The Defense Federal Acquisition Regulations (DFAR) are changing for cyber security. Below are the minimum cyber security requirements required by a company that is currently in the Defense supply chain. These requirements must be met by December 31, 2017 unless extended once again by the Defense department. If you are a Tier 1 supplier, it is all but certain the company will be required to meet these minimum requirements. If you are in the supply chain, it will be up to the main supplier to push these requirements “down the chain”. It should be expected this will occur as the Tier 1 supplier could be in jeopardy of losing their Defense contract if the entire process does not meet the minimum criteria. If you need assistance with meeting the expectations- Call MANTEC First- 717-843-5054
- Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- Limit unsuccessful login attempts.
AWARENESS AND TRAINING
- Ensure that managers, systems administrators, and all users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- Provide security awareness training on recognizing and reporting potential indicators of insider threat.
- Create, protect, and retain system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity.
- Protect audit information and audit tools from unauthorized access, modification, and deletion.
- Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- Control and monitor ALL user-installed software.
IDENTIFICATION AND AUTHENTICATION
- Enforce a minimum password complexity and change of characters when new passwords are created.
- Prohibit password reuse for a specified number of generations.
- Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
- Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
- Perform maintenance on organizational systems. Applying systems updates in an appropriate timely manner.
- Ensure equipment removed for off-site maintenance is sanitized of any Controlled Unclassified Information.
- Protect (i.e., physically control and securely store) system media containing Controlled Unclassified Information, both paper and digital.
- Mark media with necessary Controlled Unclassified Information markings and distribution limitations.
- Screen individuals prior to authorizing access to organizational systems containing Controlled Unclassified Information.
- Ensure that Controlled Unclassified Information and organizational systems containing Controlled Unclassified Information are protected during and after personnel actions such as terminations and transfers.
- Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity.
- Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of Controlled Unclassified Information.
- Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
- Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
SYSTEM AND COMMUNICATIONS PROTECTION
- Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
- Implement cryptographic mechanisms to prevent unauthorized disclosure of Controlled Unclassified Information during transmission unless otherwise protected by alternative physical safeguards.
SYSTEM AND INFORMATION INTEGRITY
- Provide protection from malicious code at appropriate locations within organizational systems.
- Update malicious code protection mechanisms when new releases are available.