Being Unprepared is Not an Option -- Security Today

Being Unprepared is Not an Option

What does the future hold for audit and compliance?

By Simon Hill
Mar 18, 2019

The cyber landscape has become so sophisticated that data breaches are now nothing new. Hackers are able to get their hands on countless sources of critical data and use it to their advantage, affecting millions and millions of consumers and citizens across the United States and beyond.

However, there are also many data breaches that aren’t in the public eye; there is a data goldmine that sits within the United States Federal Government which isn’t as widely documented, but just like anything, must be kept secure. The consequences of this data being stolen are extremely severe, with risks posed to state, national and global security if it falls into the wrong hands.

To combat this, the federal government must adhere to numerous policies and regulations to ensure the security of the data held. But, not all of these regulations and policies are applied to organizations sitting outside of the federal government, for example, contractors, which handle sensitive federal data when providing their services. This information must be protected to the same standards applied to federal organizations, and one regulation that is gaining attention is DFARS, the Defence Federal Acquisition Regulation Supplement which has the purpose of addressing this.

DFARS compliance has a primary objective of protecting Controlled Unclassified Information (CUI) and it is mandatory for any outside organization that conducts business with the Department of Defence (DoD) and as a result, processes, stores or transmits CUI. In particular, DFARS Clause 252.204-7012 compels DoD contractors to implement processes and controls to ensure that CDI is kept secure and that reporting mechanisms are in place to ensure cybersecurity incidents are reported.

The scope of DFARS increased in December 2017 to introduce mandatory cybersecurity requirements for contractors and subcontractors to the DoD. Despite this, awareness of the regulation is still low and many contractors are unprepared for an impending audit, oblivious of the challenges it can bring.

The Fine Print

The majority of the requirements of DFARS Clause 252.204-7012 arise from the obligation to meet all of the requirements set out in the NIST SP 800-171 publication. This governs how CUI should be handled and safeguarded in non-federal information systems and organizations.

A primary NIST SP 800-171 requirement is to “implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative safeguards”. Unfortunately, this amounts to challenges and frustrations for many IT departments or individuals, as deploying encryption solutions is thought to be complex, costly and time-consuming. This is not welcome news to departments that are often restricted on budgets and resource. When standard solutions are deployed in an attempt to overcome this, the networks team can become blinded from knowing the type of traffic being encrypted, increasing the difficulty of their day-to-day operations and tasks.

Compliance is Not a Choice

Adhering to regulations such as DFARS is not an option for contractors; it isn’t something that can be implemented when or if time and resource is spare. However, complicated solutions aren’t the only way forward, and they shouldn’t be accepted as the ‘norm’. Network-agnostic solutions focus on protecting the data itself, providing an alternative to the solutions that focus on protecting the network infrastructure and eliminating the cost and complexity usually associated with the deployment of encryption. It is these factors that usually turn encryption into something organizations want to ignore. Additionally, focusing on data rather than the network allows for network visibility, enabling IT teams can continue to do their jobs effectively and that data in transit is protected, meeting the fundamental DFARS requirement.

Who Should be Granted Access?

This is a fundamental question asked by many organizations and is a key challenge of DoD contractor environments. Which personnel should be granted access to which information? In order to adhere to the NIST SP 800-171 requirement, contractors must “establish and manage cryptographic keys for cryptography employed in organizational systems”.

The question is answered with secure, role-based management systems, that allow only authorized access to security policies and the associated encryption keys. With this, contractors can be assured that the CUI within the system is secure and protected; at the same time ensuring that the requirements of DFARS are being adhered to. And the solution is future proof; even if the keys are stolen once, they won’t be able to be used again, as the encryption keys are rotated per policy at the interval prescribed by the authorized user.

Time is Running Out

We know that meeting DFARS cybersecurity requirements can bring several challenges for DoD contractors, but now is the time to adopt the right policies and strategies. The DoD now has various means of enforcement, with cybersecurity clauses being included in both vendor prime and subcontracts for DoD projects. There really is no escape: vendors who do not comply risk not only losing business opportunities with the DoD, but worse, could then be liable for breach of contract actions. It’s not an option, it’s not a choice, and it doesn’t have to be complicated. It’s time to stop shying away from regulations and face them head-on.

i-PRO Certified as a 2025 Great Place to Work Around the World
11/20/2025
Motorola Solutions Acquires Blue Eye
11/19/2025
Allied Universal Named to Forbes List of America’s Best Companies
11/19/2025
SIA Names Jonathan Aguila as 2025 Insightful Practitioner Award Honoree
11/13/2025
Allied Universal Receives Top 50 Learning and Development Team Award
11/13/2025
PSA Network Joins the Foundation for Advancing Security Talent (FAST) as an Exclusive Member
11/12/2025
IPTECHVIEW Launches AI Orchestrator Cloud Video Management Platform
11/12/2025
barox Appoints Industry Veteran Reinhard Florin as Vice President of North America Sales
11/06/2025

Featured

Cost: Reactive vs. Proactive Security

Security breaches often happen despite the availability of tools to prevent them. To combat this problem, the industry is shifting from reactive correction to proactive protection. This article will examine why so many security leaders have realized they must “lead before the breach” – not after. Read Now
- Facility Security
Achieving Clear Audio

In today’s ever-changing world of security and risk management, effective communication via an intercom and door entry communication system is a critical communication tool to keep a facility’s staff, visitors and vendors safe. Read Now
- Facility Security
Beyond Apps: Access Control for Today’s Residents

The modern resident lives in an app-saturated world. From banking to grocery delivery, fitness tracking to ridesharing, nearly every service demands another download. But when it comes to accessing the place you live, most people do not want to clutter their phone with yet another app, especially if its only purpose is to open a door. Read Now
- Access Control
Survey: 48 Percent of Worshippers Feel Less Safe Attending In-Person Services

Almost half (48%) of those who attend religious services say they feel less safe attending in-person due to rising acts of violence at places of worship. In fact, 39% report these safety concerns have led them to change how often they attend in-person services, according to new research from Verkada conducted online by The Harris Poll among 1,123 U.S. adults who attend a religious service or event at least once a month. Read Now
- Facility Security
AI Used as Part of Sophisticated Espionage Campaign

A cybersecurity inflection point has been reached in which AI models has become genuinely useful in cybersecurity operation. But to no surprise, they can used for both good works and ill will. Systemic evaluations show cyber capabilities double in six months, and they have been tracking real-world cyberattacks showing how malicious actors were using AI capabilities. These capabilities were predicted and are expected to evolve, but what stood out for researchers was how quickly they have done so, at scale. Read Now
- Artificial Intelligence

Security Today eNews

Sign up today for essential industry news and product information that can help you stay afloat in the fast-paced world of security.

Email Address*Country*

Please type the letters/numbers you see above.

Webinars

Whitepapers

New Products

Camden CV-7600 High Security Card Readers

Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.
QCS7230 System-on-Chip (SoC)

The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.
FEP GameChanger

Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction.