Do you need to become compliant with the Defense Federal Acquisition Regulation Supplement (DFARS)? The Department of Defense (DoD) has issued a regulation, DFARS 252.204-7015, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires federal contractors and subcontractors who have access to Controlled Unclassified Information (CUI) to protect that information from unauthorized disclosure. In order to protect your company and ensure compliance with DFARS, follow these six steps:
- Understand the requirements of DFARS 252.204-7015. This regulation applies to any contractor or subcontractor who “has or will have access to CUI” whether it is in an electronic or physical form. The regulation covers safeguarding CUI from unauthorized access, use, or disclosure both inside and outside the company.
- Assign a responsible individual or team to manage your company’s compliance with DFARS. This individual or team will be responsible for developing and implementing policies and procedures to protect CUI, training employees on how to handle CUI safely and securely, and monitoring compliance with the regulation.
- Develop policies and procedures to protect CUI. Your policy and procedures should include steps to protect CUI from unauthorized access, use, or disclosure both inside and outside the company. It is important to tailor your policy and procedures to your specific company’s needs, including the type of information you are protecting and the systems you use to store and transmit that information.
- Train employees on how to handle CUI safely and securely. Employees who have access to CUI must be trained on how to protect it from unauthorized access, use, or disclosure. The training should include information on the policies and procedures your company has put in place to protect CUI.
- Monitor compliance with DFARS 252.204-7015. It is important to regularly monitor your company’s compliance with DFARS 252.204-7015. This includes reviewing and updating your policies and procedures as needed, training employees on updated procedures, and testing your security measures to ensure they are effective.
- Report cyber incidents. DFARS 252.204-7015 requires federal contractors and subcontractors to report any cyber incidents that could have resulted in the unauthorized access, use, or disclosure of CUI. Report these incidents as soon as possible to the DoD Cyber Crime Center (DC3).
By following these six steps, you can ensure that your company is compliant with Defense Federal Acquisition Regulation Supplement and protect Controlled Unclassified Information from unauthorized access, use, or disclosure. Your company’s compliance with DFARS is important not only to meet the requirements of the regulation, but also to protect your business and its customers.
If you are unsure whether your company is compliant with DFARS, or need help implementing the required security measures, consider partnering with a Managed Security Service Provider like SysArc that specializes in DFARS consulting. SysArc can help you develop and implement a compliant security program, and provide ongoing monito