS compliance to an experienced security professional.
If contractors have no such employees on their staff, they can hire a third-party consultant – specifically one experienced in government compliance. Doing so can remove a lot of the headaches of evaluating and updating security, especially if the company in question has several improvements to make.
Regardless of which option they choose, contractors must make certain their processes comply as soon as possible, lest they lose the support of the government and suffer financial consequences.