Cybersecurity is critical to all businesses, especially small businesses. Continuing from our previous section, Cybersecurity Plans & Implementation for Small Business, next we cover cybersecurity standards related to government contracting, particularly defense contracting, though these standards are applicable regardless of whether or not you are seeking to become a government contractor, as they are comprehensive. Special thanks to the Center for Infrastructure & Security Assurance for their guidance on this topic.
Government Contracting Cybersecurity Standards
The Department of Defense (DoD) requires small business contractors to comply with their cybersecurity standards for the protection of unclassified data. These requirements are outlined through several regulations, covered comprehensively by the DoD (Protecting Unclassified Information) and summarized below for your convenience:
Defense Federal Acquisition Regulation Supplement (DFARS)
The Defense Federal Acquisition Regulation Supplement Part 252 “Solicitation Provisions and Contact Clauses” (DFARS 252.204) governs cybersecurity requirements for federal contractors. It requires that contractors provide adequate security, report cyber incidents, submit any malicious software discovered and submit media to support damage assessment.
- Multi-factor authentication of local and network access
- FIPS-validated cryptography to protect CUI when transmitted or stored externally
- Develop a NIST SP 800-171 System Security Plan
- Possess External Certificate Authority (ECA) as verified by DCMA
- Report cyber incidents within 72 hours to DoD. Submit an incident report, any malicious software and provide access to information systems
DFARS further requires that contractors implement the National Institute for Standards and Technology (NIST) Special Publication 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” (NIST SP 800-171).
Access Control
- Limit information systems to authorized users
- Limit information system access to permitted transactions and functions
Awareness and Training
- Ensure manages, administrations and users are aware of policies, standards and procedures
- Ensure personnel are adequately trained to carry out assigned duties and responsibilities
Audit and Accountability
- Create, protect and retain information system audit records
- Ensure the actions of individual users can be uniquely traced to those users
Configuration Management
- Establish and maintain inventories of information systems (hardware, software, firmware)
- Establish and enforce security configuration systems
Identification and Authentication
- Identify information users, process acting on behalf of users, or devices
- Authenticate (verify) the identities of those users, processes or devices prior to allowing access
Incident Response
- Establish an incident-handling capacity for detection, containment, recovery and user response
- Track, document and report incidents to appropriate officials and/or authorities
Maintenance
- Perform maintenance on organizational information systems
- Provide controls on the tools, techniques, mechanisms and personnel conducting maintenance
Media Protection
- Protect information system media containing CUI both paper and digital
- Limit access to CUI on information system media to authorized users
- Sanitize or destroy information system media containing CUI before disposal or release for reuse
Personnel Security
- Screen individuals prior to authorizing access to information systems containing CUI
- Ensure that CUI are protecting during and after termination and transfers
Physical Protection
- Limit physical access to information systems, equipment, and the respective operating environments
- Protect and monitor the physical facility and support infrastructure for information systems
Risk Assessment
- Periodically assess the risk to operations, assets and individuals from information systems
- Periodically assess the risk associated with processing, storing or transmitting CUI
Security Assessment
- Periodically assess the security controls of information systems
- Implement a plan of action to correct deficiencies and reduce or eliminate vulnerabilities
- Monitor information system security controls on an ongoing basis
- Develop, document, and periodically update security system plans
- Ensure that security system plans describe system boundaries, operational environments, implementation of security requirements, and relationships or connections to other systems
Systems and Communications Protection
- Monitor, control and protect communications at the internal and external boundaries
- Employ secure architectural designs, software development and systems engineering principles
System and Information Integrity
- Identify, report and correct information and system flaws in a timely manner
- Provide protection from malicious code at appropriate locations
- Monitor information security alerts and take responsive action, if needed
To read these government contracting regulations in their entirety visit: DFARS 252.204 and NIST SP 800-171
For more information on government contracting visit: Department of Defense Office of Small Business
To determine whether your business has met the requirements for government contracting visit: Cybersecurity Evaluation Tool and NIST Self-Assessment Handbook
To receive help with government contracting visit: Procurement Technical Assistance Center or Find Your Local SBDC
More on Cybersecurity for Small Businesses
To continue learning about Cybersecurity for Small Businesses, view our next section:
Or return to Cybersecurity Basics for Small Business, Cyber Attacks & Defenses for Small Business, and Cybersecurity Plans & Implementation for Small Business.
Additional Small Business Resources
Already in business or thinking about starting your own small business? Check out our various small business resources:
- View more business reports here: Small Business Snapshots
- View industry-specific research here: Market Research Links
- View small business help topics here: Small Business Information Center
- View business plans samples here: Sample Business Plans
Remember, you can also receive free professional business advice and free or low-cost business training from your local Small Business Development Center!