This article will discuss the following:
Failure to comply with DFARS, also known as the cyber DFARS clause 252.204-7012, can result in suspension, financial penalties, termination of contract, or even debarment from working with the Department of Defense.
What is a DFARS Compliance Checklist?
A DFARS compliance checklist is a tool used in performing self-assessments to evaluate if a company with a DoD contract is implementing security standards from NIST SP 800-171 as part of the process for ensuring compliance with DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Maintain DFARS Compliance with Self-Assessment Checklists
A DFARS compliance self-assessment checklist is a tool used by manufacturers or contractors to evaluate current mechanisms in place to ensure adequate security for information systems. Self-assessment checklists can also serve as a guide for DoD contractors in complying with DFARS rules and regulations.
A Guide to DFARS Compliance Requirements
Below are sample questions you can use for your DFARS compliance self-assessment checklist. These questions are derived from the “Self-Assessment Handbook NIST– Handbook 162” provided by the NIST:
- Does the company have an authentication mechanism?
- Does the company use access control lists to limit access to applications and data based on role and/or identity?
- Do you only grant enough privileges to users to allow them to do their job?
DFARS Training and Awareness
- Do all users, managers, and system administrators receive initial and annual training commensurate with their roles and responsibilities?
- Does security training include how to communicate employee and management concerns regarding potential indicators of an insider threat?
- Are practical exercises included in security awareness training that simulates actual cyberattacks?
DFARS Audit and Accountability
- Does the company perform audit analysis and review?
- Can the company uniquely trace and hold accountable users responsible for unauthorized actions?
- Does the company review and update audited events annually or in the event of substantial system changes or as needed?
- Are baseline configurations developed, documented, and maintained for each information system type?
- Are baseline configurations developed and approved in conjunction with the Chief Information Security Officer (CISO) or equivalent and the information system owner?
- Are changes to the system authorized by company management and documented?
Identification and Authentication
- Does the system make use of company-assigned accounts for unique access by individuals?
- Are initial passwords randomly generated strings provided via a password reset mechanism to each employee?
- Is multifactor authentication used for network access to privileged and non-privileged accounts?
- Is there a company incident response policy which specifically outlines requirements for handling of incidents involving CUI?
- Is there a company incident response policy that specifically outlines requirements for tracking and reporting of incidents involving CUI to appropriate officials?
- Does the company test its incident response capabilities for regular testing and reviews/improvements?
- Are IT system maintenance tools (e.g., tools used for diagnostics, scanner and patching tools) managed?
- Are controls in place that limit the tools, techniques, mechanisms, and employees used to maintain information systems, devices, and supporting systems?
- Are all activities of maintenance personnel (who do not normally have access to a system) monitored?
- Are documented workflow, data access controls, and media policy enforced to ensure proper access controls?
- Is access to media from CUI systems provided only to approved individuals? Does the company only provide access to media from CUI systems to approved individuals?
- Is system digital and non-digital media sanitized before disposal or release for reuse?
- Are individuals requiring access screened before access is granted?
- Does the company revoke authentication/ credentials associated with the employee upon termination or transfer within a certain timeframe? (e.g., 24 hours)
- Does the company retrieve all company information system-related property from the terminated or transferred employee within a certain timeframe? (e.g., 24 hours)
- Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (including guards, locks, cameras, card readers, etc.) to limit physical access to the area to only authorized employees?
- Has the facility/building manager reviewed the location and type of physical security in use (including guards, locks, card readers, etc.) and evaluated its suitability for the company’s needs?
- Are all visitors to sensitive areas always escorted by an authorized employee?
- Does the company have a risk management policy?
- Are systems periodically scanned for common and new vulnerabilities?
- Do system owners and company managers upon recognition of any vulnerability provide an action plan for remediation, acceptance, avoidance, or transference of the vulnerability risk?
- Has a periodic (e.g., annual) security assessment been conducted to ensure that security controls are implemented correctly and meet the security requirements?
- Are deficiencies and weaknesses identified in security requirements assessments added to the action plan within a specified timeframe (e.g., 30 days) of the findings being reported?
- Is there an assessor or assessment team to monitor the security requirement in the system on an ongoing basis?
System and Communications Protection
- Does the system monitor and manage communications at the system boundary and at key internal boundaries within the system?
- Are the company’s information security policies (including architectural design, software development, and system engineering principles) designed to promote information security?
- Does the system prevent remote devices that have established connections (e.g., remote laptops) with the system from communicating outside that communications path with resources on uncontrolled/unauthorized networks?
System and Information Integrity
- Are system flaws identified, reported, and corrected within company-defined time periods?
- Does the system automatically update malicious code protection mechanisms?
- Are internal security alerts, advisories, and directives generated?
iAuditor for DFARS Compliance
DFARS compliance is essential for DoD contractors. Applying DFARS standards not only protects the company against security breaches but also ensures the integrity of its security measures. Conducting regular assessments such as risk assessment, gap analysis, and DFARS compliance self-assessment helps in providing data you can use to improve your information systems.
As one of the best compliance software, iAuditor by SafetyCulture can help you perform these assessments and get you the insights you need to make your information systems more efficient, reliable, and secure. Use iAuditor to:
- Perform assessments and inspections anytime, anywhere with any mobile device
- Uncover areas for improvement with analytics and create corrective actions
- Automatically get comprehensive reports after completing compliance audits
Get started for free with iAuditor today or download one of our free DFARS compliance checklist templates below.