What CISOs must know about DFARS and NIST to be compliant
The end of 2017 marked the start of a new compliance era: Department of Defense (DoD) contractors and subcontractors must now meet the cybersecurity requirements of the Defense Federal Acquisition Regulation Supplement (DFARS).
The relevant DFARS clause (252.204-7012) requires contractors to implement the security requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
But what does this mean for chief information security officers?
NIST publishes standards and guidance that many private-sector organizations already follow to prevent, detect and respond to attacks. The DFARS rule (a regulation, not legislation) is intended to safeguard controlled unclassified information (CUI) against growing cybersecurity threats by requiring affected organizations to adequately protect the processes, systems and contracts that handle it. A contractor that fails to meet these requirements risks losing its current contracts and becoming ineligible to bid on new ones.
Concerned about these new requirements? Below is some advice on how to stay compliant, the consequences of failing to do so, and the key capabilities that should be part of your planning architecture when deciding how to meet the mandatory compliance objectives.
How Privilege Management and Application Control Map Back
Privilege management and application control map to many of the controls in SP 800-171, which is hardly surprising given the proven effectiveness of the two controls in combination and the visibility they provide.
Privilege management grants admin rights to individual applications as needed, rather than giving the user a fully privileged account. Application control decides whether an application is allowed to run at all, by whitelisting or blacklisting it.
Together, the two technologies give a lot of bang for the buck. Between them they address controls in the access control (3.1, for example least privilege in 3.1.5), audit and accountability (3.3), configuration management (3.4, including the deny-by-exception or permit-by-exception software policy in 3.4.8), maintenance (3.7) and system and information integrity (3.14) families.
Failure to Comply
Compliance is crucial for CISOs because those who fail to comply will likely lose government contracts, while organizations that can demonstrate compliance early may be better placed to win additional ones.
Cyber incidents have risen by nearly 40 percent in the last three years, at an estimated cost of $400 billion. What is largely agreed is that the DoD needs its contractors' help to succeed in its mission, and the department made no changes to the December 31, 2017 deadline.
Best Practice for Measuring and Reporting Success
A key challenge that organizations need to address is auditing. Under DFARS you are specifically required to create and retain audit records sufficient to monitor, investigate and report unlawful or unauthorized system activity (SP 800-171 control 3.3.1). In practice that means establishing a baseline of what "normal" looks like for a system and logging everything that deviates from it.
The reason users can run unauthorized activity in the first place is usually that admin rights are not controlled and no application control is in place, so anyone can do anything. Logging the exceptions does not mean recording every time somebody in the finance department opens the calculator.
CISOs should create a baseline of normal activity and record everything outside it, always in the context of what that activity means for the CUI the organization holds. Here are a few very simple data records that are relevant to everyone and that you need to be able to track:
- How many users are logging in with admin, and how many are standard users?
- What are they doing when they are logged in?
- What applications are being installed by users?
- Which applications require extra privileges to run?
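As an added illustration (not code from the original article), the following Python script collates those four data points from constructed sample audit records and flags process starts that fall outside a per-host baseline, which is the "record everything else" part of the approach. The JSON-lines record shape, the field names and the baseline itself are assumptions made for this example; real sources such as Windows Security and AppLocker event logs or an endpoint privilege management console carry the same information in their own formats.

```python
import json
from collections import Counter

# Constructed sample audit records (NOT real event-log output), one JSON
# object per line. The field names are assumptions made for this example.
SAMPLE_LOG = """\
{"ts":"2018-01-08T08:01:12Z","event":"logon","user":"alice","host":"fin-01","is_admin":false}
{"ts":"2018-01-08T08:03:40Z","event":"logon","user":"bob","host":"it-admin-02","is_admin":true}
{"ts":"2018-01-08T08:05:02Z","event":"process_start","user":"alice","host":"fin-01","process":"calc.exe","elevated":false}
{"ts":"2018-01-08T08:07:19Z","event":"process_start","user":"alice","host":"fin-01","process":"psexec.exe","elevated":true}
{"ts":"2018-01-08T08:09:55Z","event":"install","user":"carol","host":"fin-01","package":"7zip"}
{"ts":"2018-01-08T08:10:30Z","event":"logon","user":"carol","host":"fin-01","is_admin":true}
{"ts":"2018-01-08T08:12:01Z","event":"process_start","user":"bob","host":"it-admin-02","process":"powershell.exe","elevated":true}
{"ts":"2018-01-08T08:15:44Z","event":"process_start","user":"carol","host":"fin-01","process":"excel.exe","elevated":false}
{"ts":"2018-01-08T13:02:09Z","event":"logon","user":"alice","host":"fin-01","is_admin":false}
"""

# Constructed baseline: what "normal" looks like per host role. Anything
# outside this set is the activity worth recording; calc.exe on a finance
# workstation is not.
BASELINE = {
    "fin-01": {"excel.exe", "outlook.exe", "calc.exe", "chrome.exe"},
    "it-admin-02": {"powershell.exe", "mmc.exe", "outlook.exe"},
}


def parse_records(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # A malformed line is worth noting elsewhere but must not stop review.
            continue
    return records


def logon_summary(records):
    """How many logons were admin vs standard, and which users did each."""
    summary = {"admin_logons": 0, "standard_logons": 0,
               "admin_users": set(), "standard_users": set()}
    for r in records:
        if r.get("event") != "logon":
            continue
        if r.get("is_admin"):
            summary["admin_logons"] += 1
            summary["admin_users"].add(r["user"])
        else:
            summary["standard_logons"] += 1
            summary["standard_users"].add(r["user"])
    return summary


def installs(records):
    """Which applications users are installing, as (user, host, package)."""
    return [(r["user"], r["host"], r["package"])
            for r in records if r.get("event") == "install"]


def elevated_apps(records):
    """Which applications needed extra privileges to run, with counts."""
    return Counter(r["process"] for r in records
                   if r.get("event") == "process_start" and r.get("elevated"))


def exceptions(records, baseline):
    """Process starts outside the host's baseline: these are the records to keep."""
    flagged = []
    for r in records:
        if r.get("event") != "process_start":
            continue
        allowed = baseline.get(r["host"], set())  # unknown host: nothing is normal
        if r["process"] not in allowed:
            flagged.append((r["ts"], r["user"], r["host"],
                            r["process"], bool(r.get("elevated"))))
    return flagged


def build_report(text, baseline=BASELINE):
    """Collate the four data points from the article plus the baseline exceptions."""
    records = parse_records(text)
    return {
        "logons": logon_summary(records),
        "installs": installs(records),
        "elevated_apps": elevated_apps(records),
        "exceptions": exceptions(records, baseline),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG)
    logons = report["logons"]
    print(f"admin logons: {logons['admin_logons']} by {sorted(logons['admin_users'])}")
    print(f"standard logons: {logons['standard_logons']} by {sorted(logons['standard_users'])}")
    print("installs:", report["installs"])
    print("apps needing elevation:", dict(report["elevated_apps"]))
    for ts, user, host, proc, elevated in report["exceptions"]:
        print(f"EXCEPTION {ts} {user}@{host} ran {proc} elevated={elevated}")
```

On the constructed input the only exception is alice launching psexec.exe with elevation on a finance workstation; bob's elevated PowerShell on the admin host is in that host's baseline and is counted only as an application that needs extra privileges. The per-host baseline is what keeps the log focused on deviations rather than on every calculator launch.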
At a minimum, these data points are essential to collate, because another DFARS mandate is that you must report cyber incidents directly to the Department of Defense (within 72 hours of discovery, under clause 252.204-7012) with as much supporting information as possible.
Today's most successful CISOs work with their teams to identify key compliance gaps and make immediate plans to address them, putting reporting processes in place so that this information is reviewed at least once a month.
It is crucial to note that such compliance measures usually enforce security best practices and follow similar frameworks, so addressing the foundations first and improving basic security on the endpoint will cover multiple mandates at once.