DFARS 252.204-7012 Ongoing Requirements
Compliance with DFARS is an iterative and ongoing process. Because cybersecurity threats and vulnerabilities change constantly, an organization that has achieved initial compliance status must continue to follow specific NIST guidelines to maintain security and safeguard its sensitive information.
Information System Risk and Security Vulnerability Assessment. Organizations must address the following NIST SP 800-171 requirements on an ongoing basis:
3.11.1 – Requires the contractor to periodically assess information system vulnerabilities.
3.12.1 – Requires the contractor to periodically assess the effectiveness of information system security controls.
3.12.2 – Requires the contractor to develop and implement plans of action to correct deficiencies and minimize vulnerabilities.
How to Meet the Ongoing Requirements. To meet the ongoing compliance requirements, each organization must implement a formal process (internally or using external resources) that addresses the following areas:
I) Network Penetration and Exploitation Testing. This is designed to uncover vulnerabilities that are not easily detected yet present a serious risk to the security of the organization's information system. Discovered vulnerabilities are typically categorized as 'High', 'Medium' or 'Low' based on the severity of the potential threat to the organization.
For penetration testing to be effective, it must at a minimum assess the risk to network devices and common communication protocols, as well as the risk posed by human behavior. These include:
A – Testing Network Services & Devices: This is designed to find security weaknesses and vulnerabilities in firewalls, IPs, and DNS configurations, as well as a full port scan to determine vulnerabilities in common services such as SSH, SQL/MySQL, SMTP, FTP, and Microsoft Outlook logins.
B – Testing Operating Systems/Software: This is designed to find security exploits associated with outdated or improperly patched operating systems commonly targeted by attackers.
C – Wireless Testing: This is designed to find weak wireless protocols and administrative privileges, as well as rogue access points.
D – Social Engineering: This is designed to identify weaknesses that could allow attackers to target unsuspecting or uninformed employees of the organization.
Penetration testing should be conducted both externally, to assess the risk from remote attackers, and internally, to understand information system vulnerabilities arising from insider threats. Some of the common "High" risk vulnerabilities seen in many organizations' information systems include:
1) Systems and devices missing critical security updates.
2) Unsupported operating systems still in use.
3) Weak encryption algorithms used for encrypted/SSH communications.
4) Simple Network Management Protocol responding to the default "public"/"private" community names, which allows remote attackers to take control of the system.
5) Denial-of-Service vulnerabilities due to old or outdated firewalls.
6) SSL/TLS configurations accepting weak ciphers.
7) Server-client connections exposed to eavesdropping because the deprecated SSLv2 and SSLv3 protocols are still enabled.
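As an added illustration (not part of the original article) of carrying the assessment findings above through to the plan of action that 3.12.2 requires, the following Python triages the "High" items listed here into POA&M entries. The host records, the weak-algorithm criteria, the end-of-support list and the remediation windows are assumed sample values for this example, not a scanner's real output format or a DFARS-mandated timeline.

```python
from dataclasses import dataclass

# Constructed criteria for the "High" findings the article lists; these are this
# example's assumptions, not any scanner's ruleset or output format.
DEPRECATED_TLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXPORT", "NULL", "MD5", "ANON")
WEAK_SSH_ALGOS = {"diffie-hellman-group1-sha1", "arcfour", "3des-cbc", "hmac-md5"}
DEFAULT_SNMP = {"public", "private"}
UNSUPPORTED_OS = {"Windows Server 2008 R2", "Windows 7"}  # assumed end-of-support list
DUE_DAYS = {"High": 30, "Medium": 60, "Low": 90}          # assumed remediation windows

@dataclass
class Finding:
    host: str
    severity: str
    issue: str
    action: str  # corrective action to record in the plan of action (3.12.2)

def assess_host(rec: dict) -> list[Finding]:
    """Turn one host's assessment record into findings (evidence for 3.11.1/3.12.1)."""
    h, out = rec["host"], []
    weak = [c for c in rec.get("tls_ciphers", ()) if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)]
    checks = [  # (triggered?, issue, corrective action)
        (rec.get("missing_critical_patches", 0) > 0, "missing critical security updates", "apply vendor updates"),
        (rec.get("os") in UNSUPPORTED_OS, f"unsupported OS: {rec.get('os')}", "migrate or isolate host"),
        (bool(DEPRECATED_TLS & set(rec.get("tls_protocols", ()))), "SSLv2/SSLv3 enabled", "require TLS 1.2+"),
        (bool(weak), "weak TLS ciphers: " + ", ".join(weak), "restrict cipher suites"),
        (bool(WEAK_SSH_ALGOS & set(rec.get("ssh_algorithms", ()))), "weak SSH algorithms", "drop legacy KEX/cipher/MAC"),
        (bool(DEFAULT_SNMP & set(rec.get("snmp_communities", ()))), "SNMP default community string", "move to SNMPv3"),
    ]
    for hit, issue, action in checks:
        if hit:
            out.append(Finding(h, "High", issue, action))
    return out

def build_poam(records: list[dict]) -> list[dict]:
    """Plan of action: one entry per finding, highest severity first, then by host (3.12.2)."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    findings = sorted((f for r in records for f in assess_host(r)),
                      key=lambda f: (order[f.severity], f.host))
    return [{"host": f.host, "severity": f.severity, "issue": f.issue,
             "action": f.action, "due_days": DUE_DAYS[f.severity]} for f in findings]

# Constructed sample assessment records for two hosts (not real scanner data).
SAMPLE = [
    {"host": "fw-edge-1", "tls_protocols": ["SSLv3", "TLSv1.2"],
     "tls_ciphers": ["RC4-SHA", "AES256-GCM-SHA384"], "snmp_communities": ["public"]},
    {"host": "file-srv-2", "os": "Windows Server 2008 R2", "missing_critical_patches": 4,
     "ssh_algorithms": ["diffie-hellman-group1-sha1", "curve25519-sha256"]},
]
```

Calling build_poam(SAMPLE) yields six High entries, three per host, each with its corrective action and a 30-day window; a host with only TLS 1.3 and modern ciphers yields none.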
II) Compliance Audit: This is meant to ensure that the security controls implemented through policies, procedures, and technical solutions are effective in keeping the organization's information system secure. Some of the common security controls that must be included in periodic audits are:
1) Inspecting domain group policies for accuracy, relevance, and effectiveness.
2) Monitoring logical security controls such as user privileges and file-sharing policies, as well as antivirus protection.
3) Reviewing physical security controls such as physical access, smart access devices, visitor logs, and cameras.
4) Monitoring proper use of portable storage devices according to the implemented policies.
5) Inspecting proper use and effectiveness of the two-factor authentication process.
6) Enforcing mobile device security for devices with access to organization email.
7) Monitoring proper CUI handling and marking procedures.
8) Reviewing the information system policies and procedures to ensure that the documentation accurately reflects recent
9) Inspecting the organization's information system asset inventory for proper updates and accuracy.
And many more factors, depending on the operating procedures of each organization.
As long as proper corrective measures are taken to address the vulnerabilities in the organization's information system discovered during periodic assessments, the organization is meeting its obligation to satisfy the ongoing compliance requirements.