Prepping for DFARS
With the deadline for DFARS (Defense Federal Acquisition Regulation Supplement) quickly approaching (December 31, 2017), many business are scrambling to meeting compliance requirements. An important part of DFARS addresses the need for strong, two-factor authentication, as well as physical access controls to organizational information systems, equipment, and the respective operating environments to authorized individuals. Are you ready?
What is DFARS?
This regulation is an addition to the Federal Acquisition Requirement (FAR) and provides specific acquisition regulations for the Department of Defense (DoD) as well as contractors doing business with the DoD. DFARS rules focus on systems with CDI (Covered Defense Information) not just the specific information. “Covered Contractor Information Systems” means information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits covered defense information. Any contractor or subcontractor who comes in contact with a CDI must be in compliance.
Addressing authentication
Section 3.5 of NIST 800-171 calls for stricter identification and authentication of users. Among other things this section mandates:
- Multi-factor authentication
3.5.3 Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Multi-factor authentication ensures a user is who they claim to be. Multi-factor authentication can be achieved using a combination of the following factors something you have (such as a token or smart card), with something you know (PIN or password) and/or something you have (biometric). The more factors used to determine a person’s identity, the greater the trust of authenticity.
- Replay-resistant authentication
Two-factor authentication using smart cards or one-time password tokens prevents this type of attack because you need to present a secondary form of authentication.
Physical access requirements
DFARS extends to controlling access to physical locations and documents. Section 3.10 addresses physical protection and says: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Security solutions for DFARS compliance
Multi-factor authentication solutions allow customers to address numerous use cases, assurance levels, and threat vectors with unified, centrally managed policies— managed from an authentication back end delivered in the cloud or on-premises. Supported authentication methods include context-based authentication combined with step-up capabilities, Out of Band (OOB), one-time password (OTP), and X.509 certificate-based solutions. Multi-factor authentication methods can be delivered in numerous form factors, including smart card, USB token, software, mobile app, and hardware tokens. Public Key Infrastructure (PKI) is another solution for authentication that allows for other advanced security functionality, such as digital signature and email encryption as well as physical access that we’ll talk about next.
Physical Access can be addressed with certificate-based smart cards with dual physical and logic access (multifactor authentication), including contact cards with choice of card body options and contactless technologies and dual interface cards compatible with NFC. For DFARS, Gemalto recommends a FIPS certified converged badge solution that will meet needs for both physical and logical access.
Privileged Access
A part of section 3.5 also addresses privileged users and who should have access to what information and systems. It says: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. It’s important to choose an authentication solutions, such as (PKI) or access management services that offer provisioning rules and policy engines that cover privileged users and what level of security is needed for these roles.
We hope you find this blog helpful in planning for DFARS. With the deadline less than two months away, it’s now a race to the finish.
Gemalto recently presented a webinar entitled Are you Ready for DFARS? that explains in more detail about the regulation and how you can prepare to comply. Please visit our BrightTalk channel to view this replay and download additional documents.
Do you need to learn more about government compliance? Visit our Data Compliance Solutions for more information.