DFARS (the Defense Federal Acquisition Regulation Supplement) clause 252.204-7012, commonly called the cyber DFARS clause, is the Department of Defense requirement that contractors implement the security requirements of NIST SP 800-171 on the systems that handle covered defense information. DFARS compliance is mandatory for DoD contractors and for subcontractors whose work involves covered defense information; its purpose is to protect the confidentiality of Controlled Unclassified Information (CUI) and to ensure that cyber incidents affecting that information are reported. Failure to comply with DFARS can result in suspension, financial penalties, termination of the contract, or even debarment from working with the Department of Defense.
What is a DFARS Compliance Checklist?
A DFARS compliance checklist is a self-assessment tool for evaluating whether a company with a DoD contract has implemented the security requirements of NIST SP 800-171, as part of demonstrating compliance with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Simplify DFARS Compliance with Self-assessment Checklists
A DFARS compliance self-assessment checklist is a tool used by manufacturers and contractors to evaluate the mechanisms currently in place for securing the information systems that handle CUI. Self-assessment checklists can also serve as a guide for contractors working toward compliance with DFARS rules and regulations.
Below are sample questions you can use in your DFARS self-assessment checklist, grouped by the NIST SP 800-171 requirement families. They are derived from NIST Handbook 162, the NIST MEP “Self Assessment Handbook” for NIST SP 800-171:
- Access Control
  - Does the company have an authentication mechanism?
  - Does the company use access control lists to limit access to applications and data based on role and/or identity?
  - Are users granted only the privileges they need to do their jobs (least privilege)?
- Awareness and Training
  - Do all users, managers, and system administrators receive initial and annual training commensurate with their roles and responsibilities?
  - Does security training include how to communicate employee and management concerns regarding potential indicators of an insider threat?
  - Does security awareness training include practical exercises that simulate actual cyberattacks?
- Audit and Accountability
  - Does the company perform audit log analysis and review?
  - Can the company uniquely trace unauthorized actions to individual users and hold them accountable?
  - Does the company review and update the set of audited events annually, after substantial system changes, or as otherwise needed?
- Configuration Management
  - Are baseline configurations developed, documented, and maintained for each information system type?
  - Are baseline configurations developed and approved in conjunction with the Chief Information Security Officer (CISO) or equivalent and the information system owner?
  - Are changes to the system authorized by company management and documented?
- Identification and Authentication
  - Does the system use company-assigned accounts so that each individual’s access is unique?
  - Are initial passwords randomly generated strings, provided to each employee through a password reset mechanism?
  - Is multifactor authentication used for network access to privileged and non-privileged accounts?
- Incident Response
  - Is there a company incident response policy that specifically outlines requirements for handling incidents involving CUI?
  - Is there a company incident response policy that specifically outlines requirements for tracking and reporting incidents involving CUI to the appropriate officials?
  - Does the company regularly test its incident response capability and review and improve it based on the results?
- Maintenance
  - Are IT system maintenance tools (e.g., diagnostic, scanning, and patching tools) managed and controlled?
  - Are controls in place that limit the tools, techniques, mechanisms, and personnel used to maintain information systems, devices, and supporting systems?
  - Are all activities of maintenance personnel who do not normally have access to a system monitored?
- Media Protection
  - Are documented workflows, data access controls, and media policies enforced to ensure proper access control?
  - Is access to media from CUI systems provided only to approved individuals?
  - Are digital and non-digital system media sanitized before disposal or release for reuse?
- Personnel Security
  - Are individuals requiring access screened before access is granted?
  - Does the company revoke the authenticators and credentials associated with an employee upon termination or transfer within a defined timeframe (e.g., 24 hours)?
  - Does the company retrieve all company information-system-related property from a terminated or transferred employee within a defined timeframe (e.g., 24 hours)?
- Physical Protection
  - Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (including guards, locks, cameras, card readers, etc.) that limit physical access to those areas to authorized employees only?
  - Has the facility/building manager reviewed the location and type of physical security in use (including guards, locks, card readers, etc.) and evaluated its suitability for the company’s needs?
  - Are all visitors to sensitive areas escorted at all times by an authorized employee?
- Risk Assessment
  - Does the company have a risk management policy?
  - Are systems periodically scanned for known and newly disclosed vulnerabilities?
  - When a vulnerability is identified, do system owners and company managers produce an action plan to remediate, accept, avoid, or transfer the associated risk?
- Security Assessment
  - Is a periodic (e.g., annual) security assessment conducted to verify that security controls are implemented correctly and meet the security requirements?
  - Are deficiencies and weaknesses identified during security assessments added to the plan of action within a specified timeframe (e.g., 30 days) of the findings being reported?
  - Is there an assessor or assessment team that monitors the security requirements on an ongoing basis?
- System and Communications Protection
  - Does the system monitor and control communications at the system boundary and at key internal boundaries within the system?
  - Does the company employ architectural designs, software development techniques, and systems engineering principles that promote effective information security?
  - Does the system prevent remote devices that have established a connection to the system (e.g., remote laptops) from simultaneously communicating with resources on uncontrolled or unauthorized networks outside that connection (i.e., is split tunneling prevented)?
- System and Information Integrity
  - Are system flaws identified, reported, and corrected within company-defined time periods?
  - Does the system automatically update its malicious code protection mechanisms?
  - Does the company monitor security alerts and advisories and issue internal alerts and directives in response?
Moving Beyond Compliance
Complying with DFARS is vital for DoD contractors. Implementing the required controls not only reduces the risk of breaches involving CUI but also produces evidence that the company’s security measures are in place and working. Conducting regular assessments such as risk assessments, gap analyses, and DFARS self-assessments provides the data and insights you need to improve your information systems.
iAuditor, the world’s most powerful inspection app, helps you perform these assessments and gives you the insights you need to make your information systems more secure and efficient. Use iAuditor to:
- Perform assessments and inspections anytime, anywhere using your mobile or tablet device
- Uncover areas for improvement with Analytics
- Automatically get comprehensive reports when you finish an audit